…and the 3 steps you need to take next
By Amy Bennet
The word ransomware conjures images of kidnappers and ransom notes. But that doesn’t quite capture the reality of PC ransomware. In fact, “it’s not always obvious when ransomware is the problem,” says Mike Cobb, director of engineering at data recovery and digital forensics firm DriveSavers.
For example, when ransomware affects a server and the storage connected to it, “the remote user trying to access the shared volume will not have seen the ransom note and the files will no longer open up properly. It will look like corruption to the users and until the system admin looks at the server to see the ransom note all users can be chasing their tails.”
If you think you might be a victim of ransomware, here are the signs Cobb says you should look for:
1. A splash screen blocks access
The most obvious sign that you’re infected with ransomware is a splash screen upon startup that prevents you from using the computer and provides instructions on how to pay the ransom to restore access.
If you encounter a screen like this, you’re likely a victim of lock screen ransomware.
2. Files that won’t open
If you are unable to open individual files on your machine and get an error message like one of these, you might be a victim of encryption ransomware:
Windows: “Windows can’t open this file… To open this file, Windows needs to know what program you want to use to open it. Windows can go online to look it up automatically, or you can manually select from a list of programs that are installed on your computer.”
Mac: “There is no application set to open the document… Search the App Store for an application that can open this document, or choose an existing application on your computer.”
3. Odd or missing file extensions
Those letters after the dot at the end of a file name are the file extension. They let your computer know what type of file it needs to read. Common file extensions include .doc, .exe, .pdf and .jpeg.
Files encrypted by ransomware often have extensions that end with something like .crypted or .cryptor. Many times, these files are missing file extensions altogether. In all of these instances, the Finder will display a blank icon for the file type.
4. You’ve received instructions for paying the ransom
If your computer has been infected with ransomware, the hacker responsible will have left payment instructions for you. Remember, the hacker wants you to read these files because their ultimate goal is to get paid, so the files should be somewhat easy for you to find.
Look for .txt or .html files that begin with an underscore (_) followed by clear language in all caps, such as “_OPEN ME”, “_DECRYPT YOUR FILES” or “_YOUR FILES HAVE BEEN ENCRYPTED.” There will be at least one instruction file located in every folder that contains data that has been encrypted by the ransomware.
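A small triage script, added here as an example and not part of the CSO article or of DriveSavers' tooling, that walks a folder tree for the file-level signs Cobb describes in sections 3 and 4: encrypted-looking extensions such as .crypted or .cryptor, files stripped of their extension, and ransom notes named with a leading underscore and upper-case text. It also lists folders that hold both a note and encrypted-looking files, the per-folder pattern the article describes. The extension list, the note-name pattern and the constructed sample tree it runs against are assumptions; widen them to match what an actual incident shows.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Indicators taken from the article: extensions like .crypted / .cryptor,
# files with no extension at all, and notes named like "_OPEN ME.txt".
# Assumed lists; extend them with what your incident actually shows.
SUSPICIOUS_EXTENSIONS = {".crypted", ".cryptor"}
NOTE_EXTENSIONS = {".txt", ".html", ".htm"}
# Note name: leading underscore, then upper-case text ("_DECRYPT YOUR FILES")
NOTE_NAME_RE = re.compile(r"^_[A-Z][A-Z0-9 _!.-]*$")


def classify(path: Path) -> Optional[str]:
    """Return the indicator a single file matches, or None if it looks normal."""
    if path.name.startswith("."):  # dotfiles legitimately have no extension
        return None
    ext = path.suffix.lower()
    if ext in SUSPICIOUS_EXTENSIONS:
        return "encrypted_extension"
    if ext in NOTE_EXTENSIONS and NOTE_NAME_RE.match(path.stem):
        return "ransom_note"
    if ext == "":
        return "missing_extension"
    return None


def scan(root: Path) -> Dict[str, List[str]]:
    """Walk root, bucket files by indicator, and record folders that contain
    both a ransom note and encrypted-looking files."""
    findings: Dict[str, List[str]] = {
        "encrypted_extension": [],
        "ransom_note": [],
        "missing_extension": [],
        "folders_with_note_and_encrypted": [],
    }
    for dirpath, _dirnames, filenames in os.walk(root):
        has_note = has_encrypted = False
        for fname in filenames:
            path = Path(dirpath) / fname
            kind = classify(path)
            if kind is None:
                continue
            findings[kind].append(path.relative_to(root).as_posix())
            has_note |= kind == "ransom_note"
            has_encrypted |= kind in ("encrypted_extension", "missing_extension")
        if has_note and has_encrypted:
            findings["folders_with_note_and_encrypted"].append(
                Path(dirpath).relative_to(root).as_posix())
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree(base: Path) -> None:
    """Constructed sample: two user folders hit by ransomware, one untouched."""
    layout = {
        "Documents": ["report.docx.crypted", "budget.xlsx.cryptor", "_OPEN ME.txt"],
        "Pictures": ["holiday", "_DECRYPT YOUR FILES.html", "notes.txt"],
        "Clean": ["readme.txt", "photo.jpeg"],
    }
    for folder, files in layout.items():
        (base / folder).mkdir(parents=True, exist_ok=True)
        for fname in files:
            (base / folder / fname).write_bytes(b"constructed sample content\n")


def scan_sample() -> Dict[str, List[str]]:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return scan(base)


if __name__ == "__main__":
    for kind, hits in scan_sample().items():
        print(f"{kind}: {hits}")
```

Run it against a copy or a read-only mount of the suspect volume, not the live server, and treat the "missing_extension" bucket as the noisy one: executables and many scripts on macOS and Linux have no extension, so the folder-level correlation (a note sitting next to encrypted-looking files) is the stronger signal.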
I’ve got ransomware. Now what do I do?
Cobb emphasizes that you shouldn’t open the instruction files unless you intend to pay the ransom. But the question of whether or not to pay is itself controversial.
Many experts say this should be a last resort, while others, like Trend Micro’s Christopher Budd, say you should never pay a ransom. “Remember, you’re dealing with criminals,” writes Budd in a blog post. “There’s no guarantee you’ll actually get all your files back.”
Here are the three steps Budd says you should follow instead of paying the ransom:
- Turn off your computer and disconnect it from the internet.
- Restore from backup if you’ve got one.
- If that doesn’t work, you can visit Trend Micro’s ransomware resource page for additional help.