What steps should you take if you are the victim of a ransomware attack?

Internet users face many dangers. Cybercriminals are carrying out increasingly sophisticated attacks to get hold of our data. We face viruses, Trojans, computer worms and malware attacks of various kinds. To be protected we must keep our operating system updated and use a good antivirus. Even so, our computers sometimes become infected. In this article, we are going to see what steps you should take if you are the victim of a ransomware attack.

Ransomware attacks can leave us without our data, without our money, or both. Now we are going to see what an attack of this type is and the steps we must follow to try to solve it.

What is a ransomware attack

We can define a ransomware attack as a malicious attack that leaves our files locked or encrypted so that we cannot use them. Victims receive a message saying that if they want to recover these files they will have to pay a ransom. Cryptocurrencies such as Bitcoin are often required for payment to make it more difficult to follow the trail later.

To achieve their objective, attackers usually rely on two tactics: social engineering and lateral movement. On many occasions, cybercriminals stage a ransomware attack early and execute it later, so the actual attack could occur days after the infiltration of the network. A ransomware attack can be very damaging, but acting quickly after the attack can reduce some of the damage.

Steps to follow if I am a victim

If you’ve already been a victim of ransomware, whether it’s on your company network, on your PC, or on your NAS server, you should take some general steps to minimize the impact of this popular attack.

Act smart and collect evidence

The first thing to do is act calmly and not rush into actions that you may regret later. At that point, you may no longer be able to access many important files on your computer, but you may be able to save some that have not yet been encrypted. In this regard, do not rush to pay the ransom without first analyzing the seriousness of the situation you are in.

The second step is to take a photo of the ransomware message with your mobile phone. If possible, also take a screenshot on the infected computer. This helps both when filing a report later and in speeding up the recovery process.
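A read-only triage pass for this step, showing which files still look usable and recording a hash manifest as evidence. This is an added example, not part of the original article; the signature table, the 7.5 bits-per-byte cut-off and the sample files in `demo()` are assumptions made for illustration.

```python
import hashlib, math, os, tempfile
from collections import Counter

# Well-known file signatures; extend for the formats you care about.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}
ENTROPY_LIMIT = 7.5  # bits per byte; assumed cut-off, ciphertext sits near 8.0

def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0 for empty input)."""
    counts = Counter(data).values()
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def classify(path: str, sample: int = 65536) -> str:
    """Return 'intact' or 'suspect' from the first bytes of the file (read-only)."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is not None:          # known format: the header must match
        return "intact" if head.startswith(magic) else "suspect"
    # Unknown extension: use entropy. Archives also score high, so verify by hand.
    return "suspect" if entropy(head) >= ENTROPY_LIMIT else "intact"

def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage(root: str) -> list[dict]:
    """Walk root (read-only) and record status, hash and mtime for every file."""
    rows = []
    for folder, _dirs, files in os.walk(root):
        for path in (os.path.join(folder, name) for name in sorted(files)):
            rows.append({"path": os.path.relpath(path, root), "status": classify(path),
                         "sha256": sha256_file(path), "mtime": os.stat(path).st_mtime})
    return rows

def demo() -> dict:
    """Constructed sample: two healthy files and two with random-looking content."""
    noise = bytes(range(256)) * 16   # stand-in for ciphertext, entropy exactly 8.0
    files = {"notes.txt": b"meeting at ten\n" * 50, "scan.pdf": b"%PDF-1.7\n...",
             "photo.jpg": noise, "report.docx.locked": noise}
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return {row["path"]: row["status"] for row in triage(root)}
```

Run `triage()` against a copy or read-only mount of the affected disk, and copy the files marked intact to clean offline storage before attempting any cleanup.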

Isolate affected computers

In a ransomware attack, it is vital to isolate affected systems as soon as possible. The ransomware can scan the target network and can spread laterally to other systems. In this case, it is best to separate the affected computers on our network to contain, mitigate and stop the spread of ransomware.

One thing you should know is that it is not always necessary to pay to get the files back. Websites like No More Ransom offer many decryption tools. Once we have found out which strain of ransomware has infected our computer, we can search sites like this one for the decryption tool we need.

Disable backups

At this point it is very important to protect our backup copies by separating them from the rest of the network. We must also block access to backup systems until the infection is removed. For example, it is a good idea to turn off all automatic syncs to our backups, since they could replace the good copies with encrypted ones. Most modern ransomware variants go after backups immediately after encrypting files, to prevent us from recovering them.

We must also disable automated maintenance tasks on affected computers, such as deleting temporary files and rotating logs. This preserves files that can be useful in a later investigation.

Identify the ransomware variant and change your passwords

The next step is to identify the ransomware variant that has infected our computer. For this we can use free services such as the Emsisoft ransomware identification tool or ID Ransomware. They are very simple to use: we upload an encrypted file or the ransom note left by the cybercriminal. Once the analysis is done, the service identifies the strain of ransomware that has attacked us.

After that, once we have disconnected the affected systems from the network, we have to change the passwords of all our online accounts. As a precaution, it is advisable to change them again once the equipment has been disinfected.

Report the crime and decide if you pay the ransom

The moment you are the victim of a ransomware attack, you have to contact the police and report the crime. This can help future investigations to stop the cybercriminal, and perhaps they can give you help of some kind.

Finally, regarding payment of the ransom, in most cases it is not advisable to pay it. All the aspects are explained at the previous link.
