
Ransomware attack recovery pointers for when you've been hit

Ransomware recovery is a complex and expensive process, and an attack can happen to anyone. Taking precautions and acting early could save your data -- and a good amount of money.

Ransomware is a pervasive threat in the IT world, and can target anyone. Thanks to evolving technology and well-practiced scripts, even seasoned professionals in the world of data protection and recovery can find themselves under siege.

I'm still amazed that I was the victim of a ransomware attack. As an analyst, writer and educator, I've been involved in security-related activities for many years, but I still became a victim. Much of the focus on ransomware today is prevention, but ransomware attack recovery is just as important a topic. Here, I will discuss what happened, how I responded and lessons I learned from the incident.

Every ransomware attack is unique, and tactics are evolving constantly. Hopefully, this experience will help you lay the groundwork for a ransomware recovery plan and avoid common errors.

The initial attack

My ransomware experience started in a way that will be familiar to many: I was on the internet when suddenly the laptop screen flashed a message that my computer had been locked.

Mistake No. 1. I kept the system on, instead of shutting it down. Once I read the message, I called the number provided on the screen to hopefully have the lock disabled, and, of course, that was the beginning of my experience. The people on the other end seemed very friendly and understanding, but to get out of my predicament, I had to make the first of what turned into several "investments."

Despite the name, the initial ransom portion of the attack is rarely presented as such. Instead, a victim's data is reported as locked, and the money required to unlock the data is presented as payment for services intended to help.

In my situation, the initial investment was about $400, plus $4 a month for a year to obtain the firm's "security services." They sent me a document with contact information and the promise that, if I experienced additional issues, I could call the number provided and receive assistance. Regrettably, to unlock my laptop I had to turn over control of the system to the company.

Mistake No. 2. Never relinquish control of your system to someone else, especially someone you don't know. Unbeknownst to me, while the repairs were being made, my saviors were in fact surfing inside my system, looking for passwords and other access mechanisms, further complicating my recovery plan down the line.

Soon, my laptop was "fixed" and returned to me. All seemed well at that time. True, I was out $400 and an additional $50 for the coming year, but I mistakenly thought my troubles were over.


A few days later, I made the error of answering my phone when the incoming caller ID said "unavailable."

Mistake No. 3. If it's not a number or message you know, don't answer it. One of the most difficult aspects of ransomware attack recovery, along with the fact that you might not realize your data is being attacked, is that as long as lines of communication are open, the attack will continue. I took the call, and it was the same firm that had rescued me before. But this time it was a new and well-practiced message.

They claimed to have accidentally "credited" me with $3,000 and wanted me to return their money. What I didn't realize at that moment -- and subsequently learned, to my horror -- was that they had gotten into my bank accounts and moved $3,000 from one account to another, claiming they had accidentally credited my account. In the moment I panicked, as they threatened to lock up my system again if I didn't send them the money.

All sense of reason left me at that time, so I proceeded to obtain Google cash cards and moved $2,000 onto those cards. Attackers are counting on this sort of reaction in order to keep getting payments from a victim, so remaining calm is key to ransomware attack recovery.

Next, I put those cards on my printer/scanner, and the firm scanned the Google cards to get the funds. Needless to say, they wanted more.

They told me that they had installed software in my system that they could activate at any time to lock up my computer. By this time, I had paid them $2,400. I searched my C drive and found the software, but couldn't delete it, as it required a password I didn't have. During this time I still didn't shut down my system.

When I finally turned off the system and powered it back on, it seemed to be operating normally. But, of course, the firm had already accessed passwords and other security articles.

Ransomware attack recovery and aftermath

I stopped answering calls from unknown numbers and took the system to a local Best Buy where they had a Geek Squad in operation. I purchased a $200 service contract that was good for one year. The Geek Squad took my laptop, and by the next day, they had removed the bad software, cleaned my system and installed an ad blocker and a stronger firewall as compared to the existing software in my laptop. A day later, I returned to the Best Buy and bought another laptop for $700, configured similarly to my regular laptop and had the Geek Squad install the same security tools and ad blocker they installed on my primary system.

Once I dealt with the technology aspect of my ransomware response, I began to address the financial repercussions. I contacted my bank, which froze my accounts until I could sort out my computer security issues. I also changed passwords, and have since been much more diligent when spending time on the internet.

By drawing out the ransomware process, my attackers were not only able to keep asking me for more money, but also make my eventual recovery more difficult. The more time they have to occupy your system, the harder it will be for you to recover data and get back to business as usual. Below are some of the key takeaways I learned:

  • Stay away from suspicious and unfamiliar websites. They could be a front for hackers ready to launch phishing and ransomware attacks.
  • If something threatens the system, shut down the device immediately and disconnect it from the internet.
  • Install ad blocker software to reduce the likelihood of surfing to a risky website.
  • Install military-grade security software and as strong a firewall as you can afford.
  • If you think you might have been the victim of a ransomware attack, don't answer calls with caller ID messages like "unavailable" and "restricted." If possible, answer only calls from a caller you know until the issue is sorted out.
  • These kinds of incidents can happen to virtually anyone, and the hackers know this. They will have formulated scripts that are very compelling when dealing with victims and designed to induce panic that may make you more inclined to pay up.

My experience cost me almost $3,500 -- a very costly lesson coming from carelessness and the belief that my system was secure.
