Ransomware is a well-known class of malware that first encrypts important data on your PC and then demands a ransom to unlock it. Paying can be very expensive, and not paying can mean the loss of all data the software has encrypted. Annoyingly enough, a ransomware emergency calls for quick help and a cool head. This is the only way to regain control over your data and contain the incident.
In this article, you can familiarize yourself with the first measures to take in a ransomware emergency. We look at the tips and tricks that help when you have caught extortion software such as ransomware and want to remove it again. In addition, we give you valuable tips on how to act efficiently immediately after a ransomware attack.
Direct action in the event of a Ransomware Incident
The first thing you should do as soon as you notice malware is to disconnect the PC from the Internet; turn off Wi-Fi, Bluetooth and NFC first. This prevents the malware from spreading to other files or systems on your network. After that, it is important to get an overview of exactly what the encryption has affected. Most often, these are mapped or shared folders from other computers, network storage devices of any kind, external hard drives, USB storage devices (USB sticks, memory sticks), and connected phones or cameras. Cloud-based storage such as Dropbox, Google Drive and OneDrive can also be affected in a ransomware incident.
Next, determine whether any data or credentials have been stolen. Check logs and DLP software for signs of data leakage. Look for unexpectedly large archive files (e.g., .zip and .arc) containing sensitive data; these may have been used as staging files.
In the next step, look for malware, tools and scripts that could have been used to search for and copy data. One of the clearest signs of ransomware data theft is a notice from the ransomware gang announcing that your data and credentials have been stolen. Next, it is important to identify the type of ransomware. There are different families, such as Ryuk, Dharma and SamSam. Now that you know the extent of the damage as well as your exposure to the ransomware, you can make an informed decision on what your next action will be. Five specific rules of conduct can also be found on the Norton website.
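As an added example that is not part of the original article, the following Python sweep implements the staging-archive check described above: it walks a directory tree and lists archive files that are both large and recently modified, largest first. The archive extension list, the 100 MB threshold and the 72-hour window are assumptions, and make_sample_tree builds a constructed demo tree rather than data from a real incident.

```python
import os
import tempfile
import time
from pathlib import Path

MB = 1024 * 1024
# Extensions the article names (.zip, .arc) plus other common archive types; assumed list.
ARCHIVE_EXTS = {".zip", ".arc", ".7z", ".rar", ".tar", ".gz"}

def find_staging_archives(root, min_bytes=100 * MB, max_age_hours=72, now=None):
    """Return [(path, size_bytes, age_hours)] for archives >= min_bytes modified within max_age_hours."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in ARCHIVE_EXTS:
                continue
            try:
                st = path.stat()
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the sweep
            age_hours = (now - st.st_mtime) / 3600
            if st.st_size >= min_bytes and age_hours <= max_age_hours:
                hits.append((str(path), st.st_size, round(age_hours, 1)))
    hits.sort(key=lambda hit: hit[1], reverse=True)  # biggest candidates first
    return hits

def make_sample_tree(now=None):
    """Constructed demo tree (not real incident data); sparse files report size without using disk."""
    now = time.time() if now is None else now
    root = Path(tempfile.mkdtemp(prefix="staging-demo-"))
    samples = [  # (relative path, size in bytes, hours since last modified)
        ("Finance/q3-export.zip", 40 * MB, 2),          # large and fresh archive: suspicious
        ("Finance/2019-backup.zip", 60 * MB, 24 * 30),  # large but a month old
        ("Users/alice/notes.zip", 1024, 1),             # fresh but tiny
        ("Users/alice/report.docx", 80 * MB, 1),        # large and fresh, but not an archive
    ]
    for rel, size, hours in samples:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with open(path, "wb") as fh:
            fh.truncate(size)
        os.utime(path, (now - hours * 3600, now - hours * 3600))
    return root, now

if __name__ == "__main__":
    demo_root, demo_now = make_sample_tree()
    for path, size, age in find_staging_archives(demo_root, min_bytes=10 * MB, now=demo_now):
        print(f"{size / MB:8.1f} MB  {age:6.1f} h ago  {path}")
```

On a real host, point find_staging_archives at user profiles, file shares and temp directories and review each hit by hand; a large fresh archive is a lead, not proof of theft.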
Stolen Data and Payment
Now that you know what your ransomware incident involves, how much is affected and which data has actually been encrypted, we can move on in our checklist. In most cases, the intention of the ransomware gang is to extort a ransom in exchange for unlocking your data. Alternatively, the data remains encrypted without any apparent financial benefit for the extortionists. Let us therefore look at both cases below and go through the specific steps in detail.
Extortion of Payment for Your Data
Even if it does not sound like it, the most convenient way to get rid of ransomware is to pay for the unlocking of your data. You transfer an amount within a specified time, which is usually displayed on the ransomware screen. Payment is demanded in Bitcoin, which lets the transfer be made anonymously. It may be possible to negotiate the payment deadline and the amount with the ransomware gang, but you should not count on this.
In any case, once the computer is unlocked again, you should back up your files to a remote location and remove the ransomware with the utmost caution. To avoid leaving residues and shadow files on your system, it is a good idea to restore from a backup. The backup should be imported from a non-infected storage device to avoid further incidents and payments. After the restore is complete, be sure to close any vulnerabilities in your system or network against renewed attacks.
Encryption without Payment
The second case is the encryption of your data by ransomware without an apparent financial motive. The real intention here is disruption: interrupting processes in a business or company. This is often associated with additional personnel costs and lost working time for the affected party. In such a case, independent remediation is difficult. We therefore recommend that you prepare for recovery by means of a backup. Decrypting the data with recovery tools is a time-consuming process, and newer ransomware versions are built to defeat it.
In a variant with no possibility of regaining control through a transfer, the total loss of your data is usually what the ransomware gang intends. This can only be mitigated by regular backups and decentralized copies of your data, which are imported after resetting your system. When doing so, clean your system thoroughly and make sure that no folders, archives or files created by the ransomware are left behind. Even after this step, it is highly recommended to harden your system as part of preventive data protection.
Conclusion: Eliminate ransomware and practice prevention
As you can see, ransomware is a powerful method of disabling your computer as well as parts of your network. The goal is often damage to your business as well as the classic extortion of a ransom. However, unlocking your data does not guarantee that you are done with the issues of ransomware and incident response. We therefore clearly recommend that you create regular backups of your system to counter the machinations of ransomware gangs. This is the only way to preserve data in case of an emergency and to mitigate vulnerabilities in the system.
In addition to taking the correct action in a ransomware incident, prevention in one's own company is also an important aspect of cyber security. Computers and devices on the network should be secured in such a way that encryption by ransomware becomes difficult for attackers. In addition, employees should definitely be educated about the background, methods and intentions of extortionists on the Internet. Training in IT security and digital working is therefore recommended for every company. As a private individual, it is also worthwhile to exercise a certain degree of care when surfing the Internet and handling downloads. The BSI has compiled further information on the threat situation and prevention.