Author: Kevin Vinitsky (Iron Oak Defense)

As you settle in to a day at work by reviewing the latest email, one wrong click can have disastrous consequences.

Infection by Malware can happen as quickly as that, and could have come from that email or another seemingly innocuous source. Regardless of how your computer’s defenses were bypassed, the ransomware has infiltrated the network and scrambled all your files.

If you’re lucky, it may be possible to decrypt the files by restoring from a backup. If not, you may have to pay the ransom demanded by hackers. Either way it can take from several hours to several days to regain access to your systems.

So, where do you start?

While regaining access to your data is the top priority, it’s also important to gather evidence of the attack and document the recovery steps that were taken. This information can be crucial to law enforcement, your insurance company, and others who may become involved in the situation. Here’s what to do next:

• If there is a message on the screen, use your cell phone to take a picture
• Turn off the computer and unplug it from the network and any external devices ASAP. While this workstation may not be the source of the infection, it can continue to propagate the virus if left connected
• Contact the information technology (IT) department to begin the reporting and recovery process. Depending on your industry, you may have legal obligations to report the ransomware infection to your customers

While this can be a frantic time, here’s what not to do:

• Don’t be too quick to pay the ransom. Your IT provider can determine the severity of the attack and possibly regain access to the data. Paying the ransom also doesn’t guarantee you’ll get your data back and may encourage the hackers to ask for more
• Don’t use the infected computer until it has been forensically examined and cleaned by IT

You’ll need to work with your IT provider to determine which strain of encrypting ransomware has taken over your system. They will also be able to determine the extent of the infection.

The next steps depend on whether or not you are going to try to recover your data without paying ransom.  If you are going to pay, don’t remove anything from the source of the infection as it will likely affect the unlocking process. You can also negotiate a price; they may agree to a lower amount than you might think. Be ready to pay with cryptocurrency, since these threat actors don’t take credit cards or checks.

If you’ve decided against meeting the demands, it’s time to start the recovery process. If the user data on the affected system has been backed up, it is best to erase the hard drive and reinstall the operating system. The user data can then be restored.

Lastly, in either scenario, determine if filing a police report is necessary for any insurance or legal action that may come later.

Moving forward, good security situational awareness that starts with employees is the key to preventing infection. While having all files backed up is an obvious requirement, it’s important your strategy doesn’t put all your backup eggs in one basket. It’s also critical to have a robust next gen antivirus system.

The old expression, ‘an ounce of prevention is worth a pound of cure,’ is especially true in technology situations. All it takes is one misguided click to ruin your day.