What you SHOULD do when you are infected by Ransomware

Let me start with what you shouldn’t do. For starters, you should not search the internet for a removal guide for specific ransomware.

If ransomware encrypts your data, you cannot recover that data by running malware removal tools. The only thing these tools can do is remove the payload used to install the ransomware on your computer.

Most of these websites share only a little information about the ransomware infection and then offer a removal tool (for a fee). Malware removal tools do not work, at least not to unlock and recover your encrypted data.

Also, what you should never do is restart the computer! The decryption key may be in the computer’s memory. During a computer reboot, this memory will be lost.

But what can you do? To be honest, not much. Retrieving encrypted data is often only possible by paying the cybercriminals. However, paying cybercriminals is not recommended.

In order to stop cybercrime with ransomware, it is important that you report the attack to your local police department.

The police are taking ransomware reports more and more seriously. Reporting the attack means cybercriminals can be held responsible and the extent of the ransomware infections can be identified.

I have made a list of websites of local authorities per country.

United States, go to the On Guard Online website.
United Kingdom, go to the Action Fraud website.
Australia, go to the SCAMwatch website.
Canada, go to the Canadian Anti-Fraud Centre.
Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
Netherlands, go to the Politie NL website.
New Zealand, go to the Consumer Affairs Scams website.
France, go to the Agence nationale de la sécurité des systèmes d’information.
Ireland, go to the An Garda Síochána website.

It may seem useless to report it, but it helps in the fight against ransomware.

The next thing you can do is check whether a decryption tool is available on the website nomoreransom.org. Nomoreransom tracks ransomware infections and, for some of them, makes a tool available to unlock the data without paying.

Nomoreransom.org only has tools for ransomware for which the decryption key is available offline. Most ransomware uses a server-side key, which does not allow the data to be decrypted.

Make sure you have a backup. If you have a backup of Windows, the full backup needs to be restored.

If you only have a backup of specific files, make sure that the ransomware payload is removed before you restore the files.

You can search the Internet for online services for this purpose.

If you have a company and it is affected by ransomware, please call in external help from a competent company and do not use removal tools yourself.

As a private individual, you can use Malwarebytes, a malware removal tool that is free to use for 14 days and does not need to be purchased right away. Malwarebytes checks your computer for ransomware and removes the source file.

Make sure that the ransomware source (a file) is removed before you restore data using external backups.

Another simple trick I have seen work is to ask the cybercriminals for the key. Tell them you are poor and in need of the key. Sometimes cybercriminals fall for this technique; I have seen it happen a few times, so it is worth a try!