What You Need to Do in a Ransomware Attack

Ransomware attacks occur so frequently that experts call them the fastest-growing cyber-security crime. Reports of the incidents, which involve a hacker employing malware to hold a victim’s data for ransom, were up 64% in 2021 over the same period a year earlier — to the point where they take place every 11 seconds. Criminals can now buy pre-packaged tools that allow them to attack, so even amateurs can carry out significant infections. Hacker groups attack organizations most often, especially critical services such as manufacturing and health care, and companies from Coca-Cola to the American Dental Association have fallen victim. But individuals can also be on the receiving end, often through email phishing attempts. Before you find yourself among the victims, take stock of what you need to do in a ransomware attack.

Related: Watch Out for These Scams Targeting Seniors

Take pictures of the ransomware page and the address the funds are meant to be sent to, advises Chris Pierson, CEO of BlackCloak, a concierge cybersecurity and privacy platform. After you report the infection to the FBI Internet Crime Complaint Center, the information will be essential to provide to the authorities. 

Related: 10 Ways to Protect Your Identity and Data Online

It may be difficult to know where a ransomware attack began. If you suspect a source, find, isolate, and save the email link, or document that may have caused the attack.

Related: Signs You're Getting Scammed While Shopping Online

Prevent the malware from spreading to other devices. If the computer is hardwired to the network or internet, unplug it. It’s more complicated if you’re using a Wi-Fi connection: If you’re not able to disable the Wi-Fi connection on the device, use another device to log into the router and block the infected device from accessing it. (You may need help from your provider, which could be your cable or phone company.) “Unfortunately, ransomware has the possibility to stay dormant in a device before it is activated, so take extra precaution,” says Peter Robert, CEO and co-founder of cybersecurity and information technology firm Expert Computer Solutions. “If you discover one of your home devices is infected with ransomware, assume all the others are as well until you get more information.”

For more great consumer-protection tips, please sign up for our free newsletters.

You have a difficult decision to make: Lose your data (if you don’t have a backup), have a cybersecurity professional try a data recovery, or pay the ransom. The ransom will almost certainly be demanded in cryptocurrency rather than the dollars in your bank account. You may have to get up to speed on cryptocurrencies quickly.

“Double extortion” attacks amplify the dilemma. In these, hackers steal sensitive data before encrypting your devices. The hackers can then threaten to expose this data if the ransom isn’t paid. “The hacker may get ahold of sensitive personal information such as your tax record, legal documents, medical records, photos, or other files you would not want to have publicly released,” Pierson says. “There is not a lot the individual can do.” The only option available may be to pay the ransom.

Related: Things You Wanted to Know About Cryptocurrencies but Were Afraid to Ask

If you decide to seek the help of a cybersecurity professional to try to recover your data, be warned: “It can be expensive, and there is no guarantee that any of your data will be recoverable,” Pierson says. The cybersecurity professional may be able to identify the type of malware used and track down a decrypter, which is a kind of antidote. “In some cases, certain persons may have personal cybersecurity insurance that allows for loss recovery after a ransomware event, and you will want to follow the guidance of your insurance professional,” Pierson says.

If you decide to pay the ransom, expect to pay handsomely. Ransoms have increased 82% since 2020, according to Panda Security, and the average fee grew to $570,000 in the first half of 2021. (That amount was usually asked of companies, not individuals, though.) Pierson recommends seeking technical help or enlisting a “carveout” (i.e., someone other than yourself) to communicate with the cybercriminals using a fake email address — but warns that this may not be the end. “It’s important for people to realize that even if you pay the ransom, the hacker may not send you a decryption key, and, even if they do, they may just turn around and attack you again because they know you will pay,” Pierson says.

Once a computer is infected, it must be wiped fully — all information deleted beyond recovery — to remove the malware. If that doesn’t provide enough peace of mind, you’ll need to replace the hard drive or buy a new device.

The biggest mistakes people make come before the infection: “They do not use anti-malware software. They have not verified their home network is secure — the Wi-Fi router too. And they do not have a reliable backup for their documents or other important personal digital items which are easily accessible,” Pierson says. Each will help prevent malware or make recovering from the infection much easier.

Ransomware encrypts your data and denies you access. It also steals the information, which is why you’ll need to monitor for identity theft and fraud after an attack. “You should immediately change all of your account and device passwords,” Pierson recommends, along with a few other steps: re-securing your Wi-Fi router, adding a strong password and making sure the firmware is always kept up to date; adding dual-factor authentication to all of your accounts; and contacting your financial institution and mobile carrier to add additional protections to your accounts, such as security PINs and account change notifications.

Related: Identity Theft Horror Stories