What To Do When You're Hit With Ransomware

Craig Pollack | Jul 19, 2017

What To Do When You're Hit With Ransomware

Ransomware. The word alone should send chills down the spine of any IT professional. And any business owner or operator as well.

But, before we dive in to what to do when you're hit with ransomware, let's first start out with some of the clues that you may have, in fact, been compromised. Relatively speaking, it's fairly straightforward to determine if you're affected by ransomware.

Here are the primary symptoms:

  • you suddenly can't open normal files
  • you get errors such as the file is corrupted or has the wrong extension
  • an message appears on your desktop with instructions on how to pay to unlock your files
  • a program appears warning you that there's a countdown until the ransom increases or you'll lose access to your files forever
  • a window opens to a ransomware program and you can't close it
  • you see files with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML

Of course, these are all bad signs. If you see anything like any of these, immediately take the following actions:

  1. Disconnect your computer
    1. unplug the network cable from your computer
    2. turn off any wireless (ie: Wifi, Bluetooth, etc.)
  2. Determine the scope of the infection. Check for the following signs of encryption:
    1. mapped or shared drives (ie: your network drives)
    2. network storage devices (NAS drives)
    3. external hard drives
    4. USB flash drives
    5. cloud based storage: Onedrive, Dropbox, Google Drive, Anchor, etc.
    6. other computers / workstations that are infected
  3. Determine the strain of the ransomware
    1. what kind of ransomware is it?  
  4. Determine the response

Now that you know the scope of the infection, it's time to repair and cleanup the damage. Naturally, if you're one our clients the first reponse is to call FPA (although full disclosure: we haven't had to respond to one of these situations in months - because our clients are so well protected!).  That said, if you aren't a current client and you get hit, here are your options:

  1. First Option: Restore from backups
    1. LOCATE YOUR BACKUPS!!!
    2. remove the ransomware from your infected systems
    3. restore files from backups
    4. determine how the infection got in and address (can you say "user training"?!)
  2. Second Option: Try to Decrypt Your Files Yourself
    1. although starting to be more common, this is still a pretty rare option
    2. determine the strain and version
    3. locate a decryptor; if successful - decrypt your files
    4. determine how the infection got in and address (user training!!!)
  3. Third Option: Negotiate and/or pay the ransom
    1. convert $'s into some sort of cryptocurrency (ie: Bitcoin)
    2. pay the ransom via crptocurrency
    3. acquire the unlock code
    4. decrypt your files
    5. determine how the infection got in and address (user training!!!)
  4. Fourth Option: Do nothing

Obviously, having to resort to any of these is bad.  We'd much rather prefer that our clients didn't have to deal with this at all. To ensure your business doesn't have to deal with any of these scenarios, our preferred method is prevention.

Again, I don't want to sound like a broken record (so I won't). Instead, check out some of our other blog posts to see more details:

Suffice to say, if you are one of our Managed Service clients and you're fully on our "FPA Stack", then you've positioned yourself well. As with anything in the cyber security world, there's no 100% guarantee. But, I can guarantee you that, odds are, the hackers will be working on other, less protected networks.

 

What do you think? Has this info been helpful? Let us know in the Comment box below or shoot me an email if you’d like to chat about this in more detail.

Click Here to Request Your Free Technology Review Call Today

Author

Craig Pollack

Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 25 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best secure and leverage their technology to achieve their business objectives.

Comments