Your computer has been infected by ransomware. All those files -- personal documents, images, videos, and audio files -- are locked up and out of your reach.
There may be a way to get those files back without paying a ransom. But first a couple of basic questions:
- Do you have complete backups? If so, recovery is simply a matter of wiping the machine -- bye bye, ransomware! -- reinstalling your applications, and restoring the data files. It's a little stressful, but doable.
- Are they good backups? Even if you did the right thing, backups aren’t foolproof, as legions of traumatized users have discovered. Unfortunately, this may be hard to determine without a full restore, so be aware that the wipe-and-restore method carries some risk.
If you answered no to either question, don’t throw in the towel and pay the ransom yet. Maybe -- maybe -- there's a decryption tool that can get you out of this jam. But before we examine that option, let's run through what you should do step by step.
1. Isolate the infection
The first step, once you've been infected, is to immediately disconnect the infected computer from the network. Turn off wireless networking and Bluetooth. Disconnect from all peripherals, cloud services, and external hard drives. This ensures the infection can’t spread -- and prevents the malware from communicating with the mothership. It buys some time, and when the ransom note threatens to increase the payment if you take too long, every second is precious.
Remember, the clock is ticking. The bad guys will carry out their threats if you take too long: Jigsaw deletes some of your files every hour you don't pay, and CryptoLocker used to increase the ransom amount if you didn't pay within the imposed time limit.
2. Learn the malware’s true name
Knowing which ransomware variant you are dealing with can be tricky. There are nearly 70 families of ransomware, and some variants behave differently from earlier versions of the same family. In some cases, as with TeslaCrypt, the message saying your files have been encrypted proudly includes the ransomware name. Reputation matters to the criminals, because victims are more likely to pay up if they know that other victims successfully got access to their files after paying the ransom.
Nonetheless, some ransomware seems to prefer anonymity. CryptoLocker was a big problem during its heyday because its dialog box simply warned that files had been encrypted. Some families give themselves away through a specific file extension. An example is Locky, which got its name because encrypted files carried the .locky extension. If you still can't make a positive ID, try searching the Internet for the bitcoin payment address or the actual ransom message text to discover which ransomware family infected the files.
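The extension check described above is easy to automate on a copy of the affected data (or on the isolated machine once it is off the network). The script below is an added example, not code from the article: it walks a directory, tallies file extensions, picks the most common extension that is not a normal document or media type, and looks it up in a small family table. Only the .locky → Locky entry comes from the article; the "common extensions" list and the sample directory it builds are constructed for the demonstration, and in practice you would fill the table from a trusted ransomware-identification reference.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension -> family table. Only ".locky" comes from the article; extend this
# from a trusted ransomware-ID reference rather than guessing.
KNOWN_EXTENSIONS = {".locky": "Locky"}

# Constructed list of extensions a typical user's files normally carry. Anything
# outside this set that suddenly dominates a directory is suspicious.
COMMON_EXTENSIONS = {
    ".docx", ".doc", ".xlsx", ".pdf", ".txt",
    ".jpg", ".png", ".gif", ".mp3", ".mp4", ".zip",
}


def survey_extensions(paths):
    """Count lower-cased file extensions over an iterable of path strings."""
    counts = Counter()
    for p in paths:
        counts[Path(p).suffix.lower()] += 1
    return counts


def scan_directory(root):
    """Yield every regular file under root (recursively) as a path string."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def identify_family(counts):
    """Return (extension, family) for the most common unusual extension.

    Returns None when no unusual extension is present. The family string is
    'unknown' when the extension is not in KNOWN_EXTENSIONS; that is the cue to
    search the Internet for the extension and the ransom-note text, as the
    article advises.
    """
    unusual = {ext: n for ext, n in counts.items()
               if ext and ext not in COMMON_EXTENSIONS}
    if not unusual:
        return None
    ext = max(unusual, key=unusual.get)
    return ext, KNOWN_EXTENSIONS.get(ext, "unknown")


def build_sample_tree(root):
    """Constructed sample: a few untouched files plus many renamed to .locky,
    mimicking the after-state the article describes for Locky."""
    root = Path(root)
    (root / "photos").mkdir()
    (root / "docs").mkdir()
    for i in range(3):
        (root / "docs" / f"notes{i}.txt").write_text("untouched")
    for i in range(6):
        # Locky-style renaming: original name replaced, .locky appended.
        (root / "photos" / f"A1B2C3D4{i:02d}.locky").write_bytes(b"\x00ciphertext")
    (root / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8")


def demo():
    """Build the sample tree in a temp dir and run the identification on it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        counts = survey_extensions(scan_directory(tmp))
        return identify_family(counts)


if __name__ == "__main__":
    result = demo()
    if result is None:
        print("No unusual extension found; check the ransom note text instead.")
    else:
        ext, family = result
        print(f"Dominant unusual extension {ext} -> likely family: {family}")
```

Run it against a real directory by replacing `demo()` with `identify_family(survey_extensions(scan_directory("/path/to/copy")))`. An "unknown" result is still useful: it gives you the exact extension string to put into a search engine alongside the ransom message.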