By Nathan Mousselli, Directing Consultant of Cyber-Security and Cyber-Investigations at Interfor International
The recent spate of global ransomware attacks has raised awareness of this cyber-threat among corporations, governments, and private citizens.
This attention has yielded a flurry of preventative prescriptions.
(CNN explains how ransomware like WannaCry affects users. Courtesy of CNN and YouTube. Posted on May 15, 2017)
Here are some rapid response measures to implement if you are hit with a ransomware attack.
Ransomware presents a unique challenge to both individuals and corporations.
The initial response is not to identify the attacker, but rather to first stop the attack from spreading and then to rescue as much data as possible.
How do you know if you’ve been hit?
Victims usually learn of the deployed ransomware when a ransom notice pops up on their monitor, but that is not always the case.
You might instead discover that your system is infected when previously accessible files can suddenly no longer be opened, or when familiar files appear with new extensions such as .crypto or .locked.
First step
- Immediately disconnect from the network and the internet.
- You should also disconnect any external drives and file servers.
- The malware can spread to these devices as well and start to encrypt the files on those external devices or servers.
- Once the ransomware has been identified by an anti-virus or malware-blocking program, immediately power down your system.
- This measure prevents the malware from spreading and encrypting more files, and greatly improves the chances that data recovery experts can recover your files.
The recovery process will depend on the sophistication of the ransomware you have been infected with and on the value of your data.
Some ransomware encryption methods have known flaws, and other strains are ‘fake’ ransomware that only change the name or extension of files without actually encrypting them.
If the specific malware cannot be decrypted, you will need to restore your files from a backup.
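A small triage script, added here as an example and not part of the original post, that turns the two observations above into a check: it flags files carrying the renamed extensions the post mentions and then uses byte entropy to separate genuinely encrypted files from ones that ‘fake’ ransomware merely renamed. The extension list, the 7.5 bits-per-byte threshold and the sample files are all assumptions constructed for the example.

```python
import math
import os
from collections import Counter

# Extensions the post names as signs of infection (illustrative, not exhaustive).
SUSPECT_EXTENSIONS = {".crypto", ".locked"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext, well below for plain documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name: str, head: bytes, threshold: float = 7.5) -> str:
    """'encrypted' (suspect extension, near-random bytes), 'renamed_only'
    (suspect extension but original content intact, the 'fake' ransomware
    case) or 'normal' (no suspect extension). Threshold is an assumption."""
    _, ext = os.path.splitext(name)
    if ext.lower() not in SUSPECT_EXTENSIONS:
        return "normal"
    return "encrypted" if shannon_entropy(head) >= threshold else "renamed_only"

def triage(files) -> dict:
    """Sort (name, first_bytes) pairs into the two non-normal classes."""
    report = {"encrypted": [], "renamed_only": []}
    for name, head in files:
        verdict = classify(name, head)
        if verdict != "normal":
            report[verdict].append(name)
    return report

def triage_directory(top: str) -> dict:
    """Walk a real tree, reading only the first 4 KiB of each file."""
    def pairs():
        for dirpath, _, names in os.walk(top):
            for n in names:
                path = os.path.join(dirpath, n)
                with open(path, "rb") as fh:
                    yield path, fh.read(4096)
    return triage(pairs())

# Constructed sample set: a uniform byte distribution stands in for ciphertext,
# a repeated sentence for a document that was only renamed.
SAMPLE_FILES = [
    ("ledger.csv.locked", bytes(range(256)) * 16),
    ("notes.txt.crypto", b"Quarterly notes for the board meeting.\n" * 100),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 100),
]
```

Run `triage(SAMPLE_FILES)` for the built-in sample or `triage_directory("/path/to/share")` against a disconnected copy of the affected drive; note that originals that are already compressed (zip, docx, jpeg) are high-entropy by nature, so a merely renamed one will read as encrypted and the verdict is triage input, not proof.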
- If you don’t have a backup, then you will need to evaluate the value of your data.
Are you dealing with health care data, PII or financial information?
- In these cases, you may want to refer to the instructions provided by the attacker on how to pay the ransom.
- Paying the ransom without consulting an expert first is not recommended, but ultimately the decision is yours.
Having learned the value of pre-emptive cyber-safety the hard way, you will likely be eager to take the steps needed to prevent this type of infection in the future.
You should start afresh by reinstalling the operating system and all programs.
- Restore your user files from a known backup or existing files verified as clean.
- Install reliable anti-virus and anti-malware solutions.
- Make sure to keep up with operating system updates, as they patch the flaws used to propagate this type of malware throughout your system.
As always, be careful with the links you click in both web browsers and emails.
If a link looks suspicious or something seems wrong, take prudent steps to verify the website or email source before proceeding.
Interfor International is a global investigation and security consulting firm offering comprehensive domestic and foreign intelligence services to the legal, corporate and financial communities.
Interfor is staffed by highly skilled investigators and fraud examiners, many of whom have been associated with government, defense, and intelligence agencies worldwide, including the British Secret Service, Israeli intelligence, various European agencies, and the United States CID, CIA, DEA and FBI.
Our investigators are also supported by a sophisticated research division using state-of-the-art technology.
Interfor is fully licensed and operates in the United States, Europe, the Middle East, the Americas, Africa and Asia.
While the nature of Interfor’s services precludes disclosing the identity of specific clients, they include Fortune 500 companies, major law firms, an international airline and a number of Western governments.