IT21st
Los Angeles Best IT Services Provider

What to do if you are hit by ransomware

Apr 7, 2021

Recently, we got a call from a panicked business owner that he was a victim of a ransomware attack (Malicious Malware that uses encryption software to encrypt your data) and all his important data (Word, Excel, PowerPoint, QuickBooks, etc.) was encrypted. The hacker was asking in a ransom note to pay thousands of dollars to provide the encryptions key to unlock his data. Ransomware is becoming very prevalent these days and there are not that many choices to deal with it.

Unfortunately, there is not much information out there to assist the victims, so I am writing this blog, based on our experiences dealing with clients and prospects that have had their network hit by ransomware.  Without going into the details of how you got it or giving you a lecture about prevention, here are some insights and steps that you can take to assist you with dealing with this crisis (if it happens to you) and help you to come up with an expedient resolution:   

    1. Contact a reputable IT company specializing in dealing with cybersecurity right away.  We do not advise you do it alone. 
    2. Disconnect infected computers from the internet and turn off your firewall, router, and modem immediately.  Do not turn anything on until you have taken all the precautions advised by your I.T. Security consultant. 
    3. Please do not run any Antivirus on any of the computers.  This may make the problem more complicated.  
    4. Do not pay the ransom yet. However, paying it only encourages and funds these attackers. Even if the ransom is paid, there is no guarantee that you will regain access to your files. Make sure the hacker has the key and can send you a copy of an unencrypted file.  Calculate the cost of downtime and your data before negotiating and paying the ransom. If you do not need the data, reformat and reinstall the Operating System and install your applications.
    5. Do not provide personal information when dealing with the hacker.  They usually provide you with the details on how to pay them with Cryptocurrency, such as Bitcoin.  Follow their instructions if you decide to pay them.
    6. Find out if there is a way to stop the encrypting process.  Do not attempt to run any tools or utilities unless you have a good backup and are prepared to restore the entire (or image) backup.  Also, find out the time that Ransom malware hit you.  Which drives in your network and files were hit? What was the culprit?  Did you click on a link? Maybe open an attachment?  Did it happen by itself? Gather as much information that you can get for filing a police report or coming up with an action plan to remove and eradicate the ransomware.    
    7. Figure out what type of encryption you are dealing with. The file extensions will let you know what kind of encryptions is used to lock your files. Visit, https://techviral.net/ransomware-encrypted-file-extensions/. There are decoding keys available online that can help you.  By submitting a sample of an encrypted file to I.D.- Ransomware https://id-ransomware.malwarehunterteam.com / , you can download the encryption key. You may get lucky, and one of these keys will work. Some ransomware, such as Petya, can be easily fixed by creating or copying specific files such as Master Boot Record.  Some screen locking can just be ignored by just turning the computer on and off or in a safe mode and running antivirus or antimalware. Again, proceed with caution and let professionals do this.
    8. Check out online forums such as Reddit or another technology forum for other victims and see what they have done.   
    9. Remember, there is a strong chance that the hacker could have infiltered your computer/network way before he encrypted the files and put up the ransom alert. The surest way to get rid of the attack is reformatting your computer(s) and server (s). We recommend a full security check on your network to identify the penetration point(s) and ensure adequate security is implemented before your data recovery. The statistics indicate once you are hit, they come back again. 
    10. If you have a good and recent backup, restore the encrypted data from your good backup. Restoration of your files from a backup is the fastest way to regain access to your data. Once the files are restored, scan your computer with a reputable antivirus. 
    11. If all fails and you have to pay the ransom, negotiate and see if you can lower the demand.  Most of the time, you are pressured by the hacker that if you do not pay right away, if you don’t, the ransom money will increase daily.  But ultimately, the hacker wants to be paid.  So they will negotiate.
    12. Call the FBI. It is a good idea to contact the FBI and remember that most of these hackers are residing in countries that are adversaries of the United States. So there are no jurisdictions over them. Take pictures of the ransom note and other information to file a complete police report. For more information, here is a link to the FBI’s ransomware webpage: https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware .
    13. Call your bank and other financial institutions that you deal with and let them know what happened.  Many times they have guidelines that can help. 
    14. Contact your insurance company.  Dealing with ransomware is very expensive and time-consuming.  Your insurance coverage may help with paying some of the expenses.  Also, Insurance companies may have guidelines on how to handle this kind of attack. 
    15. Contact your clients and vendors.  Let them know what happened, especially if their sensitive information was compromised—file appropriate reports such as HIPAA and other compliance reports.
    16. If you put your system back on the network, make sure that all software is up-to-date with relevant patches.  Your firewall has the latest firmware updates.   Eliminate the vulnerabilities that caused the problem to begin with. Regular patching of vulnerable software is necessary to help prevent infection.
    17. Share your experience so others can benefit from it.

One last thing to remember: Ransomware criminals often attack small and medium-sized businesses. Because they do not have the latest and best security installed, and their network has many vulnerabilities that can easily be exploited. 

Time is the essence in this type of crisis. We have the knowledge and expertise to assist you. Contact us today at 855-448-2178 or info@it21st.com to help you out with your IT needs. IT21ST is a trusted name in the local community and has gained that reputation by providing quality, dependability, and a robust IT support system. Our IT Services include remote IT support, Cloud Migration, Azure Migration, Cyber Security support, Backup, and Recovery.