1. Disconnect the Infected Device from Any Network Right Away
When ransomware strikes, this is the first step to take and it’s the most critical one. To avoid other computers from being infected through the network, make sure the infected PC or smart device is totally disconnected. No LAN, no Wi-Fi, no Bluetooth, no GPS. This is also relevant when the infected user is working remotely from a public or home network.
2. Unplug Any USB, SD or External Drive
You may still have a chance to save data on external drives from being infected, so the earlier you disconnect them, the better. Put the USB, SD or external drive away, but do not connect it to another computer right away.
3. Collect Information from the User
Most users will be scared and probably feel guilty about what just happened on their computer. Make them feel comfortable when asking questions about what just happened. Let them know every detail is precious and can save the whole company.
4. Inform Other Users
Act fast! If the infection started with a phishing email, other users in the company might have received the same type of message. So, it’s important to immediately remind all your users to remain alert. Inform them by all possible means and make them aware of how they could be infected.
5. Investigate the Infected Computer and Recover Files
If the ransomware has not totally locked the user out of the computer, you can further your investigations to identify the name of the ransomware.
- Because you never know how many malicious programs have been deployed on the computer with the attack and how many could be still dormant, execute a complete scan with your security tools. Again, do this on the isolated computer and do not reconnect it to the network.
- Uninstall any suspicious application that you might find in the programs list, especially if it was installed at the time of the attack or a few hours before.
- Websites like NoMoreRansom.org now provide decryption tools that can help you recover files encrypted by a ransomware. Download them from another computer and copy them to a dedicated USB, then install the decryption tools on the isolated infected computer. If you’re able to recover the files, copy them to another external storage.
- Unless you feel comfortable following the previous steps, the wisest option is to proceed with a re-installation and a restore of the system and data files from a backup. The files recovered with the decryption tools would be copied back to the reinstalled computer.
Recovering from a ransomware attack without paying cyber criminals is only possible with a proper backup and disaster recovery solution like Online Backup. The new Active Protection feature makes it possible to halt a ransomware attack immediately, which your usual security tools will not do. When you don’t have Online Backup Active Protection enabled, you’re able to recover data, but the process can take hours. If you have several PCs infected, this can have a serious impact on your productivity and consequently, on your revenue.