We at Graham Cluley Security News have talked a lot about how ransomware strains target users and pressure victims into paying the ransom. As part of that ongoing effort, we've discussed a number of techniques users can employ to defend against a ransomware attack.
But we haven't addressed the concerns of users dealing with an active crypto-malware infection.
It's time we remedied that.
We hope that you never experience a ransomware infection. In the event that you do, and you didn't take the essential precaution of having a secure backup to hand, here is how you should respond.
- Take a deep breath.
Ransomware developers would love nothing more than for you to panic. That's why they spend so much time outfitting their creations with features that are specifically designed to scare you into paying the ransom.
For instance, the first variants of Jigsaw came equipped with a counter that spelled out when the ransomware would flat-out delete some of a victim's files.
Meanwhile, Cyber.Police has built a reputation around convincing victims they've run afoul of the US intelligence community.
Don't give the perpetrators of such attacks the satisfaction of getting all worked up. Instead, take a deep breath and commit yourself to responding to the attack in a calm and controlled manner.
Check to see if you have a secure backup of your encrypted data that you can recover from. It's important to ensure, of course, that the backup itself hasn't been corrupted by the ransomware infection.
Having a proper backup infrastructure is the most effective way to recover from a ransomware attack - as past victims like the San Francisco metro system have discovered - but if that's not an option for you, there are still recovery steps you can explore.
- Remove the ransomware from your computer.
First things first: clean your computer of the active ransomware infection. You can do so by installing an anti-ransomware tool onto your computer. The solution will hopefully be able to detect the malicious program and remove it from your machine.
Unfortunately, that's not always easy to do. Some ransomware samples are configured to prevent users from installing anti-virus solutions and similar products on their computers. To circumvent such behavior, try booting your computer into Safe Mode and installing the solution. If that doesn't work, download the tool onto a clean USB stick and plug it into your infected computer.
- Try to find a free decryptor for your affected files.
Once you've removed the ransomware from your computer, it's time you turned your attention to recovering your files. You should begin by looking for a free decryptor online.
Chances are you aren't the first victim to be affected by a particular ransomware strain, which means security researchers might have already developed a utility for the ransomware that allows victims to regain access to their files for free. Users should start at nomoreransom.org, an initiative where security firms and organizations are working together in an effort to develop free decryption tools.
- Recover your files using your data backup strategy.
If there's no free decryption tool available for the ransomware that infected your computer, try recovering your files using your data backup strategy. Assuming you followed our data backup guide, you should have at least three working copies of data. Simply choose one of the unaffected copies, restore all your data, and delete the encrypted versions once you've verified you've successfully restored your information.
- Recover your files using their Shadow Volume Copies.
Perhaps something happened to your data backups. Maybe the ransomware got to your external hard drive as well as your computer, and perhaps your cloud-based backup isn't working for one reason or another. If that's the case, you can try recovering your files by using the Shadow Volume Copy Service (VSS).
Most machines running Windows XP and up come with VSS. It's a feature that automatically takes a snapshot of every file, including those that are open, on a particular drive. Those snapshots are saved in a container known as the Shadow Volume Copy. In the event those Shadow Volume Copies are still available, you can look for the snapshots of your encrypted files and restore them using Windows or other utilities.
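As an added illustration of the Shadow Volume Copy recovery described above (this is example code written for this page, not a tool from Graham Cluley Security News), the following PowerShell script lists the snapshots that still exist for a drive, warns when the ransomware has already wiped them, and copies one file out of the newest snapshot taken before the infection. The drive letter, file path, infection time and destination folder are assumptions; run it from an elevated prompt.

```powershell
# Added example, not code from the original article. Run as Administrator.
# Lists the Volume Shadow Copies for a drive, then copies one file out of the
# most recent snapshot that predates the infection. Paths and times are assumptions.
$driveLetter   = 'C:'
$infectedSince = Get-Date '2016-12-01 09:00'             # hypothetical: first sign of encryption
$fileToRecover = 'Users\Alice\Documents\report.docx'     # hypothetical path, relative to the drive root
$restoreDir    = 'D:\Recovered'                          # hypothetical destination on a clean drive
$mountPoint    = 'C:\ShadowMount'                        # temporary symlink to the snapshot

# Map the drive letter to its volume GUID path; Win32_ShadowCopy keys snapshots by that path.
$volume  = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $driveLetter }
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
           Where-Object { $_.VolumeName -eq $volume.DeviceID } |
           Sort-Object -Property InstallDate -Descending

if (-not $shadows) {
    # Some ransomware deletes snapshots before encrypting, so an empty list is itself a finding.
    Write-Warning "No shadow copies exist for $driveLetter; they may have been deleted by the malware."
    return
}

Write-Host "Shadow copies for ${driveLetter}:"
$shadows | Format-Table -Property ID, InstallDate, DeviceObject -AutoSize

# Choose the newest snapshot taken before the infection; later ones may already hold encrypted files.
$candidate = $shadows | Where-Object { $_.InstallDate -lt $infectedSince } | Select-Object -First 1
if (-not $candidate) {
    Write-Warning "Every remaining snapshot postdates $infectedSince; inspect them manually before trusting them."
    return
}

# The snapshot's device path cannot be opened directly by Copy-Item, so expose it
# through a directory symlink. The trailing backslash on the target is required.
cmd /c mklink /d "$mountPoint" "$($candidate.DeviceObject)\" | Out-Null
try {
    New-Item -ItemType Directory -Path $restoreDir -Force | Out-Null
    Copy-Item -Path (Join-Path $mountPoint $fileToRecover) -Destination $restoreDir -ErrorAction Stop
    Write-Host "Restored $fileToRecover from snapshot taken $($candidate.InstallDate)"
}
finally {
    # rmdir removes only the link; Remove-Item -Recurse on a symlink can descend into the snapshot.
    cmd /c rmdir "$mountPoint" | Out-Null
}
```

Verify the recovered file opens cleanly before deleting its encrypted counterpart, since a snapshot taken mid-encryption can contain a mix of intact and damaged files.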
- Try to negotiate the ransom demand down.
Ransomware developers know that users can restore their files using Shadow Volume Copies. As a result, some actors have programmed their malware to delete those snapshots. If that's the case, and in the absence of any other data backups, you might decide you have no choice but to pay the ransom.
That doesn't mean you should pay the entire amount, however.
Many ransomware strains come with a live chat feature or other means by which you can contact the developers. You should take advantage of any of those methods if left with no other option and try to negotiate a lower ransom amount with the criminals.
If you can make them understand your plight, perhaps the attackers will agree to lower the price or even let you off the hook entirely.
- Pay the full ransom amount.
If all else fails, pay the full ransom amount and hope the computer criminals stay true to their word. It wouldn't be the first time ransomware devs stole money and didn't live up to their side of the bargain.
We hope this guide will help you if you ever suffer a ransomware infection. In the meantime, please make sure you focus on preventing a ransomware attack in the first place by avoiding suspicious links and email attachments, updating your system, and regularly backing up your critical data.