Thousands of people fall victim to ransomware every day. Here are the steps to take to maximise the chances of getting your data back
You’re working away on your charity’s computer when suddenly a message pops up on your screen.
"Your important files are encrypted. If you want to decrypt them you need to pay us."
You’ve just fallen victim to a ransomware attack.
The first thing to do is take a deep breath. Don’t panic. Multiple businesses and charities fall victim to a ransomware attack every minute, according to CyberSecurity Ventures, so you are not alone.
What you do next may be the difference between a minor inconvenience and a catastrophe for your charity. By following these steps you can maximise the chance of retrieving your data, and minimise the impact of the ransomware attack on you and your charity.
As soon as you are aware of a ransomware attack, disconnect your computer from the network and any attached storage systems such as external hard drives or USB sticks. This is to try to prevent the ransomware spreading to any other of your charity’s computer systems, or to externally stored data such as backup drives.
Once you have disconnected your computer, take a photograph of the ransom note on your screen. This is important in case your charity needs to make a cyber insurance or some other insurance claim.
Since ransomware can spread from one machine to another, it’s important to tell your charity’s IT department, if it has one, or your colleagues about the attack.
That will enable them to take steps to ensure that more of your charity’s computer systems do not fall victim to the ransomware. You are also encouraged to report cyber crime and fraud to Action Fraud. It may also be necessary to inform the Information Commissioner’s Office (ICO) and the Charity Commission.
Different strains of ransomware use different methods to encrypt your data, so if you want to be able to decrypt it then it’s important to identify exactly what you have fallen victim to.
There are a number of free online services which can identify the ransomware for you after you upload an encrypted file or the ransom note. These include ID Ransomware and Crypto Sheriff. Alternatively, if you have access to another computer, you can download a free identification tool such as the Bitdefender Ransomware Recognition Tool.
Before making any attempts to retrieve your data, it is vital that you remove the ransomware infection from your computer. If you don’t, the ransomware will simply re-encrypt any data you recover and you will be back in the same situation as before. Most good endpoint protection products from vendors such as Avast, Bitdefender, or Norton should be able to do this.
Some strains of ransomware copy data, encrypt the copies, and then delete the original data. If that’s the case then it may be possible to recover some of your data using a tool such as ShadowExplorer or Recuva.
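One way to check for and recover an earlier copy of a file without ShadowExplorer is to use the Volume Shadow Copy snapshots that Windows keeps itself. This is an added example, not code from the article or from ShadowExplorer or Recuva; it assumes Windows, an elevated PowerShell session, that snapshots of C: still exist, and that you know roughly when the attack happened (the file path, destination and attack time below are placeholders).

```powershell
# Added example: recover a file from a Volume Shadow Copy with built-in Windows tools.
# Assumptions: elevated PowerShell on Windows; shadow copies of C: still exist (many
# ransomware strains delete them, so an empty list means this route is closed and you
# must fall back to backups). All paths and times below are placeholders.

$FileToRecover = 'Users\Alice\Documents\donors.xlsx'   # relative to the volume root (placeholder)
$RestoreTo     = 'D:\recovered'                        # destination on a clean drive (placeholder)
$AttackTime    = Get-Date '2024-01-15 09:00'           # snapshots after this may hold encrypted data

# 1. Find the volume GUID path for C: and list its snapshots, newest first.
$volId   = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq 'C:').DeviceID
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volId -and $_.InstallDate -lt $AttackTime } |
    Sort-Object InstallDate -Descending

if (-not $shadows) {
    Write-Warning 'No pre-attack shadow copies of C: remain; restore from backup instead.'
    return
}
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# 2. Expose each snapshot through a directory symlink (trailing backslash required)
#    and copy the file from the newest snapshot that still contains it.
New-Item -ItemType Directory -Path $RestoreTo -Force | Out-Null
foreach ($s in $shadows) {
    $mount = Join-Path $env:TEMP ('vss_' + $s.ID.Trim('{}'))
    cmd /c "mklink /d `"$mount`" `"$($s.DeviceObject)\`"" | Out-Null
    try {
        $src = Join-Path $mount $FileToRecover
        if (Test-Path $src) {
            Copy-Item $src -Destination $RestoreTo
            Write-Host "Recovered $FileToRecover from snapshot taken $($s.InstallDate)"
            break
        }
    } finally {
        # Remove only the link; the snapshot itself is untouched.
        cmd /c "rmdir `"$mount`"" | Out-Null
    }
}
```

Open the recovered file from the clean drive before relying on it, and keep the original encrypted copy offline in case a decryption tool appears later.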
Modern encryption techniques, when properly implemented, result in encrypted files which are effectively impossible to decrypt without the encryption key, which only the ransomware author possesses. (It may be possible to guess the encryption key, but a fast computer making millions of guesses per second could take thousands of years to chance upon the correct key.)
The good news is that in some cases the ransomware authors have not implemented the encryption correctly, or the decryption keys (or ways to generate them) have leaked out into the public domain. That means that if you have fallen victim to one of these strains of ransomware then it is possible to decrypt your files and restore access to your data. To make this easy, many security researchers have created decryption tools.
To decrypt your data, head to a decryption tool repository such as NoMoreRansom or Heimdal Security’s decryption tool directory. If the strain of ransomware you identified in step 4 above is listed then download the decryption tool, and then follow the instructions to decrypt your data.
If no decryption tool exists for the ransomware that has encrypted your files, then the next course of action is to delete the encrypted data files (or, better still, store them somewhere offline in case a decryption tool becomes available at a later date) and restore them from a backup.
This, of course, presupposes that an up-to-date backup of your data exists, and the backup has not also been encrypted or infected by the ransomware. Backups are more likely to be out of date or encrypted if they are carried out manually (perhaps every evening) and stored on a second hard drive or a connected external drive than they are if they are carried out automatically to a backup storage service in the cloud such as Livedrive or Carbonite.
To ensure that no trace of the ransomware remains on your computer, some security experts recommend completely wiping your hard drive and reinstalling the operating system and all applications before restoring your data.
If no decryption tool exists and restoring data from a backup is not possible (or the data is too far out of date to be useful) then the final option is to consider paying the ransom.
There are a number of important things to consider carefully: