What to do if Your Work Computer is Ransomeware'd
Malware has been a problem for business IT departments since the dawn of computers. Ever since a program could be hidden on an infected floppy disk, there have been malicious programs designed to wreak havoc, steal data, or simply destroy any computer they come in contact with. With the current age of wireless internet connections, instant downloads, and complex files, getting malware onto a work computer without the knowledge of employees are admins is easier than ever.
Among the top ranks of active malware epidemics, ransomware is easily among the worst. This recently very popular form of malicious software is designed not just to wreck your computer and potentially destroy your locally stored files, it holds your computer hostage and demands a ransom. Hence the name. Ransomware is not just a virus, it's psychological warfare meant to make the victim (in this case an innocent employee) panic and try to pay the money through untraceable electronic currency. Don't.
Today, we're here to cover what to do if you realize your computer has been infected with ransomware.
Most people have no idea when their computer is infected with malware because, naturally, malware is designed to be sneaky. It could have been anything from risky web browsing to a phishing email to a mistake made months ago that has been lurking in wait the whole time for this moment to strike. If you think you see an infection in action, flag it and delete everything associated with the suspicious file. Otherwise, don't worry about where the ransomware came from. Just what to do about it.
The trick to ransomware is encryption. Rather than simply deleting your local files, it encrypts them with a code only the malware (supposedly) has the decryption key for. In theory, this means that if you paid the hacker the requested bitcoins, they would decrypt your files and return them to use. In practice, recovery almost never happens whether or not you pay the ransom.
The ransom itself is usually where people realize they have a problem. One moment you're checking your email or entering data and the next, your screen goes blank. A hostile landing page appears with a message: "Your files have been encrypted by ransomware. If you ever want to see your precious files again, you'll send X bitcoins to XXX bank account within X hours. Otherwise, we will delete your files and you can kiss your computer goodbye."
This message is threatening, ominous, and maybe even gives you a glimmer of hope. But don't believe it. The ransom was written by a hacker who has no interest in helping you and has no reason to give your files back. In other words, the ransom is a lie even if the files could theoretically be decrypted by someone with the right key.
Accept That Your Files are Gone
So the moment you see that ransom message, the best first step for your solution is to accept that the files are gone for good. Whatever you lost, things stored locally instead of backed up on the cloud, is not coming back. This is technically good news because now you can focus your efforts on disaster recovery instead of dealing with a manipulative hacker or worrying about decryption. Files are gone, it's time to treat this situation like your computer just automatically wiped itself without your control.
Disconnect from Your Network
Now that you're ready to let go of the files (never pay the ransom), it's time to disconnect. Ransomware has been known to spread throughout a business network in order to gain more leverage. If they can take every workstation and server in your cluster, they can theoretically hold your entire business hostage.
Your best chance of preventing a system-wide attack is to disconnect your computer from the local network. If you're connected wirelessly (and can't turn off WiFi on your device because it's hacked), call your IT team to let them know what's up and to block your IP/MAC address from the network for the foreseeable.
Wipe to Factory Settings
Next, it's time to rescue your computer. Malware didn't damage the physical components, just the software and files. This means that if you wipe your computer back to factory settings, it will come back equally functional (perhaps better if it was suffering from software bloat) and ransomware-free.
If you don't know how to wipe your computer back to factory settings, check with your IT team. With many devices, your step after this will be to reinstall Windows which will start automatically.
Reload from Any Available Backups
Finally, you're ready to put your workstation back into working order. Because the hardware is fine, your computer has essentially been returned to a 'new' state and just needs to go through the initial workstation setup. It will need all your business software installed and, if you have backups, you might even be able to restore the computer (and files) to almost exactly how things were before ransomware struck.
Get More Information from IronLogix
Ransomware can happen to anybody, no matter how careful you are. It can even be let in by someone else and happens to trigger when you're on shift. If that ransomware message appears on a computer you are assigned to at work, don't panic. Keep calm, contact your IT team, and follow these steps. Your files may be gone but you may be able to save your network and restore from backup without any additional damage. For more tips on how to handle workplace IT security threats with the least amount of damage to your company, contact us today!