Ransomware - What to Do When Your Data Is Encrypted?

You turn on your computer and see a message: "Your files have been encrypted. Pay $5000 in Bitcoin to recover them." What now?

Don't panic. This article will guide you through the proper response to a ransomware attack.

First 15 Minutes - What to Do Immediately

1. Disconnect from Network

This is the most important step. Ransomware often spreads to other devices on the network.

• Unplug the network cable
• Turn off WiFi
• Disconnect external drives (if not already encrypted)

2. DON'T Turn Off the Computer

Counterintuitively - leave the computer on. RAM memory may contain encryption keys needed for data recovery.

3. Take a Photo of the Screen

Photograph the ransomware message with your phone. It will be needed for:

• Identifying the type of ransomware
• Police report
• Contact with specialists

4. Note the Encrypted File Extension

Check what the encrypted files are named (e.g., .locky, .crypted, .encrypted). This helps identify the ransomware type.

What Absolutely NOT to Do

DON'T Pay the Ransom

• No guarantee you'll get the key
• You're funding criminals
• You might become a "regular customer"
• In ~30% of cases data isn't decrypted despite payment

DON'T Try to Remove Ransomware Yourself

Without knowledge you might:

• Destroy keys in memory
• Delete files needed for recovery
• Trigger additional encryption

DON'T Format the Drive

That's a last resort. First check if data can be recovered.

How to Identify Ransomware

Identification Tools:

1. ID Ransomware (id-ransomware.malwarehunterteam.com) - upload an encrypted file
2. No More Ransom (nomoreransom.org) - Europol project with free decryptors

Why Is This Important?

For many types of ransomware, free decryption tools exist. Criminals make mistakes, keys leak, authorities seize servers.

Data Recovery Options

1. Check Backup

Do you have a backup? That's the best option:

• Cloud backup (if not connected during attack)
• External drive disconnected from computer
• Backup on another device

2. Shadow Copies (Windows)

Windows sometimes keeps previous file versions:

• Right-click folder → Properties → Previous Versions
• Use ShadowExplorer tool

Note: many ransomware delete shadow copies, but worth checking.

3. Free Decryptors

Check No More Ransom - they have decryptors for 150+ types of ransomware.

4. Professional Recovery

If data is critical - contact specialists. Sometimes it's possible to:

• Recover data from damaged sectors
• Find encryption vulnerabilities
• Use forensic techniques

Reporting the Incident

Report to Local Authorities

• Contact your local cybersecurity agency
• They'll help identify the ransomware
• They'll warn others

File a Police Report

• It's a crime
• Even if they don't catch the perpetrators - statistics help fight cybercrime

How to Protect Yourself in the Future

3-2-1 Rule

• 3 copies of data
• 2 different media types
• 1 copy offline (disconnected from network)

Updates

90% of attacks exploit known vulnerabilities. Update:

• Operating system
• Browser
• Office software

Training

Most ransomware arrives through:

• Email attachments
• Fake websites
• Pirated software

For Businesses - Additional Steps

Response Plan

Prepare in advance:

• Who makes decisions?
• Who contacts IT?
• How to communicate with clients?

Network Segmentation

Separate critical systems from the rest of the network - limits spread.

Backup Testing

Regularly test if backup works and if data can be restored from it.

Summary

A ransomware attack is a stressful situation, but not hopeless:

1. Disconnect from network - immediately
2. Don't pay - look for alternatives
3. Identify - there might be a free decryptor
4. Check backup - best option
5. Report - help others

The best defense is prevention: backup, updates, caution.

---

Victim of ransomware? Contact us - we'll help assess the situation and plan data recovery.