Of all the common PC security threats today, ransomware may be the most pernicious and painful for users. Not only can it lock up your device and prevent you from accessing your PC and data, but it can also send all your data to attackers over the internet and potentially give them access to your online accounts through the saved credentials in your browser.
CBS News just ran an excellent piece on Scattered Spider, a organized group of hackers that held Las Vegas casinos hostage, shutting down their hotels and gambling machines. Your PC is a less alluring target, but it’s still wise to prepare for the worst.
For victims of ransomware, the sudden sense of panic as the screen displays a message that the PC has been infected—and they must pay to regain control—typically turns to rage as they attempt to get to their files back and then realize the awful truth. If you’ve been hit ransomware, keep your cool and don’t send any money to the attackers.
In this guide, we’ll give you important tips to prevent a ransomware attack, and the tell you what to do if your PC is ever infected.
Further reading: PCWorld’s top picks for security software suites
How to prevent a ransomware attack
As I explained in my lexicon of security terms, ransomware is a type of malware that locks you out of your system with the intention of extorting money from you to liberate your machine and files. The best time to deal with a ransomware attack is before one even happens. Here are four things you can do to avoid being a victim in the first place, or be better prepared to quickly recover if you do end up falling prey.
1. Keep your data in the cloud
By keeping all your important data online instead of fully relying on local storage, you’ll be less vulnerable to losing anything you care about if your hard drive is ever maliciously encrypted (or simply fails). In my case, I’ve been using a redundant hybrid cloud setup for years because I switch computers frequently. Because all my photos and files are stored and backed up in a few places—both in my home and in the cloud—I have no trouble setting up a new PC and wiping an old one any time I feel like it.
2. Use a firewall
Modern Wi-Fi routers with robust firewalls can help take the sting out of phishing attacks and clicking bad links. This is especially important if you have kids or other users in the household who might be prone to clicking malicious links. Consider choosing a router with strong firewall features, such as the Orbi 970, which includes a BitDefender-backed security service that automatically detects known malicious sites and won’t let you load them in your browser.
Better yet, install a dedicated firewall appliance like the Firewalla Gold SE, which has excellent automatic threat detection, intrusion detection, ad blocking, and a host of other killer security features.
Jim Martin / Foundry
3. Keep your antivirus turned on and up-to-date
A basic antivirus is better than none at all, so long as you keep it updated. Whether you rely solely on the built-in Windows Security (here’s a full how-to on activating ransomware protection) or run something more robust, like Norton 360 Deluxe (PCWorld’s top pick), you have to ensure its updates run daily to stay fully protected.
4. Use a password manager and strong passwords
Any password that you can easily remember isn’t a strong password, and you should never use the same password on more than one site. To ensure all your passwords are robust and to make it easier to change them from time to time, use a password manager like Dashlane or Keeper.
This will save you a lot of headaches if you ever need to change all your passwords after an attack, and also keep your passwords encrypted so that attackers won’t be able to read them from your hard drive. (If you ever do get infected with ransomware, make your password manager the first account credential you update, since it has all your other credentials in it.)
How to survive a ransomware attack
1. Take a deep breath
Ransomware is so common because it’s an effective way for attackers to get money out of victims. The threat preys on a combination of weaknesses in both the PC’s security and the user’s emotions. Attackers are counting on you to lose your cool and pay up promptly. But don’t let your emotions get the best of you. Take a deep breath and find yourself a guide (like this one!) to lead you through next steps.
2. Don’t engage the attackers
Ransomware attacks are automated, meaning the humans behind the attack aren’t directly conscious of you or your PC. At the moment of the attack, you might be little more than a line-item in an activity log they haven’t looked at yet, so don’t raise your profile by calling any numbers displayed on the screen or otherwise interacting with the malware.
Don’t follow any links, email any addresses given to you, or pay any ransoms. Engaging with the attackers will only increase their focus on getting what they want from you, subjecting you to further risk, and paying the ransom is no guarantee that you’ll get your data back.
3. Disconnect your device from the internet
As quickly as you can, take your device offline to prevent it from sending your data to attackers or infecting other devices on your network. If you’re on an ethernet connection, simply disconnect the wire immediately. If you’re on your home Wi-Fi network, try disconnecting through your PC’s Wi-Fi settings or switch to airplane mode if you still have enough control of the PC to do that.
