Incident Response | Till Oberbeckmann | 7 min read

Ransomware Emergency: These Tips Will Help You

Once there is a suspicion of ransomware, it is usually already too late. Therefore, we inform you how to act in such a situation.

Ransomware is a well-known type of malware that encrypts important data on your PC and then demands a ransom to unlock it. The consequences can be extremely costly or result in the permanent loss of all encrypted data. In a ransomware emergency, quick action and a clear head are essential. Only then do you have a realistic chance of regaining control over your data and preventing further damage.

In this article, we walk you through the initial steps to take during a ransomware emergency. We cover tips and strategies that help when you have been hit by ransomware and need to remove it. Additionally, we provide valuable guidance on how to respond efficiently in the immediate aftermath of a ransomware attack.

Immediate Steps in the Event of a Ransomware Incident

As soon as you detect malware on your computer, the first thing you should do is disconnect the PC from the internet. Turn off Wi-Fi, Bluetooth, and NFC immediately to prevent the malware from spreading to other files or systems on your network. Next, assess which data is affected by the encryption. Typically, this includes mapped or shared folders from other computers, network storage devices of any kind, external hard drives, USB storage devices (USB sticks, memory sticks), connected phones, or cameras. Cloud-based storage such as Dropbox, Google Drive, and OneDrive can also be affected.

Then determine whether any data or credentials have been stolen. Check your logs and DLP software for signs of data exfiltration. Look for unexpectedly large archive files (e.g., .zip and .arc) containing sensitive data that may have served as staging files.

In the next step, look for malware, tools, and scripts that could have been used to search for and copy data. One of the clearest signs of ransomware-related data theft is a notification from the attackers claiming that your data and credentials have been stolen. Then identify the specific type of ransomware -- there are different variants such as Ryuk, Dharma, and SamSam. Once you know the extent of the damage and the type of ransomware involved, you can make an informed decision about how to proceed. Five specific rules of conduct are also available on the Norton website.
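As an added example (not from the original article), the following Python script performs the staging-file check described above: it walks a share or mapped drive and lists archives that are both large and recently modified, classifying them by magic bytes first so that a .zip renamed to an innocuous extension is still found. The 50 MiB default threshold, the extensions beyond .zip and .arc, and the constructed sample files are assumptions made for this example.

```python
import os
import tempfile
import time
from pathlib import Path

# .zip and .arc are named in the article; the other extensions and the magic bytes are assumptions.
ARCHIVE_EXTENSIONS = {".zip", ".arc", ".rar", ".7z", ".tar", ".gz", ".tgz"}
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}

def archive_kind(path):
    """Classify by magic bytes first (catches renamed archives), then by extension."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    suffix = Path(path).suffix.lower()
    return suffix.lstrip(".") if suffix in ARCHIVE_EXTENSIONS else None

def find_staging_candidates(root, min_bytes=50 * 2**20, max_age_days=14):
    """Archives under root larger than min_bytes and modified within max_age_days, largest first."""
    cutoff = time.time() - max_age_days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.stat()
                kind = archive_kind(p) if st.st_size >= min_bytes and st.st_mtime >= cutoff else None
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the triage
            if kind:
                hits.append({"name": name, "path": str(p), "size": st.st_size, "kind": kind})
    return sorted(hits, key=lambda h: h["size"], reverse=True)

def demo():
    """Build a constructed sample share (not real incident data) and scan it with a 1 KiB threshold."""
    now = time.time()
    samples = [  # (file name, content, mtime)
        ("hr-export.zip", b"PK\x03\x04" + b"\0" * 4096, now),         # obvious staging archive
        ("backup.dat", b"PK\x03\x04" + b"\0" * 8192, now),            # zip renamed to hide it
        ("old.zip", b"PK\x03\x04" + b"\0" * 4096, now - 90 * 86400),  # predates the incident window
        ("tiny.zip", b"PK\x03\x04" + b"\0" * 10, now),                # below the size threshold
        ("notes.txt", b"x" * 4096, now),                              # large and recent, not an archive
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for name, data, mtime in samples:
            Path(tmp, name).write_bytes(data)
            os.utime(Path(tmp, name), (mtime, mtime))
        return find_staging_candidates(tmp, min_bytes=1024, max_age_days=14)
```

On a real share, call `find_staging_candidates("/mnt/share")` with the defaults and review the largest hits first; the renamed archive in the sample is the case a plain extension filter would miss.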

Stolen Data and Payment

Now that you know what type of ransomware incident you are dealing with, how many systems are affected, and which data has been encrypted, we can move forward in our checklist. In most cases, the ransomware gang aims to extort a ransom in exchange for unlocking your data. Alternatively, the data remains encrypted with no apparent financial benefit for the extortionists. Below, we examine both scenarios and walk through the specific steps in detail.

Extortion of Payment for Your Data

While it may sound counterintuitive, paying for the release of your data is often the quickest way to resolve a ransomware infection. You transfer a specified amount within a given timeframe, usually displayed on the lock screen. Bitcoin enables these transfers to be made anonymously. In some cases, you may be able to negotiate the deadline and the amount with the ransomware gang -- though expectations should remain low.

Once the computer is unlocked, you should immediately back up your files to an external location and carefully remove the ransomware. To ensure no residual or shadow files remain on your system, restoring from a clean backup is recommended. This backup should come from an uninfected storage device to prevent further incidents. After the restoration is complete, make sure to patch all vulnerabilities on your system and network to guard against future attacks.

Encryption Without Payment

The second case involves the encryption of your data by ransomware without any apparent financial motive. The primary intent here is to disrupt business operations. This often results in significant personnel costs and productivity losses for the affected organization. Independent remediation is extremely difficult in such scenarios. We therefore recommend preparing for recovery from a backup. Decrypting the data with recovery software is a time-consuming process, and newer ransomware versions already defeat such attempts.

When there is no option to regain control through payment, the ransomware gang typically aims for the complete destruction of your data. The only effective countermeasure is maintaining regular backups and decentralized data copies that can be restored after resetting your system. During this process, clean your system thoroughly and ensure that no folders, archives, or files created by the ransomware remain. Even after this step, comprehensive security hardening is strongly recommended.

Conclusion: Eliminating Ransomware and Practicing Prevention

As you can see, ransomware is a powerful method for disabling your computer and parts of your network. Attackers typically pursue two goals: causing damage to your business and extorting a ransom. However, even after your data has been unlocked, the challenge of ransomware and incident response is far from over. We therefore strongly recommend creating regular backups of your system to counter the threat posed by ransomware gangs. This is the only way to preserve your data in an emergency and effectively address vulnerabilities in your systems.

Beyond responding correctly to a ransomware incident, prevention within your own organization is a critical aspect of cybersecurity. Computers and devices on the network should be secured so that encrypting them with ransomware becomes as difficult as possible for attackers. Employees should also be thoroughly educated about the methods and intentions of online extortionists. IT security training and digital awareness programs are therefore recommended for every company. For individuals, exercising caution when browsing the internet and handling downloads also goes a long way. The BSI has compiled further information on the threat landscape and prevention.
