What To Do If You Get CryptoLocker Ransomware Attacked

CryptoLocker ransomware attacks are scary. You’ll suddenly see a note appear on your computer screen stating that your computer is locked or files have been encrypted. 

First of all: don’t panic! Follow this 7-step guide after a ransomware attack.

Follow These 7 Steps If You Get CrypoLocker Ransomware

#1- Take a Picture of the Ransom With Your Cell Phone 

Get a picture of the ransom message so your insurance and IT Company can analyze it later.

#2 Unplug the Network Cable on the Machine With the Ransom Note

Let’s stop further access and cut off communication with the attackers for now. Unplug the network cable or turn the computer entirely off until experts can assess the situation without further damage to your environment. 

#3- Get Your Insurance Company on the Phone

Your business insurance company should have a department that specializes in ransomware. They’ll connect you with experts that deal with this all the time. Share the ransom note picture with them early so they can start understanding the nature of your infection. 

If you do not have the correct type of insurance that covers this, you’ll need to work closely with an IT Company and a law firm experienced with dealing with a live ransomware event.  

#4- Get Your IT Company on the Phone 

You typically have 4 options after a ransomware event:

  1. Restore from backup
  2. Hope there’s a free tool online that decrypts your specific type of ransom (rare)
  3. Deal with data loss and start over
  4. Pay the ransom, hope it decrypts

Get in touch with your IT company and figure out if you can restore from a backup. Your insurance company will talk to your IT company and assess all remediation options. Don’t let your IT company change anything until all evidence is collected and the lawyer explicitly requests an action be taken. 

If you do not have the correct type of insurance, you, your IT company, and your lawyer need to carefully assess all your remediation options.

#5- Assess the Backups With Your IT Company

If you have an insurance company leading the remediation effort, they’ll talk to your IT company about the backups early. 

Ideally, your IT Company is managing your backup system and: 

  1. Your backups include all the data that was encrypted
  2. They’re recent
  3. They’re not encrypted from this ransomware 

If your backups are a no-go, your insurance company will want samples of encrypted files sent to them to figure out which type of ransomware you have. If the backups can restore all the encrypted data back to normal, and they’re recent enough, you are in a good position. 

If you do not have the correct type of insurance, you, your IT company, and your lawyer need to assess your options based on the state of the backup.

#5- Assess Legal Ramifications

Ransomware events are typically kicked off by a malware infection. Sally at the front desk clicks on the wrong email and it kicks off a malware process without anyone knowing. How that exact ransomware is coded is a mystery, as it’s made by criminals. One possibility is the infection also opened a back door and some of your data was transferred to bad actors. This is called a breach, and it typically has legal ramifications.

Let your insurance company’s lawyer (or your lawyer if no insurance) and their IT expert figure out if there was a breach or not. It’s critical that you wait for the lawyer’s OK before your IT company collects any evidence on the attacked machine and/or data on the network.

#6- Recover
Once you’re cleared by the lawyers to begin remediation, several things can happen depending on the situation:

  1. You have good backups. You’ll clean out the ransomware infection, restore data, life goes on. 
  2. You have bad (or no) backups. 
    1. Your insurance company may negotiate with the criminals and attempt to decrypt the data. If it works, they’ll help facilitate the decryption. You’ll test that the data looks good. If so, your IT company will clean out the ransomware infection, and life goes on. It’s also possible the decryption fails, see below.
    2. Decryption is not possible and you’re starting from scratch. Not many businesses can survive a data reset. If you’re in a regulated industry, there will likely be legal consequences for losing protected information. 

#7- Prevent Future CryptoLocker Ransomware Attacks

Now that you’ve been through a CryptoLocker event, it’s time to focus on preventing a future attack. 

If you’re reading this and have not yet experienced a CryptoLocker event, start here.

Work with an IT company that deploys a thoroughly-vetted multi-layered security approach. Example of our approach: strong enterprise-grade anti-virus/anti-malware/anti-cryptolocker endpoint protection, next-gen unified threat management device (firewall), end-user training, inbound and outbound email filtering, and more. 

If you would like a quote or evaluation for IT services, don’t hesitate to reach out to PK Tech here: contact PK Tech. We provide support and services to support and protect your business.

About PK Tech