
Ransomware – How to Defend Yourself?

Author: Mirek Dusik · Category: Technology

1. Disconnect the Device from the Network

What to do: Unplug the Ethernet cable or turn off Wi-Fi on the infected device immediately; do not wait for the encryption to finish. If the device is part of a corporate network, have the IT administrator isolate the affected network segment, disable the affected user's account and disconnect shared drives and cloud-sync clients. Do not wipe the machine yet: it is the primary evidence for identifying the ransomware and for any later investigation.

Why it matters: Ransomware spreads laterally to other computers, servers and any storage the infected machine can reach, including mapped network shares, NAS devices and cloud-synced folders. Every minute the device stays connected, more of that data can be encrypted.

2. Do Not Pay the Attackers

Why not pay: Payment does not guarantee you will receive a working decryption key, and even a working decryptor often recovers files slowly or incompletely. Paying funds the attackers, marks you as a victim who pays and encourages further attacks; where the operators are under sanctions, paying may also be illegal. Attackers who copied data before encrypting it can still leak it after payment.

What to do instead: Concentrate on recovering data from your own backups or with a published decryption tool, if one exists for the ransomware family in question.

3. Identify the Ransomware

How to identify: Look for the ransomware name in the ransom note (the text or HTML file the attackers drop in encrypted folders). Note the extension added to the encrypted files and the file name of the note, then compare them with a database such as ID Ransomware, which can also identify the family from an uploaded sample of an encrypted file and the note.

Next steps: If a decryptor exists for that family, use the tools published on the No More Ransom website. Run any decryptor on copies of the encrypted files first and keep the originals until you have confirmed that the output opens correctly; a wrong or buggy decryptor can make the files unrecoverable.
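The identification step above can be partly automated. The following Python script is an added example, not code from the article: it walks a directory, tallies the extensions of files whose contents look encrypted (Shannon entropy close to 8 bits per byte, skipping formats that are compressed anyway) and lists files whose names look like ransom notes. The sample tree, the note-name pattern and the 7.5-bit threshold are assumptions for illustration; the extension and note it reports are what you then look up on ID Ransomware.

```python
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# Formats that are compressed or encrypted by design and therefore high-entropy
# even when untouched; skipped to reduce false positives.
KNOWN_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png",
                      ".mp4", ".mp3", ".pdf", ".docx", ".xlsx", ".pptx"}
# Words common in ransom-note file names (assumption: generic, not family-specific).
NOTE_NAME = re.compile(r"readme|decrypt|restore|recover|how[_ -]?to|help|unlock",
                       re.IGNORECASE)
NOTE_EXTS = {".txt", ".html", ".htm", ".hta"}
ENTROPY_THRESHOLD = 7.5   # bits/byte; text is ~4-5, encrypted data ~7.9+ (assumption)
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root) -> dict:
    """Tally extensions of encrypted-looking files and collect ransom-note candidates."""
    root = Path(root)
    suspicious = Counter()
    notes = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext in NOTE_EXTS and NOTE_NAME.search(path.stem):
            notes.append(path.relative_to(root).as_posix())
            continue
        if ext in KNOWN_HIGH_ENTROPY:
            continue
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        # Tiny files give unreliable entropy estimates, so they are skipped.
        if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
            suspicious[ext or "<no extension>"] += 1
    return {"suspicious_extensions": suspicious.most_common(),
            "ransom_notes": sorted(notes)}


def build_sample_tree(root) -> None:
    """Constructed sample: three 'encrypted' files, one clean file, two notes."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    encrypted = bytes(range(256)) * 16   # uniform byte distribution: 8.0 bits/byte
    (root / "docs" / "budget.xlsx.locked").write_bytes(encrypted)
    (root / "docs" / "report.docx.locked").write_bytes(encrypted)
    (root / "notes.txt.locked").write_bytes(encrypted)
    (root / "docs" / "minutes.txt").write_text("Meeting minutes, plain text.\n" * 40)
    (root / "README_DECRYPT.txt").write_text("All your files have been encrypted.\n")
    (root / "docs" / "HOW_TO_RESTORE_FILES.html").write_text("<p>Pay to restore.</p>\n")


def demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    result = demo()
    print("Extensions of encrypted-looking files:", result["suspicious_extensions"])
    print("Ransom note candidates:", result["ransom_notes"])
```

Run it from a clean machine against a copy of the affected share, or on the infected machine only after it has been isolated. High entropy alone is not proof of encryption (archives and media files are excluded for exactly that reason), so treat the output as a lead to look up, not a verdict.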

4. Check Your Backups

What to check: Are the backups current and complete? Were they reachable from the infected machine, and were any of them encrypted as well (ransomware routinely targets backup shares and deletes Volume Shadow Copies)? Are they stored offline, for example on an external drive that is disconnected after each backup, or on tape? Verify the backups from a known-clean machine, not from the infected one.

Recovery: If the backups are intact, wipe the infected system completely (reinstall the operating system rather than just deleting the malware) and restore the data from backup. Restore a sample first and confirm that the files open before restoring everything.

5. Scan and Remove Malware

How to proceed: Boot the system into Safe Mode to minimize the malware's activity, or better, scan from a clean boot medium (a rescue disk) so that the malware is not running at all; some ransomware is built to run in Safe Mode too. Use tools such as Malwarebytes, Emsisoft Emergency Kit, or Kaspersky Virus Removal Tool.

Procedure: Cleaning removes the malware, not the damage, and no scanner can guarantee that it found everything the attackers installed (backdoors, stolen credentials). After cleaning the device, restore the system from a clean backup or reinstall it, and change every password that was used on the infected machine.

6. System Recovery

If you don't have backups: Data recovery tools such as Recuva, Disk Drill, or R-Studio can sometimes recover the original files, because some ransomware writes the encrypted copy as a new file and deletes the original instead of overwriting it in place. Work on a disk image or a separate copy, never on the original drive, and stop writing to that drive as soon as possible, since every write can overwrite the deleted data. Results are not guaranteed, but it is worth trying. Keep the encrypted files in any case: a decryptor for the family may be published later.

Clean install: If the encryption is irreversible and you have no backups, reinstall the system. Before wiping it, record license keys, save installation files and any unencrypted data to a separate medium, and take a copy of the encrypted files and the ransom note for later analysis.

7. Inform Experts

Contact points:

What to prepare: A description of the incident (when it started, how the attack most likely arrived, which systems are affected). A sample of an encrypted file and the ransom note, copied as data without opening or running anything in them. Relevant log files and the names of any suspicious files or e-mails.

8. Preventing Future Attacks

Backups: Make regular offline backups and test restoring from them. The 3-2-1 rule is recommended: keep at least three copies of your data, on two different types of media, with one copy off site, and ideally offline or immutable, so that a compromised account cannot encrypt or delete it.

Training: Train employees to recognize phishing and untrustworthy attachments, and give them a simple way to report suspicious e-mails. Treat unexpected links, attachments and requests to enable macros with suspicion.

System protection: Keep the operating system and applications updated. Use firewalls and antivirus or EDR products with behavioral threat detection. Limit what an infection can reach: give users only the access they need, require multi-factor authentication for remote access and administrator accounts, and do not expose remote desktop services directly to the Internet.
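One way to do the backup checks from step 4 and to keep the 3-2-1 copies honest: record a hash manifest when the backup is taken and verify the copy against it before restoring. The Python below is an added example (not the article's or any vendor's tool); the seven-day freshness limit, the constructed sample files and the simulated attack are assumptions. Store the manifest somewhere the backed-up machine cannot write to (with the offline copy, or on the backup server), otherwise the ransomware can rewrite it along with the data.

```python
import hashlib
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_DAYS = 7  # assumption: the freshness limit the backup policy sets


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _files_under(root: Path) -> dict:
    """Map relative POSIX-style names to paths for every file below root."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def build_manifest(backup_root, created=None) -> dict:
    """Record a SHA-256 for every file at backup time.
    Keep the result where the backed-up machine cannot write to it."""
    root = Path(backup_root)
    return {"created": time.time() if created is None else created,
            "files": {name: sha256_file(p) for name, p in _files_under(root).items()}}


def verify_backup(backup_root, manifest: dict, now=None) -> dict:
    """Compare the backup copy against its manifest and judge whether it is usable:
    no file altered or missing, and not older than the policy allows."""
    root = Path(backup_root)
    now = time.time() if now is None else now
    present = _files_under(root)
    expected = manifest["files"]
    modified = sorted(n for n, h in expected.items()
                      if n in present and sha256_file(present[n]) != h)
    missing = sorted(n for n in expected if n not in present)
    unexpected = sorted(n for n in present if n not in expected)
    age_days = (now - manifest["created"]) / 86400
    return {"modified": modified, "missing": missing, "unexpected": unexpected,
            "age_days": age_days,
            "usable": not modified and not missing and age_days <= MAX_BACKUP_AGE_DAYS}


def simulate_ransomware(root: Path) -> None:
    """Constructed damage to the copy: one file overwritten in place, one renamed,
    and a ransom note dropped. Plain file operations, not real malware."""
    junk = bytes(range(256)) * 8
    (root / "a.docx").write_bytes(junk)
    (root / "b.xlsx").rename(root / "b.xlsx.locked")
    (root / "README_DECRYPT.txt").write_text("Your files are encrypted.\n")


def demo() -> dict:
    """Take a manifest of a small constructed backup, then verify it fresh,
    stale, and after the simulated attack."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("a.docx", "b.xlsx", "c.txt"):
            (root / name).write_text(f"contents of {name}\n")
        taken = 1_000_000.0
        manifest = build_manifest(root, created=taken)
        clean = verify_backup(root, manifest, now=taken + 86400)        # one day old
        stale = verify_backup(root, manifest, now=taken + 30 * 86400)   # thirty days old
        simulate_ransomware(root)
        tampered = verify_backup(root, manifest, now=taken + 86400)
        return {"clean": clean, "stale": stale, "tampered": tampered}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, "usable" if report["usable"] else "NOT usable", report)
```

A copy that fails this check is not a restore source; it is another encrypted artifact. The same verification belongs in the routine restore test the 3-2-1 rule calls for, so that a backup job that silently started backing up encrypted files is noticed before you need it.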
