To Pay Ransomware or Not?

March 19, 2015

One of our security partners, Sophos — the developer of the Sophos Cloud End-User Protection software we use in our Flex-IT End-User Security Program — posed the following question given the recent resurgence of ransomware infections:

Should victims of locked-screen ransomware or file encrypting ransomware like CryptoLocker and CryptoWall pay the ransom to get their files back?

We generally agree with our partner’s assessment that if it is the only way to get critical files back, then you have no choice but to pay the ransom and hope for the best.

But if you’ve followed my advice through the years, you will have backups in place that at most would lose a day’s worth of data.

If you haven’t backed up, and you need those files to run your business or the encrypted data includes sentimental photos or other irreplaceable files, you’ll have to pay the ransom. In most cases, you will get the key needed to decrypt your files.

But there is more to it than just paying the ransom. The question that wasn’t addressed was what do you do before and after you’ve retrieved your files?

The answer is that you must get the ransomware off of the computer, of course, but you can't just run an anti-virus program to do that.

Because of the possibility that the hackers have left malware on your computer, and because you know it’s already evaded your anti-virus software in the first place, you need to completely erase the hard drive and replace everything — operating system, files, programs, peripherals — to ensure no remnants remain that could come back to life.

You would need to do this regardless of whether you paid the ransom or not.

To recap, you should do the following if your computer is infected with ransomware:

  1. As soon as you see warnings and demands to pay a fee or fine, disconnect the network cable from the computer and/or try to turn off the wireless connection, and turn the computer off — encryption ransomware will search your network for encryptable files on mapped drives, including file servers
  2. Check files on network drives to see if you can open them — if not, immediately begin the recovery process from a backup prior to the encryption
  3. If no backup exists, you will have to pay the ransom if you need the files — the instructions will be in documents left by the hackers on your computer
  4. Once your files have been recovered, start up the infected computer without connecting to your network and begin the process of erasing the hard drive and restoring it to factory condition
  5. After restoration, re-connect the computer to the network and be sure to install the latest updates for Windows, third-party applications, and anti-virus software
  6. Don’t open unsolicited file attachments — the most common access point for ransomware
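Step 2 above says to check whether files on network drives still open. The script below is an added example, not part of the original post or of Sophos's tooling: it walks a directory (for instance a mounted share) and flags files whose leading bytes no longer match what their extension promises, or whose content is near-random and carries an extension it does not recognise. The magic-byte table, the entropy cut-off of 7.5 bits per byte, and the sample files it builds are all constructed assumptions for demonstration; the zip-based `.docx` is included deliberately to show why a known format is judged by its header rather than by entropy alone.

```python
import math
import os
import tempfile
import zipfile
from collections import Counter
from pathlib import Path

# Constructed lookup of leading "magic" bytes for a few common document types.
# Assumption: a real deployment would use a fuller table (or libmagic).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path: Path, sample_size: int = 4096) -> dict:
    """Classify one file: header mismatch for a known type, high entropy for an unknown one."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    expected = MAGIC.get(path.suffix.lower())
    entropy = shannon_entropy(head)
    if expected is not None:
        # Known type: trust the header, not the entropy (zip-based Office files are legitimately dense).
        reason = None if head.startswith(expected) else "header mismatch"
    else:
        # Unknown or renamed extension: only near-random content is suspicious.
        reason = "high entropy" if entropy > ENTROPY_THRESHOLD else None
    return {"path": path, "entropy": round(entropy, 2), "reason": reason}


def scan_tree(root: Path) -> list:
    """Walk a directory tree and return only the files flagged as suspicious."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        result = inspect_file(path)
        if result["reason"]:
            findings.append(result)
    return findings


def build_sample_share(root: Path) -> None:
    """Constructed sample data: three intact files and two that stand in for encrypted ones."""
    (root / "quarterly.pdf").write_bytes(b"%PDF-1.4\n" + b"Revenue by region\n" * 200)
    (root / "notes.txt").write_bytes(b"Meeting notes: call the auditor on Monday.\n" * 100)
    with zipfile.ZipFile(root / "memo.docx", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document>hello</w:document>" * 50)
    # Random bytes simulate ciphertext; this is constructed data, not real ransomware output.
    (root / "contract.pdf").write_bytes(os.urandom(4096))
    (root / "budget.xlsx.locked").write_bytes(os.urandom(4096))


def flagged_names(root: Path) -> list:
    """Relative names of flagged files, sorted, for reporting."""
    return [str(f["path"].relative_to(root)) for f in scan_tree(root)]


def demo_scan() -> list:
    """Build the constructed share in a temporary directory and return what gets flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        build_sample_share(share)
        return flagged_names(share)


if __name__ == "__main__":
    for name in demo_scan():
        print(f"suspicious: {name}")
```

Point `scan_tree` at the root of each mapped drive from a clean machine before deciding between restoring from backup and step 3; a burst of header mismatches across many directories is the signal that the share was reached, whereas a single high-entropy file with an odd extension deserves a closer look but is not proof on its own.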