What are the things to do immediately on a ransomware infected device?

Arun K R Staff asked 5 years ago
1 Answer
Benson Staff answered 5 years ago

STEP 1- Disconnect

  • Immediately disconnect the infected device from any network it is on.
  • Turn off any wireless capabilities such as Wi-Fi or Bluetooth.
  • Unplug any storage devices such as USB or external hard drives.
  • Do not erase anything or clean up any files or anti-virus.
  • To find out which computer is patient zero, check the properties of any encrypted file.

STEP 2- Determine the Scope

It is important to know whether the first infected machine has access to any of the following:

  • Shared or unshared drives or folders
  • Network storage of any kind.
  • External hard drives
  • USB memory sticks with valuable files.
  • Cloud-based storage such as Dropbox, Box, Google Drive and Microsoft OneDrive/SkyDrive

STEP 3- Determine the Strain

  • Some infect just the files, others do the hardware.
  • Some have options other than BTC for payment.
  • There are some free decryption tools for certain strains.
  • Different strains have different ransom amounts and ability to spread.

STEP 4- Evaluate your Responses
To put it bluntly, you have 4 options, listed here from best to worst:

  • Restore from a recent backup.
  • Decrypt your files using a third-party decryptor (this is a very slim chance).
  • Do nothing (lose your data).
  • Negotiate/pay the ransom.
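
An added example (not part of the original answer) for the patient-zero check in Step 1: a read-only Python sketch that groups encrypted files on a share by owning account and reports each account's earliest-modified file. It assumes the file properties of interest are the owner and the last-modified time, that it runs on a POSIX file server or NAS where `st_uid` is meaningful (on Windows the owner is read from the file's ACL instead), and that `.locked-example` is a constructed placeholder for the strain's real extension.

```python
import os
import tempfile
from collections import defaultdict

try:
    import pwd  # POSIX only; maps a uid to an account name
except ImportError:
    pwd = None

def owner_name(uid):
    """Resolve a uid to an account name, falling back to the raw uid."""
    try:
        return pwd.getpwuid(uid).pw_name
    except (AttributeError, KeyError):  # no pwd module, or unknown uid
        return str(uid)

def summarize_encrypted(root, ext):
    """Group files ending in `ext` by owner: count, earliest mtime, its path."""
    summary = defaultdict(lambda: {"count": 0, "first_mtime": None, "first_path": None})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ext.lower()):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # metadata only; nothing is opened or changed
            except OSError:
                continue
            entry = summary[owner_name(st.st_uid)]
            entry["count"] += 1
            if entry["first_mtime"] is None or st.st_mtime < entry["first_mtime"]:
                entry["first_mtime"], entry["first_path"] = st.st_mtime, path
    return dict(summary)

def build_sample_tree(root, ext=".locked-example"):
    """Constructed sample: three 'encrypted' files and one untouched file."""
    stamps = {"share/a.docx" + ext: 1_700_000_300,
              "share/hr/b.xlsx" + ext: 1_700_000_100,  # earliest write
              "share/c.pdf" + ext: 1_700_000_200,
              "share/readme.txt": 1_700_000_000}
    for rel, mtime in stamps.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.utime(path, (mtime, mtime))
    return ext

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(summarize_encrypted(tmp, build_sample_tree(tmp)))
```

The account that owns the encrypted files, together with the earliest write time, points at the workstation to examine first; timestamps are a lead rather than proof, since they can be altered.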