It’s something from our worst nightmares: you log into your machine and you’re greeted by a locked screen and a threatening message.
Try as you might, you’re unable to get access to your computer or files: you’ve really done it this time. You’ve just been hit by ransomware.
However, many users seem blissfully unaware of the threat, and more importantly – what to do when it hits. Debate rages in security circles over the right course of action to take: do you pay up to get your data back, or ignore the demands?
Many security experts in fact advise taking the latter route, believing that monetary gain will only encourage the problem – and the user won’t have a good chance of getting their data back in any case.
However, if the data involved is critical and irreplaceable, some experts recommend taking the gamble and shelling out.
Whichever way you proceed, you’ll still need to follow some other guidelines before even thinking of recovering your data.
1) Disconnect from any local networks
Many forms of ransomware can spread rapidly between computers sharing the same local network, such as a workplace or school intranet.
As soon as you notice a ransomware infection, be sure to disconnect the affected computer from any local network to avoid contaminating your entire organisation.
If you’ve got a wired ethernet connection, this is as simple as unplugging the cable. Those on wireless shared networks will need to try to access their Internet settings and disconnect the machine.
If you’re unable to access this, shutting down the computer will give you time to deal with the situation without the risk of downing your entire network.
2) Alert law enforcement
This step might not always be applicable, and it certainly won’t result in an improvement to your predicament.
However, your local authorities should know about ransomware threats, particularly if this strain of ransomware has been localised, i.e: it specifically mimics your country’s local intelligence or federal police logos.
While the crime is unlikely to result in a conviction, it can alert law enforcement to current threats and aid ongoing investigation into the distribution and creation of new ransomware types.
3) Carefully consider your options.
Now that you’ve taken care of any immediate danger, consider whether the data you’ve lost to ransomware has backups or alternate copies elsewhere, e.g: cloud backup services, physical media, external drives or within your local network.
Even if these copies are old, they can be a much easier option than starting fresh, or trying to retrieve your current version from the clutches of malware.
However, if you’ve failed to backup your data, you’re now in a tougher position. What’s your lost data worth? Remember that paying a ransom is no guarantee for getting back your data, so be prepared to lose any money expended in regaining your files.
Generally, paying up is only indicated in cases of profound data loss, where the consequences of non-recovery would be costly or cause great hardship for the person or the organisation. For example, a multinational company who loses millions of customer records to ransomware might decide it’s worth handing over the cash.
Even still, some experts recommend against this course of action: there’s essentially no telling whether the data will be spilled or destroyed in spite of the demand being met. In most cases, it’s best to cut your losses and move on with the cleaning process (and make wiser choices in the future!)
Wondering how to avoid ransomware in the first place? We’ve got you covered. Take a look at our guide to preventing ransomware.