A ransomware attack can be debilitating, regardless of whether the victim is a one-person business or a large multinational company. Seeing a screen announcing that systems are compromised, or trying to open encrypted files and being met with a demand for money to unlock or decrypt them, creates nothing short of total panic. Without access to corporate files and systems, work stops, and the business is seriously harmed.
Knowing how to detect, respond to and remove ransomware, should an attack occur, is key to minimizing damage.
How to detect a ransomware attack
Prevention is key. Once ransomware has infected a system, it can be difficult, if not impossible, to remove. However, ransomware is often detected only after it is announced by the attacker, for example, via a pop-up on the screen.
Other ransomware infection indicators include alerts from antimalware software, lagging system performance, blocked access to files and anomalous network behavior.
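As an added example (not part of the article), the indicators above can be checked on an endpoint with a small script: it counts high-entropy files, flags a burst of them sharing one new extension and looks for a dropped ransom note. The thresholds, keywords and sample files are assumptions constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
# Assumed thresholds (not from the article). Compressed files also score high
# on entropy, so an extension burst and a ransom note are weighed alongside it.
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data approaches 8
NOTE_KEYWORDS = ("decrypt", "bitcoin", "ransom")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0 to 8) of the buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_directory(root: str, min_burst: int = 5) -> dict:
    """Walk a tree and collect indicators: number of high-entropy files,
    extensions shared by at least min_burst of them, and ransom notes."""
    high_entropy, ext_counter, notes = 0, Counter(), []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)  # first 64 KiB is enough to judge
            ext = os.path.splitext(name)[1].lower()
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                high_entropy += 1
                ext_counter[ext] += 1
            elif ext in (".txt", ".html", ".hta"):
                text = head.decode("utf-8", errors="ignore").lower()
                if sum(k in text for k in NOTE_KEYWORDS) >= 2:
                    notes.append(path)
    burst = sorted((e, c) for e, c in ext_counter.items() if c >= min_burst)
    return {"high_entropy": high_entropy, "extension_burst": burst, "ransom_notes": notes}

def suspected_ransomware(report: dict) -> bool:
    return bool(report["extension_burst"]) or bool(report["ransom_notes"])

def build_sample_tree() -> str:
    """Constructed sample: three plain reports, six 'encrypted' files, one note."""
    root = tempfile.mkdtemp()
    sample = {f"report{i}.txt": b"quarterly figures " * 200 for i in range(3)}
    sample.update({f"doc{i}.docx.locked": os.urandom(4096) for i in range(6)})
    sample["HOW_TO_DECRYPT.txt"] = b"Your files are encrypted. Pay 1 bitcoin to decrypt."
    for name, content in sample.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root
```

Run `suspected_ransomware(scan_directory(build_sample_tree()))` to see the sample tree flagged; pointing `scan_directory` at a real user directory gives a quick triage signal, not a verdict.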
Can ransomware be removed?
Ransomware removal is challenging. Sometimes it is possible to remove ransomware; sometimes it is impossible to eliminate the malware from the systems it infected. The key is to minimize the likelihood that any kind of malware, including ransomware, penetrates the network in the first place. Accomplish this by adhering to the following security best practices:
- Do not connect devices to an infected or suspicious network.
- Do not access websites that appear suspicious.
- Do not open attachments on suspicious emails.
- Do not click on links in emails, posts on social media or other potentially dangerous messages.
- Do not install pirated or unknown software and content.
- Do not talk to perpetrators or pay ransom demands.
- Do install antimalware software on the system and keep software up to date.
- Do configure firewalls with strong security settings and regularly updated rules.
- Do back up files and OSes in secure locations; consider using cloud storage for backups.
- Do store copies of files on a separate external drive.
- Do periodically run tests of networks to identify suspicious activity.
Steps to remove a ransomware infection
Ransomware attacks will inevitably make it past security defenses, regardless of proper preparation and security hygiene. At this point, it is critical to detect the attack as early as possible and prevent it from spreading to other systems and devices.
Individuals and organizations alike can follow these steps for removing ransomware. Employees hit by ransomware should notify their manager and help desk team immediately.
Step 1. Isolate the infected device
Immediately disconnect the affected device from any wired or wireless connections, including the internet, networks, mobile devices, flash drives, external hard drives, cloud storage accounts and network drives. This will prevent ransomware from spreading to other devices.
Also, check if any devices connected to the infected device were infected by the ransomware.
If a ransom has not yet been demanded, remove the malware from the system immediately. If a ransom has been demanded, be cautious about engaging with the perpetrators, if at all. Many sources, including the FBI, recommend against paying the ransom.
Step 2. Determine the type of ransomware
Knowing which strain of ransomware infected the device can help in remediation efforts. If device access is blocked, as in locker ransomware, this may not be possible. The infected device may need to be examined by an experienced security professional or diagnosed with a software tool. Some tools are available as freeware, while others require a paid subscription.
Step 3. Remove the ransomware
Before recovering the system, the ransomware must be removed. During the initial compromise, the ransomware infects a system and encrypts files, locks system access or both. Only a password or decryption key will lift that restriction.
There are a few options for ransomware removal:
- Check if the ransomware is deleted. Ransomware sometimes deletes itself after it has infected a system; other times, it stays on a device to infect other devices or files.
- Use antimalware/anti-ransomware. Most antimalware and anti-ransomware software can quarantine and remove the malicious software.
- Ask security professionals for help. Work with a security professional, either at the organization or third-party tech support, to assist with ransomware removal.
- Remove it manually. If possible, check the software installed on a device, and uninstall the ransomware file. This is recommended only for seasoned security professionals.
Note that, even if ransomware is removed, it may still be difficult to access encrypted files. Ransomware decryption tools are available, and many antimalware and anti-ransomware options offer this feature. But keep in mind that decryption tools are not available for every strain of ransomware.
As part of forensic activities, IT teams should perform a detailed scan of the device or system to ensure no ransomware remnants remain. It may be necessary to quarantine affected devices to ensure they are thoroughly cleaned before returning them to service.
Step 4. Recover the system
Recover files by restoring a previous version of the OS from before the attack occurred. If backups were not encrypted or locked, restore them using the System Restore function. Note that any files created after the last backup date will not be recovered.
Most mainstream OSes have tools to recover files and provide other capabilities to restore compromised systems.
After recovering the system, be sure to do the following: