Thomson Reuters technologist Joseph Raczynski offers these tips.
Ransomware is insidious. In the near future, we will likely see this cyber tactic further honed by criminals. In a recent post, I described this scenario for how a ransomware exploitation occurs. The hacker crafts and sends a perfectly feasible email to the CFO:
“Dear Jenny, it has been too long since we last spoke! I hope all is well. The last time we chatted we were at Safeway, complaining about their so-called ‘fresh fish’ section. One of these days they will have fresh shrimp, not just the frozen variety. The reason I am writing is that our daughters are in the same softball league. They have grown up so fast! I know you are busy, so you may not be aware, but they are hoping to go to Florida for a tournament in a few months. We are trying to raise some money for the kids who currently don’t have the means to get there. Can you please help by donating, say, $20 to the cause? You can click here to donate.”
There is a 96 percent likelihood that the CFO will click on the link in this spear phishing email. When she does, the malicious software takes root. This means that she cannot open any of her important files without a complex password—including family pictures, video, and all her client data. That complex password is available from the bad guys, but comes at a high price in Bitcoin, ranging from $350 to $10,000.
So, what do you do now?
Disconnect your network.
Your first task is to protect what you have, and the best way to do this is to cut your connection to the network/internet as soon as possible. When you are under a ransomware attack, the malware often spreads quickly to other computers on the network. Recently, one of my clients had a computer that was infected and the malicious software jumped from an attorney’s computer to the HR system, accounting server, and the document management system. That can be a very frightening scenario, and a ton of work to repair.
Take a picture.
Make sure you have an image or video of what you are seeing on your computer for your records and documentation if you file an insurance claim later.
Determine the variety of ransomware.
There are multiple types of ransomware, but two are most common. The first is a scare tactic that appears in the form of a pop-up advertisement claiming your computer has been encrypted. If you encounter this variety, you should breathe a sigh of relief. While you will need to run several types of antivirus and anti-hijack software, your files are safe. This can be confirmed by getting past the pop-ups and trying to open files. If you are able to open your files, you are in a good place. If not, you will notice that files are impossible to open without a password/key; when forced open in a text editor they show only garbled letters, numbers and symbols. If this is the case, you have a decision to make.
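The "try to open your files" check above can be done more systematically across a whole folder. The following is an added example, not code from the original post: it samples the first few kilobytes of each file, looks for a known file signature (a small constructed table of magic bytes, not a complete list), checks whether the content reads as plain text, and otherwise measures byte entropy. Files with no recognisable header and near-random content are what an encrypted file looks like when opened in a text editor. The three sample files it writes into a temporary directory are constructed for the demonstration; the random-byte file stands in for an encrypted one and is not real ransomware output.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed table of a few common file signatures (magic bytes) for this
# illustration; a real triage tool would use a fuller list such as libmagic.
KNOWN_MAGIC = {
    b"%PDF-": "PDF",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"PK\x03\x04": "ZIP / modern Office (docx, xlsx, ...)",
    b"\xff\xd8\xff": "JPEG",
    b"\xd0\xcf\x11\xe0": "Legacy Office (doc, xls)",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 (all identical) up to 8.0 (uniform random)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_text(data: bytes) -> bool:
    """Heuristic: more than 90% printable ASCII or whitespace."""
    if not data:
        return True
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(data) > 0.9


def classify(path: Path, sample_size: int = 4096) -> str:
    """Classify one file from its first sample_size bytes."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    for magic, name in KNOWN_MAGIC.items():
        if head.startswith(magic):
            return f"intact ({name} header present)"
    if looks_like_text(head):
        return "intact (readable text)"
    # No recognised header and not text: near-random bytes are what an
    # encrypted file looks like in a text editor (garbled letters and symbols).
    if shannon_entropy(head) > 7.0:
        return "suspect: high-entropy, no known header (possibly encrypted)"
    return "unknown binary"


def triage_directory(root: Path) -> dict:
    """Map each file under root (relative path) to its classification."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            results[str(p.relative_to(root))] = classify(p)
    return results


def build_constructed_samples(root: Path) -> None:
    """Write three constructed samples: plain text, a PNG header, and random
    bytes standing in for an encrypted file (not real ransomware output)."""
    (root / "notes.txt").write_bytes(b"Quarterly figures attached.\n" * 50)
    (root / "chart.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4)
    (root / "clients.xlsx.locked").write_bytes(os.urandom(4096))


def run_demo() -> dict:
    """Build the constructed samples in a temp directory and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_samples(root)
        return triage_directory(root)


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24} {verdict}")
```

Treat the output as a triage hint, not a verdict: some ransomware families encrypt only the first part of each file or leave headers in place, and legitimately compressed files (ZIP, JPEG) are high-entropy too, which is why the header check runs first. A folder where most documents come back "suspect" is the situation the next section addresses.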
Yes, you have scary ransomware.
You can either pay the criminals and hope they send you the decryption key to open your files—or you can see if you can fix the issue. Paying off the bad guys is generally frowned upon by the FBI because it only encourages the criminals to continue. That said, losing client files could be far worse than paying the fee. You could also wipe your computer clean and completely rebuild it, IF you have backups of all the files. This tends to be a very likely scenario for most.
If you don’t want to pay the bad guys and don’t want to admit defeat just yet, you have a few options. Typically, your technical support would assist with this, but you’ll want to clean your computer with antivirus software to remove the virus before you deal with the encrypted files. Once that is completed, you can search around to see if anyone else was hit by the same ransomware and look for their decryption package at No More Ransom. Each individual antivirus company also offers packages that may help decrypt the files. If you have luck, good for you, but this is generally a long shot.
Delete and reinstall.
Unfortunately, if you are hit by a legitimate ransomware attack this may be the most likely scenario. It is a painful and time-consuming process to delete everything and then reinstall every program and file, but often this is necessary.
As a final reminder, there are two underlying keys to this post. One, be very careful about what you download and click on—especially in emails. Nearly 95 percent of all malware issues come from people clicking on downloads and virus-laden email links. Two, make certain you have current backups of all your files. If you don’t back up your work, you may have no choice but to pay criminals to restore your files—and even if you do pay their ransom fee, you still may not get your files back. Be careful and back up frequently!