RANSOMWARE VICTIM?

If you are the victim of a ransomware attack than it is important to know that there are 2 stages:

Stage 1: the attack is happening at this very moment

If the attack is taking place at this moment than you should consider turning all computers off asap and not turn them back on before the problem is fixed.

Remember that if you have a network, this network may even extend to other offices or even other offices in other countries and all the computers on all these linked networks may be under attack.

If Honey jar trap reported that a trap has sprung than this only means that at least one file (that is a trap) has been altered or deleted. This could indicate a ransomware attack, but it can be a regular virus or a PC user that by accident altered (or deleted) this file. So before you turn down your entire network you might check this. If in a short timeframe multiple PC’s using Honey jar trap, report a sprung trap than this would definately indicate a ransomware attack in progress.

For network administrators:

If you are not using Honey jar trap software, it is good to know that most ransomware attack happen when a certain day starts. So people come to work and turn their computer on (if all computers are left on during the night than probably the damage is already done) and within one or two hours people will start reporting that they cannot access certain files. The number of people that report this problem will grow rapidly. So when you find yourself, as an administrator, in this position, it might be wise to turn of all computers asap (pulling the power cord is the fatest way).

If you have a network spread over multiple time zones, than you can warn other time zones that they should not turn on their computers.

How can you be sure that the problem you are facing is a ransomware attack if you turned all computers off before the ransomware message appears. For this you will need a computer of which you are sure that it is not infected, so a computer that has never (or at least for a very long time) been connected to your network.

You could take out the drive of the possibly infected computer. Using a USB device you connect this drive to this uninfected computer. And now you should make an image of this possibly infected drive. Take a new drive of the same specs and put it in the USB device and restore that image to this new drive. You can put this new image back in the computer and turn it on and see what happens. If more and more files become inaccessible and some time later you get a ransomware message than you know for a fact that you have been targeted, but all files that still where accessible on the infected computer are still accessible on the old drive.

Stage 2: The damage is done and the attack has encrypted all your user files

If the damage is done you basically have three options:

– Contact https://www.nomoreransom.org this organisation keeps track of many ransomware attacks and they might have a solution or even a key

– Pay the ransome money and hope that you will get a key to restore your files

– Format your drives, install all software and restore all backups you have (making sure you do not restore the ransomware virus itself)