Encryption ransomware lessons. There is no room for haste
Friday, June 30, 2017
The authors of encryption ransomware read what security experts publish, including incident-response guidelines and standards, and keep refining their "creations" accordingly.
For example, here is a quotation from a malware incident investigation guide:
- Under no circumstances should a computer undergoing examination be used—it is the object of an investigation.
- A computer shouldn't even be powered on prior to being handed over to investigators. No tasks whatsoever should be performed on a seized computer without taking the required precautions (e.g., create a backup or make sure that no files can be modified).
- The system must not be booted up using the installed operating system.
Powering up the computer from its installed operating system may destroy the data on its hard drive.
Cutting the power (rather than performing a normal shutdown) is another appropriate step once an infection is discovered. The reason is simple: a "smart" Trojan can detect when the computer is being started up or shut down and make sure that its own routines are executed at exactly those moments. Keep in mind that pulling the plug also discards everything in RAM, so if you have the tooling and the skills to capture memory first, do that before cutting the power.
Our office was also affected just as many others were.
When we first booted up from a LiveCD, we were able to access the files, but they all turned out to be encrypted. We then ran several standard scripts to make the system bootable. The system restarted, a disk check was initiated, and after that we lost access to the disks and the data.
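The precautions quoted from the guide, and the disk-check incident described above, both come down to one rule: nothing may write to the infected disk until a verified bit-for-bit copy exists. The script below is an added example, not code from the article or from Dr.Web; it assumes a Linux live environment with coreutils (dd, sha256sum) and util-linux (blockdev, mount), and the device and file names in it are placeholders. It marks the source read-only at the kernel level, images it, and records the hash of the original against the image so that any later recovery attempt can be checked against pristine evidence.

```shell
#!/bin/sh
# Added example (not from the original article): preserve an infected disk
# before any recovery attempt. Assumes a Linux live environment with coreutils
# and util-linux. Paths such as /dev/sdb and /mnt/evidence are placeholders.
set -eu

# Make the source read-only at the kernel level so that no later step (a
# forgotten fsck, a journal replay, a "helpful" repair script) can write to it.
# Regular files are accepted too, so the workflow can be rehearsed on an image.
protect_source() {
  src="$1"
  if [ -b "$src" ]; then
    blockdev --setro "$src"
  fi
  chmod a-w "$src" 2>/dev/null || true
}

# Bit-for-bit copy of the source. The hash of the original is taken before
# the copy and the hash of the image after it; the original's hash is stored
# next to the image in sha256sum -c format. Returns non-zero if they differ,
# in which case the image must not be used for recovery.
image_evidence() {
  src="$1"; img="$2"
  src_hash=$(sha256sum "$src" | cut -d' ' -f1)
  dd if="$src" of="$img" bs=4M 2>/dev/null
  img_hash=$(sha256sum "$img" | cut -d' ' -f1)
  printf '%s  %s\n' "$src_hash" "$img" > "$img.sha256"
  [ "$src_hash" = "$img_hash" ]
}

# Re-check an image against the recorded hash of the original, e.g. after a
# recovery attempt on a *copy* of the image, to prove the evidence is intact.
verify_image() {
  img="$1"
  sha256sum -c "$img.sha256" >/dev/null 2>&1
}

# Mount the original (or a loop device over the image) for examination without
# executing anything from it and without replaying the journal. "noload" is
# ext3/ext4 specific; drop it for other filesystems. Needs root, so it is not
# exercised by the rehearsal run below.
examine_readonly() {
  dev="$1"; mnt="$2"
  mkdir -p "$mnt"
  mount -o ro,noexec,nodev,nosuid,noload "$dev" "$mnt"
}

# Typical sequence on a live system (placeholders):
#   protect_source /dev/sdb
#   image_evidence /dev/sdb /mnt/evidence/sdb.img
#   examine_readonly /mnt/evidence/sdb.img /mnt/suspect   # via loop device
```

The key property is that protect_source runs first and image_evidence refuses to report success unless the image hashes identically to the original; a disk check like the one in the account above would then have hit a read-only device, and even if it had somehow modified the original, the signed-off image would still exist. For a disk with bad sectors, substitute ddrescue for dd and expect the hash comparison to fail, since the unreadable regions are filled in rather than copied.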
The Anti-virus Times recommends
- Haste is only good for catching fleas. Actions are most effective when performed calmly and methodically and after taking time out for coffee or tea.
- Hasty attempts to recover data tend to wipe out the traces of the infection, or even the encrypted data itself, along with any chance of decrypting it.
- If your system gets infected, contact your anti-virus company’s technical support service, provide all the necessary information, wait for a reply, and follow their instructions.