We are a one-stop shop for all your Digital Forensics, Cybersecurity, Incident Response and SOC requirements. Supported by the Sheikh Mohammed Bin Rashid establishment Dubai (SME), Digital Insights is one of the leading Cybersecurity companies in the UAE, headed by Mr Mohammad Abdulla Sahail Alzaffin Al Mehairi, a former IT Director of Dubai Municipality and current IT Director of Dubai South.


Ransomware — What to do when infected?

Updated: Sep 30, 2019

Getting infected by ransomware is extremely alarming but panicking will only make it worse! If you see a notification on your screen that says the computer is locked or your files are encrypted, don’t start clicking on anything. Take a step back and see your options. There are numerous steps that can help you gain control of your system (Windows) and files before you decide to pay the ransom.


P.S. If you are part of an organization and a victim of a ransomware attack, then we recommend getting a full-fledged Root Cause Analysis done on your system. This will avoid a second attack from the hacker on the compromised machine. Call us at +971 4 2415888 or +971 50 8865252 for a Root Cause Analysis to best help your business.




What kind of ransomware is it?


You'll have to find out if you've been struck by encrypting ransomware, screen-locking ransomware, or something that is pretending to be ransomware. Check if you can still access your files on the desktop or in the My Documents folder.


It is screen-locking ransomware if you cannot get past the ransom note on your screen, or the note claims to be from a government security agency accusing you of looking at pornography or filing false taxes and asks for a “Fine” (which isn’t half-bad).


It is encrypting ransomware if you are able to browse through directories or applications but are unable to open office files, media files or emails (which is scary).

It is a fake ransomware attack if you can both explore the system and read most of your files. Just ignore the ransom note in this case because someone is toying with you to get some money. In such a situation, try closing your web browser. If you can’t, press the CONTROL, SHIFT and ESC keys at the same time to open TASK MANAGER. Choose the APPLICATION tab, right-click on the Browser Application and click on END TASK.


Should I pay the ransom?

Keep in mind that if it’s a screen-locking ransomware, DON’T PAY THE RANSOM. Most security experts including Microsoft advise against paying the ransom because there is no guarantee that you’ll get your files back after paying. This only encourages more attacks.


On the other hand, if you need to recover business, medical or legal documents, family photos or other important files, paying a small amount may be a possible option because sometimes ransomware criminals unlock the files after receiving the ransom. We’d suggest staying neutral to the situation and deciding accordingly depending on the impact.


How to handle Encrypting Ransomware

Bear in mind that this is the most common and most harmful kind of ransomware, so implement these steps in the same order.


1. Disconnect your computer (but DON’T SWITCH IT OFF) from any devices including external disks. Go offline if you are on a network to avoid spreading the ransomware on your local network to other phones or file-syncing facilities.


2. Take a photograph of the ransom note on your screen using your phone or a camera. If you can take a screenshot, do that as well.


4. See if deleted files can be recovered. Many types of encrypting ransomware copy your documents, encrypt the copies and delete the originals afterwards. With tools like the free ShadowExplorer you may be able to retrieve deleted files.


5. Find out which type of encrypting ransomware you’re dealing with. If the ransomware has not announced its own name, try an online tool such as Crypto Sheriff or Ransomware ID. Both let you upload encrypted files and tell you whether the encryption is reversible or not.


6. Check if there are any decryption tools available. If you know the name of the ransomware, head over to the No More Ransom website and explore the list of decryption tools to find a matching decryptor.


7. Try restoring your files from a backup, that is, IF you regularly back up your computer. But before you do that, ensure that the backup files aren’t encrypted as well. Plug a backup drive into another computer, or log in to an online backup facility, to check the files.


If everything looks good, you will have to wipe the drive completely, reinstall the operating system and then restore these backup files.


P.S. If this process doesn’t work, you may have to either pay the ransom or surrender the files.


8. If you plan to pay the ransom, try to negotiate first. Usually, the ransomware notes come with instructions to contact the criminals running the malware. If that’s your case then contact them and strike a deal for a lower ransom. It works, contrary to what you think.


Once the deal is final, follow the payment instructions. Now, there still isn’t a guarantee that you will receive your files but most sophisticated ransomware criminals stay true to the deal.


9. If you can cut the cord on the files then reinstall the operating system. You might have to use installation CDs or USB sticks to install the OS, unless it’s Windows 10, because that has a “Factory Reset” option.


10. Definitely file a police report. Even though it sounds lame, it is an important legal step in order to file a lawsuit or an insurance claim related to the ransomware attack. This also helps authorities keep an eye on future attacks.
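For the check in step 7 (making sure the backup files aren’t encrypted as well), the following is an added example, not code from Digital Insights. It is meant to be run on the second, clean computer against the mounted backup. The function names, the signature table and the 7.5 bits-per-byte entropy threshold are assumptions chosen for illustration.

```python
import math
import os
import sys
from collections import Counter

# Leading bytes that intact files of these types always start with.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n",
         ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}

def entropy(data):
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def check_file(path, sample=65536):
    """Return 'ok', 'suspect' or 'unknown' for one file in the backup."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is not None:
        # Known type: an encrypted copy no longer starts with its signature.
        return "ok" if head.startswith(magic) else "suspect"
    if len(head) < 1024:
        return "unknown"  # too little data to judge by entropy
    # Unknown or renamed extension: near-random content suggests encryption.
    # Compressed formats missing from MAGIC also score high, so review hits by hand.
    return "suspect" if entropy(head) > 7.5 else "ok"

def scan_backup(root):
    """Walk a mounted backup (files are only read) and return {path: verdict}."""
    results = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                results[path] = check_file(path)
            except OSError:
                results[path] = "unreadable"
    return results

if __name__ == "__main__":
    # Usage: python check_backup.py <path to mounted backup>
    for path, verdict in sorted(scan_backup(sys.argv[1]).items()):
        if verdict != "ok":
            print(f"{verdict:10} {path}")
```

Any file reported as `suspect` should be opened by hand on the clean computer before the backup is trusted for a restore.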


To find out more call us at +971 4 2415888 or +971 50 8865252


How to handle Screen-locking Ransomware


Although screen-locking ransomware isn't as frequent as it was a few years ago, it still comes up now and again. Follow these steps to deal with it.


1. Disconnect your computer (but DON’T SWITCH IT OFF) from any devices including external disks. Go offline if you are on a network to avoid spreading the ransomware on your local network to other devices.


2. Take a photograph of the ransom note on your screen using your phone or a camera. If you can take a screenshot, do that as well.


3. Reboot your system in Safe Mode by simultaneously pressing the POWER button and the S key on the keyboard. Run antivirus software to remove the ransomware when the computer restarts.


4. If Safe Mode doesn't work, try System Restore. Most Windows computers allow you to roll back to the last known good state.


If you are unable to access the recovery screens but have the installation disk or USB stick for that variant of Windows, reboot from it and click Repair Your Computer instead of installing the OS.


5. To clean out your system completely, run antivirus software one or more times.


6. File a police report. This might sound pointless, but it's an important legal step if you want to file a lawsuit or an insurance claim related to the attack. This also helps authorities keep track of future attacks.


If nothing works and you’re still scared, then contact us!


Don’t wait for things to get worse if you cannot figure out how to deal with ransomware on your own. Call us straight away at +971 4 2415888 or +971 50 8865252. We provide 24x7 ransomware and malware support!