Whether that works or not, enter your router’s menu from another device and identify your PC on the clients list, then block that machine from accessing the network by accessing the Access Control or Blacklist menu (this may have a different but similar name on your home router).
Use your router’s Access Control menu to block your infected PC from rejoining your network until you’ve fully eliminated any ransomware.
Robert Strohmeyer/Foundry
4. If this is your work PC, notify your IT manager immediately
Consumers are not the ideal target of ransomware attacks, because they typically don’t have enough money to pay the really big ransoms and if their personal photos are backed up on another device, they might not care enough to pay the ransom. But if for some reason, your work computer has been attacked, contact the IT department. It has a vested interest in assisting you posthaste.
5. Change all your passwords
Some ransomware can capture and send your data to its controllers in an effort to steal useful financial information, website credentials, or other data that can be used to carry out further attacks or identity theft. So, now is the time to start changing your passwords on all your online accounts.
If you’re using a good password manager like Dashlane or Lastpass, that will help you automate the process a bit. If not, you’ll need to do it by logging into each account and manually changing your passwords. Prioritize your email account first, so it can’t be hijacked and used to worsen the attack on your data and identity. Then go to your financial accounts, your major cloud accounts such as Google and Apple, your ISP and mobile carrier, and then everything else in the long tail of websites you use.
Don’t forget to change your Wi-Fi password, too, for good measure. Literally any credential you’ve ever used on that PC needs to change because all of it is likely to end up on the dark web shortly after the attack.
A password manager like Dashlane makes it easier to protect your passwords if your system is compromised, and can automate changing passwords on all the sites you use.
PCWorld / Dashlane
6. Preserve evidence… or remove the PC’s drive… or attempt data recovery
Once you’ve isolated the PC from your network and the internet, there’s little the ransomware can do besides complete its encryption process on your hard drive. Malware experts generally agree that attempting to stop the encryption by shutting down the PC is risky, because it could render the entire drive unrecoverable. What you choose to do next depends on several factors.
Is it your personal PC or a work machine? Do you want to get law enforcement involved? Do you need to recover the data or can you live without it? Each of these questions will lead you down a different path.
If you’re using a work PC, you should have already contacted your IT department by this point, and you’ll follow their instructions for all next steps. They’ll almost certainly recommend changing all your passwords, just as we have here, but may also want you to do a few more steps related to filing incident reports and locking down access to company systems. Some companies will also require you to take some form of cybersecurity training before giving you back full access to their systems.
If your personal PC has been attacked, you may or may not want to get law enforcement involved. The FBI has a cybercrimes unit, and you can file a complaint with them at www.ic3.gov. If you do involve law enforcement, you’ll want to preserve as much evidence as possible, which may include turning over the affected hard drive so investigators can determine what type of malware was used and potentially identify the attackers. Whether or not all this hassle is worth your while is a matter of debate, but you may feel better knowing you’ve contributed to the cause of combatting this type of crime.
Whether or not you choose to involve law enforcement, decide how important it is to you to get your data back. If you hand over your hard drive as evidence, it may be a while before you see it again, so any data recovery effort should be made prior to giving the drive to the authorities. While there are ways to potentially decrypt the drive yourself, the risk that you’ll end up infecting the computer you use for the recovery process, or just wind up destroying the encrypted data in the process, is greater than the probability of successfully recovering the data without making things worse.
For this reason, I recommend contacting a data recovery service that specializes in ransomware recovery, such as OnTrack, for the best shot at getting the data back safely. Just be aware that specialty data recovery services aren’t cheap and may not even work, and in most cases you’ll have to pay for the service whether or not the recovery is successful.
If you’d rather save your money and move on, and don’t even care about getting the data back, your best bet is simply to remove and store the infected hard drive in a closet in case you later opt for recovery services. The cost of hard drives is now so low that there’s little reason to prioritize salvaging a hard drive over establishing total certainty that the malware does not survive to reinfect your PC.
Now, if you don’t intend to recover the data, simply destroy the physical hard drive by taking it down to your local shredder service. If you can’t afford to replace the hard drive, at least be sure to fully repartition it so that the Master Boot Record and all existing partitions are completely erased and there’s no place left for the malware to hide. With a fresh drive installed, re-install Windows and restore whatever backups you have on hand, then move on with your life.