How To

How to Limit the Damage From Ransomware Attacks

By Sydney Butler / May 30, 2018

Ransomware is one of the most horrifying forms of malware to be hit with. In mid-2017 there was a global ransomware attack that knocked out businesses, critical systems, and personal computers all over the world. There's no telling what the real economic damage of this unprecedented plague of malicious software was. We do however know the personal impact.

People lose their data, hours of work and sometimes critical opportunities. At the very least cleaning up after a ransomware attack is a pain of epic proportions.

What Exactly is Ransomware?

Ransomware

As the name suggests, victims of ransomware are held to ransom by the creators of the software. It does this by quietly encrypting the contents of your hard drive and all other storage that computer is connected to. Depending on who coded the ransomware in question the encryption might not be indiscriminate. Smart ransomware will start with locations that are most likely to contain valuable information.

When the malware has encrypted enough of your data, you'll get a message from the creators. They have your data and unless you pay them, (usually in Bitcoin) you'll never get it back. It's a serious threat too since, without the key, the decryption is basically unbreakable with present-day technology.

What Not To Do

The most important thing you should know is that under no circumstances should the hackers get money. While some hackers might actually give you the key to unlock your files, in most cases they'll never come back to you. After all, why take the risk of exposing themselves by communicating any further. Apart from this, actually paying ransomware attackers means they'll keep doing it.

Recognizing an Attack

The encryption phase of a ransomware attack takes a long time. This means you have a window of opportunity before all of your information is locked away for good.

If you can spot the signs of a ransomware attack early, you can use anti-malware software to stop and remove the malware before it goes any further.

The most common sign of a ransomware attack is that files with weird extensions begin to appear. For example, in the case of the Wanna cry ransomware, some of the extensions are as follows:

You may also notice that your computer slows down suddenly, the system's CPU usage can also shoot up as the encryption cipher runs. If you notice such symptoms check your hard drive for recently created files with weird extensions. Chances are you've for a ransomware infection on your hands.

Pull the Plug Immediately

Ethernet Plug

It's very important that you immediately isolate the infected machine from the network. Pull the Ethernet. Switch off the WiFi. Unplug any USB drives. If you're lucky the ransomware hasn't jumped across to network share drives or other computers yet.

Check Your Other Machines Immediately

Even if your first infected system is a lost cause, you might still have time to limit the damage to those machines, since little data might have been encrypted.

Some ransomware also needs to call back home in order to get unique encryption keys or other instructions. Cutting off the network connection also stops that from happening.

Use Cloud Storage for Critical Files

Cloud shape cutout over cloud scenery

Services like DropBox have strong malware filters and a window of opportunity to roll back your data. The free version of DropBox can roll back your online drive to any point in the last 30 days. You just need to drop them an email with the details of your request. Be warned that free users might have to wait a while before DropBox responds. Premium users will get a quick answer and you can pay to have that safety net period extended too.

Check Your Shadow Volume

Windows has a shadow volume system that contains automatic backups of some files. Often older versions of files. While some newer ransomware now destroys the shadow volume copies of files, you can often retrieve older versions of important files by using programs such as Shadow Explorer. It won't save all your data, but it might save that one file you really could not afford to lose.

Some Ransomware has Been Cracked

In some cases, the decryption key to unlock a specific ransomware's encryption have been discovered one way or another. For example, the TeslaCrypt ransomware key is available online and will undo the damage. So if you know which ransomware you've been hit with, check Google to see if anyone has found the key to decrypting it. It's a long shot, but if you don't look you won't know.

Preventing Ransomware Attacks

While it's good to know what to do after an attack has already happened. The first and most obvious thing to do is get anti-malware software that actively monitors your computer and immediately puts a stop to it.

You should also disable office macros. Lots of malware comes in the form of code embedded in an office document. If macros are disabled it can't run. Only allow macros for documents you were expecting and who need macros to work properly.

In fact, strict control of what you click on or download from emails is a key part of preventing ransomware attacks, to begin with.

You should also make a habit of creating multiple offline backups. In which case you can simply wipe the whole system and restore from the last healthy disk image.

Don't be a Victim

Sometimes, no matter how well you prepare, something like ransomware will make it through your defenses and land a devastating blow to your system.

The most important thing you can do is to stay calm. If your data is lost, then it's lost. It's better to focus on what you can salvage. You should also make sure you have a good general security mindset. For example, every security-conscious user should be using a VPN service. One of our favorite services is ExpressVPN, give it a try and experience real peace of mind.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: