Tue, May 27, 2014

Ransomware Removal: 6 Tips to Get Your Data Back

It’s 4:00 PM on Friday. Your IT director has just called to tell you that there appears to be a problem with key data on your system. A user of the network opened an attachment, and now her machine and the shared drive she accesses and uses routinely are encrypted. Worse, there is a demand note displayed on her system.

Your data is being held for ransom.

What do you do?
  1. Act quickly
    Much ransomware runs on a deadline. Delay can raise the ransom, let the infection spread to other drives the machine can reach, or cost you the option of paying for the decryption key at all.
  2. Quarantine
    Disconnect the affected machine from the network (unplug the cable or disable the wireless adapter).
    DO NOT MOVE DATA or remove the malware yet: the machine is evidence, and the malware sample is needed to identify the variant and for law enforcement (step 6).
  3. Determine exposure
    What storage devices were attached to the attacked machine?
    What network drives were mapped to it?
    What sensitive data is on the machine?
    Remember that many versions of this attack also drop additional hidden malware, such as credential stealers or spam bots, so treat any password used on the machine as compromised.
  4. Verify your backups and preserve logs
    Restore your data from backup to a separate, clean machine.
    Verify the restored copy (file counts, and hashes where you have them) before removing anything from the old machine.
    Keep all logs for the affected system and network, and make sure they are neither rolling over nor exposed to encryption themselves.
    If you can, wipe the old drive and rebuild rather than trusting a cleaned-up install.
  5. Call Kroll cybersecurity for expert help (1-866-419-2052)
    Kroll will have the affected machine checked for malware.
    Kroll can install monitoring software to confirm that the attacker no longer has access.
  6. Call the police/law enforcement
    Kroll will help you provide a copy of the attacking malware to investigators.


Kroll's Cyber Security Ransomware Webinar is available on demand.
