So you've been infected by malicious software, or malware. How do you know you know? It's not always obvious. Your computer might simply be sluggish. Or you might be blocked from getting online. Or the machine might not even boot up.
First, determine if the attack is a specific kind malware known as ransomware. That's pretty easy. If your machine is essentially crippled, but for a message that demands payment in order to go on, that's ransomware. We have a separate set of instructions for that. Sadly, ransomware victims have fewer options for recovery.
If you are in the middle of another kind of malware attack, here are the steps to take now.
Virus Infection Recovery
- Stop what you are doing immediately and disconnect your machine from the network. This includes printers, and perhaps other peripherals, with wired or wireless connections.
- Close all programs. Whatever you do, don't do anything that causes you to enter usernames or passwords, or even visit sites where those might be preloaded.
- A helpful point from Haber: if you need Internet access to get help, power off other devices on your network first to prevent a potential "lateral movement infection." Many malicious programs will attempt to spread across local networks.
- Don't go online and search wildly for help. The Internet is full of websites offering to help with specific malware problems which are themselves booby-trapped. If you try to download a software fix, or go looking for helpful instructions, be very careful about the site you pick. Only trust names you know.
- If you can, visit your antivirus vendor's site and make sure your software it is up to date, including the latest malware "definition file." Then run a scan.
- If that fixes your computer, lucky you. If not, you'll have to take additional steps. The malware might be interfering with your antivirus software. On a Windows PC or a Mac, that might mean you have to boot up in Safe Mode and try the antivirus scan again. It's possible to operate in Safe Mode but still download antivirus updates.
- If that doesn't work, you might have to restart using a "boot disc" from a USB drive. You might have to download the software using a separate computer, load it onto a USB stick, and then insert it into the infected machine. Here's one free bootable recovery tool from Symantec.
- Finally, if none of those steps work, you might need to start over with your backups. Reinstall the operating system and restore your data. IMPORTANT: Don't restore the applications; they might be infected.
Ransomware Infection Recovery
How do you know you are infected by ransomware? It's usually pretty simple. Your computer will be disabled, your files scrambled via encryption, and there will be a message demanding that you pay a ransom fee in order to obtain the encryption key.
Sadly, if you are infected with ransomware, the steps to take are a bit shorter; there are often fewer possibilities for recovery. Unless a vendor has reputable written a decryption tool for the particular kind of ransomware infection you've suffered—which is possible, here's a list from Kaspersky—your data most likely cannot be recovered without the encryption key. Here are the steps to follow:
- Disconnect the machine from the network
- Do not pay the ransom, the FBI says. There's no way to know if the criminals will really cough up a working decryption key after payment. And payment just give financial support to criminal enterprises that will probably help them attack other people and institutions.
- Start from scratch—reload your operating system, reload your applications, and restore your files from backups. What? You don't have a backup? Re-read the top of this story. Perhaps there's a decryption tool. Check again. Otherwise, there's little hope.
- Consider contacting law enforcement if the infection causes serious financial harm to you or your business.
What to Do After a Malware Attack
If you have just endured a malware attack and survived, now is not the time to pat yourself on the back or point fingers. Now is the time to start planning for the next one, which is also inevitable. First, make sure your operating system is up to date and has all security patches installed. Run Windows update, visit the Apple App store, or other operating system distributor, as needed.
Second, have a quick post-mortem, even if it's just with yourself. How easy was it to restore from backup? Are you sure everything that was "lost' has been found or recovered? Were you happy with the operating system reinstallation process? With the antivirus software? Did you or someone else who had access to your machine (your kids?) do something unwise to cause the infection? Adjust accordingly, including talking to your kids.
Finally, consider backing up your files more frequently. It's rare that malware attack victims escape completely unscathed. The more frequent your backups, the less you'll lose when it's your turn. Did I mention how important it is to backup your files?