How to remove ransomware from your system
Ransomware can be very disruptive to businesses and organizations. A ransomware pop-up creates panic in a user. Anyone would be disturbed to see that their system's performance is compromised or that the files they try to open are encrypted. Additionally, the prompt demanding money to unlock or decrypt the system creates havoc within the organization and for the user. Business is hampered by a ransomware attack because one loses access to files and systems.
Ransomware is mostly detected only when the attacker announces it, for example through a pop-up on the screen. Other indicators of a ransomware attack include alerts from antimalware software, lagging system performance, blocked access to files and anomalous network behavior.
Ransomware can be removed by following these steps:
Step 1: Isolating the infected device
Right after a ransomware attack, we need to disconnect the affected device from any wired or wireless connections, including the internet, networks, mobile devices, flash drives, external hard drives, cloud storage accounts and network devices. This stops the ransomware from spreading to other devices.
In a scenario where a ransom hasn't been demanded yet, the malware should be removed from the system immediately. If a ransom has been demanded, any engagement with the perpetrators must be cautious, and agencies such as the FBI generally recommend not engaging at all.
Step 2: Determining the type of ransomware
Remediation is easier if we know which strain of ransomware has infected the device. However, this is not possible with locker ransomware, since it blocks access to the device itself. An experienced security professional may need to examine the device, or a software tool may be needed to diagnose it. Many such tools are available as freeware, while others require a paid subscription.
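Identifying the strain starts with collecting the artifacts it leaves behind: ransom-note files, the extension appended to encrypted files, and files whose contents have become high-entropy ciphertext. The following triage script is an added example for this article, not a tool from any vendor or from the original page; the note-name pattern, the extension list and the sample files it creates are constructed assumptions rather than indicators of any specific ransomware family. The report it produces is the kind of evidence a responder would hand to a security professional or an identification tool.

```python
"""Ransomware triage helper: collect indicators that help identify a strain.

This is an added example, not a tool from the article or from any vendor.
The note-name pattern, the extension list and the sample files are
constructed assumptions, not indicators of any specific ransomware family.
"""
import math
import os
import re
import tempfile
from collections import Counter

# Assumed: words that commonly appear in ransom-note file names, with the
# text/HTML/HTA extensions such notes usually carry.
RANSOM_NOTE_PATTERN = re.compile(
    r"(decrypt|recover|restore|ransom|how[_ -]?to).*\.(txt|html?|hta)$", re.I
)

# Assumed list of ordinary document extensions. A file named
# 'report.docx.<something>' whose trailing suffix is not in this list is
# treated as a suspicious appended extension.
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0). Ciphertext sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def appended_extension(name: str) -> str:
    """Return the unknown suffix of a double extension ('.locked' for
    'invoice.pdf.locked'), or '' when the name looks normal."""
    root, last = os.path.splitext(name)
    _, inner = os.path.splitext(root)
    if inner.lower() in COMMON_EXTENSIONS and last and last.lower() not in COMMON_EXTENSIONS:
        return last.lower()
    return ""


def triage(root: str, entropy_threshold: float = 7.5, sample_bytes: int = 4096) -> dict:
    """Walk a tree and collect ransom notes, appended extensions and
    high-entropy files. Only the first sample_bytes of each file are read,
    and files shorter than 256 bytes are skipped for the entropy check
    because the estimate is unreliable on tiny inputs."""
    report = {"ransom_notes": [], "appended_extensions": Counter(), "high_entropy": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if RANSOM_NOTE_PATTERN.search(name):
                report["ransom_notes"].append(path)
                continue
            suffix = appended_extension(name)
            if suffix:
                report["appended_extensions"][suffix] += 1
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            if len(head) >= 256 and shannon_entropy(head) >= entropy_threshold:
                report["high_entropy"].append(path)
    return report


def triage_demo() -> dict:
    """Create a constructed sample tree in a temp directory and triage it."""
    base = tempfile.mkdtemp(prefix="triage_demo_")
    samples = {
        "HOW_TO_DECRYPT_FILES.txt": b"Constructed ransom note text.\n",
        "report.docx.locked": bytes(range(256)) * 16,  # stand-in for ciphertext, entropy 8.0
        "notes.txt": b"meeting notes\n" * 100,  # ordinary low-entropy text
    }
    for name, content in samples.items():
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(content)
    return triage(base)


if __name__ == "__main__":
    for key, value in triage_demo().items():
        print(key, value)
```

Run it against a copy of the affected share (or a mounted disk image), never against the live, still-connected device. The entropy threshold is deliberately conservative: compressed archives and media files also score high, so treat "high_entropy" as a lead to confirm against the appended-extension count and the note text, not as proof on its own.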
Step 3: Removing the ransomware
The ransomware has to be removed before the system is recovered. In the course of the attack, the ransomware first infects the system and encrypts files and/or locks system access; the system can then be unlocked only with a password or decryption key.
A few options for ransomware removal are as follows:
- Ransomware sometimes deletes itself after infecting a device; other times it stays on the device to infect other devices or files. So we should check whether it has been deleted or not.
- We can use antimalware/anti-ransomware software, which can quarantine and remove the malicious software.
- Ask security professionals for help. We can hire technical staff or seek professional help within the organization to assist us with the ransomware removal.
- We can also remove it manually by checking the installed software and then uninstalling the ransomware file. Only seasoned security professionals should attempt this.
Encrypted files may still be inaccessible even after the ransomware is removed.
Step 4: Recovering the system
We can restore files by restoring a previous version of the OS from before the attack occurred. The System Restore function should be used only if the backups were not encrypted or locked. In this case, files created after the last backup date will not be recovered.
Most mainstream operating systems have tools that can recover files and provide other capabilities to restore compromised systems.
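Because a restore is only as good as the backup it comes from, and ransomware that reached a backup share will have encrypted or renamed files there too, it is worth checking the backup against a hash manifest recorded at backup time before restoring anything. The following script is an added example for this article, not part of any operating system's restore tooling or any backup product; the manifest format (one "sha256  relative/path" line per file) and the sample files are assumptions of the example.

```python
"""Backup integrity check before a restore.

Added example, not part of the article or any backup product. The manifest
format (one 'sha256  relative/path' line per file) and the sample files
are assumptions of this example.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir: str, manifest_path: str) -> int:
    """Record the SHA-256 of every file under backup_dir; returns the file count.
    Keep the manifest where the backed-up host cannot overwrite it (offline or
    write-once storage), otherwise an intruder can rewrite it along with the data."""
    entries = []
    for dirpath, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            entries.append(f"{sha256_file(full)}  {os.path.relpath(full, backup_dir)}\n")
    with open(manifest_path, "w") as fh:
        fh.writelines(sorted(entries))
    return len(entries)


def verify_backup(backup_dir: str, manifest_path: str) -> dict:
    """Compare the backup tree against the manifest. A file is reported as
    'mismatch' when its hash changed (e.g. encrypted in place), 'missing'
    when it is gone or renamed, and 'unexpected' when it is not in the
    manifest (e.g. a renamed copy with an appended extension)."""
    expected = {}
    with open(manifest_path) as fh:
        for line in fh:
            digest, rel = line.rstrip("\n").split("  ", 1)
            expected[rel] = digest
    result = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    for rel, digest in sorted(expected.items()):
        full = os.path.join(backup_dir, rel)
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif sha256_file(full) != digest:
            result["mismatch"].append(rel)
        else:
            result["ok"].append(rel)
    for dirpath, _, files in os.walk(backup_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), backup_dir)
            if rel not in expected:
                result["unexpected"].append(rel)
    result["safe_to_restore"] = not (result["mismatch"] or result["missing"] or result["unexpected"])
    return result


def restore_demo() -> dict:
    """Constructed scenario: a clean backup is verified, then the backup share is
    altered the way ransomware would alter it (one file rewritten, one renamed)
    and verified again."""
    base = tempfile.mkdtemp(prefix="restore_demo_")
    backup = os.path.join(base, "backup")
    os.makedirs(os.path.join(backup, "finance"))
    samples = {"finance/q1.xlsx": b"constructed spreadsheet", "policy.pdf": b"constructed pdf"}
    for rel, content in samples.items():
        with open(os.path.join(backup, rel), "wb") as fh:
            fh.write(content)
    manifest = os.path.join(base, "manifest.sha256")  # stored outside the backup tree
    write_manifest(backup, manifest)
    before = verify_backup(backup, manifest)
    with open(os.path.join(backup, "policy.pdf"), "wb") as fh:
        fh.write(b"\x00" * 32)  # contents replaced
    os.rename(os.path.join(backup, "finance", "q1.xlsx"),
              os.path.join(backup, "finance", "q1.xlsx.locked"))
    after = verify_backup(backup, manifest)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, outcome in restore_demo().items():
        print(stage, outcome)
```

The point of the "unexpected" bucket is that a renamed file is not merely missing: its encrypted copy is still sitting in the backup, and restoring the tree wholesale would carry it back onto the recovered system. Restore only from a backup whose verification reports safe_to_restore, and from a manifest that was written before the incident.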
The following activities need to be carried out after recovering the system:
- All passwords and security access codes should be changed.
- Firewall rules should be checked and confirmed, and antimalware software should be kept up to date.
- Ransomware prevention measures should be followed to avoid future attacks.