Incident Response

We have talked about preventing ransomware. Security software should be deployed at multiple levels in order to combat modern threats. Network security software, such as IPS, IDS, and firewalls, is just as important as desktop security software, such as antivirus. Also, all software used in an organization should be patched promptly. At the same time, physical security also plays an important role. Where critical devices such as servers are physically isolated, there can be a lapse in security measures.

Screen locker ransomware is easier to deal with; most of them can be bypassed by preventing them from starting during Windows boot. Most of the time, removing their Run entries helps. We have talked about this in Chapter 4, Ransomware Techniques of Hijacking the System.
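As an added example that is not from the book, here is a small Python triage script for the Run-entry removal step: it parses an exported Run key (a constructed .reg sample is embedded) and flags autostart entries whose executable lives outside an assumed allowlist of standard program directories, so the analyst can review those entries before removing them.

```python
import re

# Constructed sample: a .reg export of the per-user Run key (example data only).
# Real regedit exports (Version 5.00) are UTF-16LE; decode them before parsing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
"Locker"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\lock.exe\""
'''

# Assumed allowlist: autostart binaries are expected to live under these paths.
TRUSTED_PREFIXES = (
    r"c:\program files",
    r"c:\program files (x86)",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)


def parse_run_entries(reg_text):
    """Return (key, name, command) for every value under a Run/RunOnce key."""
    entries = []
    key = None
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and key and key.lower().rsplit("\\", 1)[-1] in ("run", "runonce"):
            name, raw = m.groups()
            # .reg files escape backslashes and double quotes inside string values
            command = raw.replace("\\\\", "\\").replace('\\"', '"')
            entries.append((key, name, command))
    return entries


def executable_path(command):
    """Extract the executable from a command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def suspicious_entries(reg_text):
    """Return (name, executable) for Run entries outside the trusted directories."""
    flagged = []
    for _key, name, command in parse_run_entries(reg_text):
        exe = executable_path(command)
        if not exe.lower().startswith(TRUSTED_PREFIXES):
            flagged.append((name, exe))
    return flagged
```

Flagged entries are candidates for review, not automatic deletion; confirm the binary (signature, hash, file timestamps) before removing the value, and check the HKLM Run keys the same way.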

Crypto ransomware is the trickiest to deal with. The hijacked files cannot be recovered without the key needed to decrypt them, and that key is held by the attacker.

Paying the ransom and getting the decryption key is a quick and easy option, but also an expensive one. The victim may be in a dilemma as to whether or not to pay the ransom. After all, the extortionists are criminals and cannot be trusted. They may not provide the decryption key even after the victim has paid the ransom. Also, there could be cases where the encryption-decryption implementation is buggy and the key they provide fails to decrypt the encrypted files. In our opinion, paying the ransom should be the last option.

Here are some key steps that the victim should take before thinking of paying the ransom:

  1. Isolate the infected machine.
  2. Notify law authorities.
  3. Contact the AV vendor and ask them for a response.
  4. Seek help on the internet.
  5. Carry out forensics.

Here are some details about these procedures.
