Ransomware

What is ransomware? What should you do if it takes control of your system?

What is Ransomware?

Ransomware is a type of malware that takes control of a victim's files or computer and demands payment to restore access. One kind, known as "scareware," tries to convince users that they must pay to remove viruses from their computer. Lockscreen ransomware locks the victim out of their computer, usually with a message bearing the seal of the FBI or Department of Justice claiming that criminal activity was detected on the machine and that the user must pay a fine to regain access. Tips on removing these kinds of ransomware are linked here. This article focuses on the worst form of ransomware, which encrypts your files and forces you to pay the cybercriminals within a certain amount of time in exchange for the decryption key.

Preventative steps 

  • Educate yourself and everyone who uses your technology about phishing and social engineering. Like other types of malware, ransomware is often spread through email attachments and links.
  • Use spam filters, scan emails, and block executable files from being received over email to lessen the chance that an email carrying ransomware will reach your inbox.
  • Monitor your computer's activity vigilantly. Use a file monitoring service to detect files being altered in rapid succession, as this can be a sign of ransomware going to work.
  • Make sure user, folder, and file permissions are set, and always work with the lowest possible privilege level.
  • Most importantly, make regular and consistent backups and verify that restores work. Cloud storage can itself be encrypted by ransomware, so don't depend on it alone to recover your files. Instead, use a cloud-to-cloud backup service that supports file versioning so you can revert files to an earlier version.
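The "files altered in succession" signal from the monitoring step above, shown as an added example that is not part of the original post: a sliding-window detector that alerts when many distinct files are rewritten inside a few seconds, and counts how many of those writes also changed the file extension. The event feed is an assumption (a real deployment would take timestamps and paths from inotify, auditd, or an EDR agent); here the events are constructed inline.

```python
"""Sliding-window detector for the 'files altered in succession' signal.

Added example (not the original post's code). The event feed is assumed:
a real deployment would pull (timestamp, path, new extension) from inotify,
auditd, or an EDR agent; here the events are constructed inline.
"""
from collections import deque
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class FileEvent:
    ts: float        # seconds since epoch when the write happened
    path: str        # file that was written
    new_ext: str     # extension after the write, or "" if it did not change


WINDOW_SECONDS = 10.0   # look-back window for "in succession"
THRESHOLD = 20          # distinct files modified inside one window


def detect_bursts(events: Iterable[FileEvent],
                  window: float = WINDOW_SECONDS,
                  threshold: int = THRESHOLD) -> List[Tuple[float, int, int]]:
    """Return (alert_time, distinct_files, renamed_files) for each burst.

    A burst is `threshold` or more distinct files written inside `window`
    seconds. Only one alert is raised per window so a single encryption run
    does not produce an alert per file. renamed_files counts writes that also
    changed the extension, which is typical of encrypting ransomware but not
    of a user saving documents.
    """
    recent: deque = deque()
    alerts: List[Tuple[float, int, int]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        recent.append(ev)
        while ev.ts - recent[0].ts > window:   # evict events older than the window
            recent.popleft()
        distinct = {e.path for e in recent}
        if len(distinct) >= threshold and (not alerts or ev.ts - alerts[-1][0] > window):
            renamed = sum(1 for e in recent if e.new_ext)
            alerts.append((ev.ts, len(distinct), renamed))
    return alerts


def benign_events() -> List[FileEvent]:
    """Constructed sample: a user saving five documents over a minute."""
    return [FileEvent(15.0 * i, f"/home/user/docs/report{i}.docx", "") for i in range(5)]


def ransomware_like_events() -> List[FileEvent]:
    """Constructed sample: fifty files rewritten with a new extension in five seconds."""
    return [FileEvent(100.0 + 0.1 * i, f"/home/user/docs/file{i}.xlsx", ".locked")
            for i in range(50)]


if __name__ == "__main__":
    print("benign:", detect_bursts(benign_events()))
    print("suspicious:", detect_bursts(benign_events() + ransomware_like_events()))
```

The threshold and window are tuning knobs: a build server or a backup job legitimately touches hundreds of files per second, so in practice you scope the detector to user document folders and shares, and treat a high renamed-file count as the stronger signal.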

What to do if you are infected

  • Isolate the affected computer immediately.
  • Isolate and power off any devices that may not have been corrupted completely.
  • Take backup data or systems offline.
  • Contact the Technology Help Desk at x5700 and let them know your computer has been infected with ransomware. You can also contact law enforcement.
  • Determine the scope of the infection: Did the infected machine have access to shared or unshared drives or folders, network storage of any kind, external hard drives, or cloud-based storage? Check these for signs of encryption. Even if those locations have been encrypted, the good news is that the ransomware generally cannot spread from them to other computers on its own the way a worm would.
  • Use the ransom message and any other clues you have to identify the ransomware strain with a Google search.
  • Check online to see whether anyone has released an unlocker/decrypter for this strain. It is unlikely, but worth a try.
  • Locate backups, wipe and rebuild your computer, and restore. If you don't have a backup and you were hit by an older ransomware strain, you might be able to recover some files from shadow copies or other sources, so do some research.
  • If you can't restore and can't find an unlocker, you have two choices:
    • Do nothing. If you can live without the files that were encrypted, wipe and rebuild your computer to get rid of the ransomware. You can make a backup of the corrupted files just in case someone comes out with an unlocker for that strain in the future. 
    • Pay the ransom. If the files are too valuable, you can try paying the ransom, keeping in mind that the criminals might not give you the decryption key even after you pay and that you are financing further cybercrime attacks.
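For the "check these for signs of encryption" step above, here is an added example (not code from the original post) of a scope-determination scan: it walks a directory tree and flags files whose content looks like ciphertext, using Shannon entropy as the signal. Compressed and media formats are high-entropy by design, so they are skipped by extension; that shortcut is the caveat to remember, because the scan produces candidates for a person to confirm, not proof of encryption. The sample share is constructed in a temporary directory.

```python
"""Scope-determination helper: find files on a share that look encrypted.

Added example (not the original post's code). Encrypted output is close to
uniformly random, so its Shannon entropy approaches 8 bits per byte; a
document, spreadsheet or source file sits well below that. Compressed or
already-random formats (archives, images, video) are also high-entropy, so
they are skipped by extension here. The sample tree is constructed.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from typing import List, Tuple

ENTROPY_THRESHOLD = 7.5      # bits per byte; plaintext documents are far lower
SAMPLE_BYTES = 65536         # read only the head of each file
# Formats that are high-entropy by design and would otherwise be false positives.
# Extension matching is a shortcut; magic-byte sniffing is more robust.
NATURALLY_DENSE = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png", ".mp3", ".mp4"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> Tuple[bool, float]:
    """Return (flagged, entropy) for one file; dense formats are never flagged."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    ent = shannon_entropy(head)
    ext = os.path.splitext(path)[1].lower()
    return (ent >= ENTROPY_THRESHOLD and ext not in NATURALLY_DENSE), ent


def scan_tree(root: str) -> List[Tuple[str, float]]:
    """Walk root and return (path, entropy) for every file that looks encrypted."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hit, ent = looks_encrypted(path)
            if hit:
                flagged.append((path, round(ent, 3)))
    return sorted(flagged)


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def make_demo_tree() -> str:
    """Build a constructed sample share: one document, one photo, one 'encrypted' file."""
    root = tempfile.mkdtemp(prefix="ransom-scope-")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("Quarterly numbers and meeting notes.\n" * 200)
    dense = _pseudo_random(SAMPLE_BYTES)
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:          # high entropy, expected
        fh.write(dense)
    with open(os.path.join(root, "report.docx.locked"), "wb") as fh:  # high entropy, unexpected
        fh.write(dense)
    return root


if __name__ == "__main__":
    for path, ent in scan_tree(make_demo_tree()):
        print(f"{ent:.3f} bits/byte  {path}")
```

Run it against a mounted share or external drive root rather than the demo tree to get a list of candidates, then sort by modification time: a cluster of high-entropy files all written within the same few minutes is the pattern to look for.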

The best way to combat ransomware is to consistently back up your data. If you are infected, move quickly, and there is a chance you can recover your data.