Ransomware is one of the most pervasive cyber threats, typically targeting private sector organisations that rely on computer systems to operate. Files and electronic devices are encrypted, rendering them inaccessible unless a ransom is paid, often in the form of untraceable cryptocurrencies such as Bitcoin.
The Australian Cyber Security Centre (ACSC) provides a guide to identifying, removing, and protecting yourself against ransomware.
Should I pay the ransom?
A critical question that will arise if you are the victim of a ransomware attack is whether you should pay the ransom to recover your data.
The official advice from the ACSC is to never pay a ransom. There is no guarantee you will regain access to your information, and you may also be targeted by another attack.
Guide to handling a ransomware attack
There are seven key steps in responding to a ransomware attack. Steps one to six involve identifying the ransomware and stopping it from spreading, while step seven covers actions to take to avoid another ransomware attack.
Step 1: Disconnect your devices
This step involves removing network and data cables, USBs and dongles, and disabling wireless connections such as Wi-Fi, cellular data and Bluetooth. This will help to disrupt the communication of the ransomware and limit its spread to other devices.
Step 2: Stop the ransomware
First, take photos of key details such as the ransom note, web links, emails, or Bitcoin addresses, with an unaffected mobile device or camera.
If you have an Apple device or if your device is not responding, hold down the power button to turn it off.
If you have a Microsoft Windows 10 device, follow the Terminate ransomware programs with Task Manager (for Windows 10) guide to identify and force quit suspicious programs.
Step 3: Run a malware scan
You may have malware removal included with paid antivirus software, or a built-in malware scanner for your system, such as Microsoft Defender Antivirus for Microsoft Windows 10.
Find your scanning tool, launch a malware scan and delete any malware it identifies. While the scan runs, take photos or notes of any suspicious programs, files, pop-ups and other key details you encounter.
If you don’t know where to start, simply search your computer for key terms such as “Microsoft Defender” or “Antivirus”. A step-by-step guide to performing a malware scan is available for Microsoft Defender Antivirus.
Step 4: Write down key details
Take note of the date and time of the attack, file details, and affected devices. Note what you were doing immediately before the first signs of ransomware. Also, note the time you disconnected your device, and record other actions you have taken to manage the attack.
This will complement other details you have already recorded such as photos of the ransom note or link, and will help you to seek professional help, report the incident, make claims, and inform key stakeholders.
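As an added example (not part of the ACSC guide), the following PowerShell script carries out the Windows 10 side of Steps 1 to 4 from an elevated session on the affected machine and writes a timestamped record as it goes, so the notes Step 4 asks for are produced by the same actions that disconnect, snapshot and scan the device. The evidence path E:\ransomware-incident, the function names and the data-folder filter are assumptions; the cmdlets used (Disable-NetAdapter, Get-FileHash, Start-MpScan, Get-MpThreatDetection) are part of the built-in NetAdapter and Defender modules. The Apple and unresponsive-device cases in Step 2 are not covered here; for those the power button is the tool.

```powershell
# Added example, not from the ACSC guide. Assumes an elevated PowerShell 5.1
# session on the affected Windows 10 machine, the built-in NetAdapter and
# Defender modules, and an unaffected USB drive mounted as E: (assumed path).
$EvidenceDir = "E:\ransomware-incident"
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$IncidentLog = Join-Path $EvidenceDir "incident-log.txt"

function Write-IncidentLog {
    # Step 4: every action gets a timestamped line in the responder's record.
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss zzz}  {1}" -f (Get-Date), $Message
    Add-Content -Path $IncidentLog -Value $line
    Write-Host $line
}

function Disconnect-AllNetworks {
    # Step 1: disable every adapter that is up (Ethernet, Wi-Fi, Bluetooth PAN,
    # cellular) so the ransomware cannot spread or reach its operator.
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
        Write-IncidentLog "Disabling adapter '$($_.Name)' ($($_.InterfaceDescription))"
        Disable-NetAdapter -Name $_.Name -Confirm:$false
    }
}

function Save-ProcessSnapshot {
    # Step 2, evidence first: record every process with its image path and
    # SHA-256 before anything is terminated, so the details survive the cleanup.
    $snapshot = foreach ($p in Get-Process) {
        $path = $p.Path
        $hash = ''
        if ($path -and (Test-Path $path)) {
            $hash = (Get-FileHash -Algorithm SHA256 -Path $path -ErrorAction SilentlyContinue).Hash
        }
        $started = $null
        try { $started = $p.StartTime } catch { }   # access denied for some system processes
        [pscustomobject]@{ Id = $p.Id; Name = $p.Name; Path = $path; Sha256 = $hash; StartTime = $started }
    }
    $out = Join-Path $EvidenceDir "processes.csv"
    $snapshot | Export-Csv -Path $out -NoTypeInformation
    Write-IncidentLog "Saved process snapshot ($($snapshot.Count) entries) to $out"
    return $snapshot
}

function Stop-SuspiciousProcess {
    # Step 2: force-quit a process the responder has identified from the
    # snapshot or Task Manager, logging what was stopped and where it ran from.
    param([Parameter(Mandatory)][int]$ProcessId)
    $p = Get-Process -Id $ProcessId -ErrorAction Stop
    Write-IncidentLog "Stopping PID $($p.Id) '$($p.Name)' from '$($p.Path)'"
    Stop-Process -Id $p.Id -Force
}

function Invoke-DefenderScan {
    # Step 3: run a full Microsoft Defender Antivirus scan and keep its findings.
    Write-IncidentLog "Starting Microsoft Defender full scan"
    Start-MpScan -ScanType FullScan
    $detections = @(Get-MpThreatDetection)
    foreach ($d in $detections) {
        Write-IncidentLog "Defender detection: threat $($d.ThreatID) at $($d.InitialDetectionTime); resources: $($d.Resources -join ', ')"
    }
    $detections | Export-Csv -Path (Join-Path $EvidenceDir "defender-detections.csv") -NoTypeInformation
    Write-IncidentLog "Scan finished with $($detections.Count) detection(s)"
}

# The steps in the order the guide gives them. Review the listing (or Task
# Manager) and call Stop-SuspiciousProcess -ProcessId <pid> for anything you
# identify before starting the scan.
Write-IncidentLog "Ransomware response started on $env:COMPUTERNAME by $env:USERNAME"
Disconnect-AllNetworks
$processes = Save-ProcessSnapshot
# Processes running from outside the Windows directory are the ones worth a second look.
$processes | Where-Object { $_.Path -and $_.Path -notlike "$($env:SystemRoot)\*" } | Format-Table Id, Name, Path -AutoSize
Invoke-DefenderScan
Write-IncidentLog "Responder actions complete; hand $EvidenceDir to your IT professional"
```

The snapshot is written before any process is stopped, so the image paths and hashes of whatever was running are preserved even if the responder later terminates the wrong thing. Stop-SuspiciousProcess is deliberately not called automatically: the guide asks you to identify suspicious programs, and the listing and Task Manager are the inputs to that decision.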
Step 5: Get professional help
Find an IT professional with experience in handling ransomware attacks, and give them the details from step 4. A professional will be able to assist you with:
- Backing up your data:
- Tell them whether you have an existing, unaffected backup of your files, and work with them to restore your files from it.
- If you don’t have an unaffected backup, the professional can back up the encrypted files, and search for a decryption tool.
- Ensuring the malware is removed.
- Reconnecting unaffected devices to the internet and updating your operating system and software.
Step 6: Notify and report
Using your notes from step 4:
- Contact your legal provider to assist you in contacting your customers, clients, and suppliers.
- Contact anyone affected by the compromise including staff, colleagues, family, and friends.
- Report the incident to ReportCyber.
- If required under law, report any data breach to the Office of the Australian Information Commissioner.
- If you think your bank account or credit card details are at risk, contact your financial institution. They may be able to stop a transaction or disable your account.
Step 7: Protect yourself from future ransomware attacks
This step involves measures such as:
- Updating your device and turning on automatic updates.
- Enabling multi-factor authentication.
- Performing regular backups.
- Controlling who can access what on your devices.
- Turning on ransomware protection.
- Completing the Cyber security emergency plan.
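As an added example (not part of the ACSC guide), the following PowerShell script checks and enables the Step 7 measures that can be managed locally on Windows 10: real-time protection, the Windows Security "Ransomware protection" setting (which is Microsoft Defender's Controlled folder access), signature age, last full scan and the automatic-updates level. The function names and the D:\CompanyData folder are assumptions; Get-MpComputerStatus, Get-MpPreference, Set-MpPreference and Add-MpPreference are Defender module cmdlets, and the automatic-updates level is read through the Windows Update Agent COM object (Microsoft.Update.AutoUpdate). Multi-factor authentication, access control and backups are policy and tooling choices outside one machine's settings and are not covered.

```powershell
# Added example, not from the ACSC guide. Assumes an elevated PowerShell 5.1
# session on Windows 10 with the built-in Defender module. Folder path is assumed.

function Get-RansomwarePostureReport {
    # Collects the settings a responder checks before declaring a machine
    # protected again. Returns an object so it can be logged or compared later.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $au     = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
    [pscustomobject]@{
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        SignatureAgeDays       = $status.AntivirusSignatureAge
        LastFullScan           = $status.FullScanEndTime
        ControlledFolderAccess = $pref.EnableControlledFolderAccess      # 0 = off, 1 = on, 2 = audit
        ProtectedFolders       = $pref.ControlledFolderAccessProtectedFolders
        AutomaticUpdatesLevel  = $au.NotificationLevel                   # 4 = download and install automatically
    }
}

function Enable-RansomwareProtection {
    # "Turning on ransomware protection" in Windows Security is Defender's
    # Controlled folder access: only trusted apps may write to protected folders.
    # Real-time monitoring is required for it to take effect.
    param([string[]]$ProtectedFolders = @())
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -EnableControlledFolderAccess Enabled
    foreach ($folder in $ProtectedFolders) {
        if (Test-Path $folder) {
            # Documents, Pictures, Videos, Music and Desktop are protected by
            # default; business data on other drives has to be added explicitly.
            Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
        } else {
            Write-Warning "Skipping '$folder': path does not exist"
        }
    }
}

function Test-AutomaticUpdatesOn {
    # Automatic updates are on when Windows is set to download and install
    # on its own (NotificationLevel 4 in the Windows Update Agent settings).
    $au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
    return ($au.NotificationLevel -eq 4)
}

# Show the posture, fix what can be fixed from here, then show it again.
Get-RansomwarePostureReport | Format-List
Enable-RansomwareProtection -ProtectedFolders @("D:\CompanyData")   # assumed data folder
if (-not (Test-AutomaticUpdatesOn)) {
    Write-Warning "Automatic updates are not set to install automatically; turn them on under Settings > Update & Security."
}
$after = Get-RansomwarePostureReport
if ($after.SignatureAgeDays -gt 7) {
    Write-Warning "Defender signatures are $($after.SignatureAgeDays) days old; run Update-MpSignature once the device is back online."
}
$after | Format-List
```

Run the report before and after enabling protection and keep both outputs with the incident notes from Step 4; the before-and-after comparison is the evidence that the device was actually hardened, not just scanned. Controlled folder access can block legitimate software that writes to protected folders, so the audit mode value (2) is the usual first setting on a machine with unfamiliar line-of-business applications.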
If you are the victim of a ransomware attack, the advice from the ACSC is that you should not pay the ransom. Rather, you should follow the steps outlined above to identify the ransomware and stop it from spreading, and to avoid future attacks. You also have responsibilities to inform key stakeholders, and there may be reporting requirements under law, especially if your business holds sensitive information.