If you’re the victim of a ransomware attack, you may be wondering what you should do to get your files back. Do you pay? Do you ignore it? How can you tell if your computer was infected?

Fortunately, there are steps you can take to regain control of your files. Not only can you avoid paying the ransom, but you can also find out if you were attacked and if your files were actually encrypted.

In this post, we’ll show you how to detect ransomware and what steps you can take to decrypt your files and prevent ransomware attacks in the future. 

What are the Different Kinds of Ransomware?

Unfortunately, there are numerous strains of ransomware out there. Hackers are constantly looking for new ways to get money out of their victims, which ultimately breeds new threats that you need to be prepared for.

Though there are hundreds of strains of ransomware out there, with many more undoubtedly on the way, there are some key types that are most common. To give you an idea of what you might be dealing with, we have detailed these kinds below.

CryptoLocker

This particular strain changed the game in 2013, when the hacker behind the design successfully extorted almost $3 million from numerous victims. This success caught the attention of other hackers, who have repeatedly tried to achieve similar numbers over the years.

Crysis

Most commonly distributed via email through attachments or links, Crysis swiftly attacks the host computer to encrypt files. It uses a particularly strong encryption algorithm, which makes retrieving your files without the key exceptionally difficult. It can also infect your computer by disguising itself as an installer for legitimate programs.

GoldenEye

Many ransomware strains don’t possess a specific audience; they will attack anyone they can. GoldenEye, however, is targeted especially at human resources departments, which can cause havoc for businesses. It encrypts key files and even modifies the user’s hard drive with a custom boot loader. 

LockerGoga

This particular strain targeted a variety of European manufacturing companies via a phishing email. Hundreds of computers had to be replaced due to the damage caused, costing the company hundreds. 

Locky

Like LockerGoga, this ransomware spreads via email, in this case disguised as an invoice. We can’t stress enough how important it is to only open email attachments from sources you truly trust. Ransomware can be incredibly deceptive. It is designed to convince you to click it, so stay wary! Locky procedurally encrypts numerous files on your device.

These are just some examples of ransomware. There are truly hundreds out there, and while you don’t need to memorize them, it’s easier to preempt them when you know what you’re looking for. 

How to Detect a Ransomware Attack

Once upon a time, ransomware only struck personal computers. It wasn’t too difficult to detect, since the virus would usually take immediate effect, locking up your computer and demanding a ransom payment.

Now, personal computers and entire business networks are all targets. To achieve this, ransomware has had to get a little smarter than it once was. This makes detecting it even more difficult, but not impossible. Listed below are our top tips for detecting ransomware.

Always Check the File Extension

If you aren’t familiar with what a file extension is, it’s the group of letters after the dot at the end of a file name that indicates the file type. Common types include .doc or .pdf. Ransomware files come with their own set of extensions, because they aren’t actually the files they are pretending to be.

If you receive an email with an attachment, always check that the file extension seems legitimate. There are numerous ransomware extensions out there, with some of the most common being .ecc, .ezz, .exx, .XRNT, and countless others. If you don’t recognize it, question it. Ransomware extensions generally look like nonsense. 

Pay Attention to File Renames

This only applies if you are sharing multiple files over a large network, so this is a big warning sign for businesses with multiple users. File renames are not particularly common, even when files are shared among hundreds of people.

However, as part of the ransomware encryption process, files will be renamed numerous times, sometimes as many as four times per second. Certain software can pick up on this bizarre behavior and alert you before the ransomware can sufficiently spread.
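The two warning signs above, unfamiliar extensions and unusually fast renames, can be checked together over a file-server rename log. This is an added example, not part of the original post: the log format, sample lines and function names are constructed for illustration, the extension list is the one quoted above, and the threshold uses the four-per-second figure mentioned above.

```python
from collections import deque
from datetime import datetime, timedelta
from pathlib import PurePath

# Extensions named in the article; compared case-insensitively.
SUSPECT_EXTS = {".ecc", ".ezz", ".exx", ".xrnt"}

# Constructed sample audit lines (hypothetical format): time|user|old -> new
SAMPLE_LOG = """\
2024-05-01T09:00:00.000|alice|/share/q1/report.docx -> /share/q1/report-final.docx
2024-05-01T09:14:02.100|bob|/share/hr/a.xlsx -> /share/hr/a.xlsx.ecc
2024-05-01T09:14:02.300|bob|/share/hr/b.xlsx -> /share/hr/b.xlsx.ecc
2024-05-01T09:14:02.550|bob|/share/hr/c.pdf -> /share/hr/c.pdf.ecc
2024-05-01T09:14:02.800|bob|/share/hr/d.doc -> /share/hr/d.doc.ecc
2024-05-01T09:14:03.050|bob|/share/hr/e.doc -> /share/hr/e.doc.ecc
"""

def parse(line):
    """Split one log line into (timestamp, user, old_path, new_path)."""
    ts, user, paths = line.split("|", 2)
    old, new = paths.split(" -> ", 1)
    return datetime.fromisoformat(ts), user, old, new

def detect(log, max_renames=4, window=timedelta(seconds=1)):
    """Return alerts as (timestamp, user, reason) tuples."""
    recent = {}   # user -> timestamps of that user's renames inside the window
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, old, new = parse(line)
        q = recent.setdefault(user, deque())
        q.append(ts)
        while ts - q[0] >= window:      # drop renames older than the window
            q.popleft()
        if len(q) >= max_renames:       # burst of renames by one account
            alerts.append((ts, user, f"{len(q)} renames in {window.total_seconds():g}s"))
        ext = PurePath(new).suffix.lower()
        if ext in SUSPECT_EXTS and PurePath(old).suffix.lower() != ext:
            alerts.append((ts, user, f"renamed to suspect extension {ext}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert, sep="  ")
```

A single ordinary rename, like the first sample line, raises no alert; the burst from one account trips both checks, which is the point at which that machine should be disconnected from the network.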

Utilize Anti-Ransomware Agents 

Finally, the best way to detect and dispose of ransomware early is to use specialized software. There are plenty of scanners out there, many of them free, which will alert you before ransomware can truly take hold.

In addition to scanners, anti-ransomware applications can also prevent ransomware from encrypting data on your hard drive. This means that even if you can’t stop the virus entirely, you can at least reduce the damage. 

My Computer has Detected Ransomware, What Now?

First of all, don’t panic, and don’t make any rash decisions. Paying the ransom is never in your best interests. That is both our recommendation and the recommendation of all law enforcement. Paying can often just worsen your situation, as the hacker has no obligation to actually decrypt your files.

So, what can you do? The No More Ransom initiative is making strides to end ransomware for good, largely by providing free decryption software. This software is far from perfect, but it’s a great first step. You can actually use the file extension of the ransomware to locate the ideal decryption tool. 

There is plenty of advice already out there on what to do once ransomware has been detected, but the key points include:

  • Total Disconnection: This is especially true for computers connected to a larger network, but you need to disconnect entirely from all internet and Bluetooth access. Otherwise, the ransomware will only spread further.
  • Document the Ransom Note: This will help with your legal and insurance options further down the road. You can take a screenshot or take a picture with your smartphone. Whatever works, just make sure you get it.
  • Reboot Your Computer in Safe Mode: This mode drastically limits how many processes your computer can run, so the virus is effectively rendered useless. Think of it as a form of quarantine.
  • Run Your Antivirus Software: As a final minesweeper, run your ransomware scanner or other antivirus software. It should detect the problem and remove any corrupted files.

Unfortunately, once your computer is infected, the ransomware will start deleting files almost immediately. It usually achieves this by copying the original, encrypting the copies, and destroying the original. Depending on the ransomware, this process may be reversible. 

Can You Recover Deleted Files?

If you haven’t been able to prevent the ransomware from encrypting and deleting your files, not all hope is lost! You may still be able to restore some of the deleted files. It all depends on how these files were deleted. If they were overwritten, that complicates matters, but otherwise they should be relatively easy to restore.

There is plenty of free software out there that can help you recover lost files. A simple Google search should set you on the right path, but remember, only ever download applications from links you recognize or trust!

Don’t Hesitate, Stay Protected

Arming yourself with the right ransomware scanner and antivirus software is key to surviving a cyberattack relatively unscathed. It is incredibly unlikely that a hacker will provide a decryption key, even if you do pay. Don’t get caught out, prepare ahead of time!