Your initial reaction after suffering a ransomware infection might be to reboot your computer. However, you may not want to do this, as it could help the malware in certain circumstances.
Instead of rebooting your computer, we recommend the following steps: hibernate the computer, disconnect it from the network, and reach out to us ASAP.
Powering down the computer is an alternative. However, hibernating is better because it saves a copy of the memory, where some shoddy ransomware strains may sometimes leave copies of their encryption keys.
A recent survey of 1,180 US adults who fell victim to ransomware in past years has shown that almost 30% of those victims chose to reboot their computers. While rebooting in safe mode is a good way of removing older screenlocker types of ransomware, it is not recommended when dealing with versions that encrypt files.
Ransomware that encrypts your data is designed to crawl through the drives that are attached to, mapped on, or mounted on a given machine. Sometimes it is blocked by a permission issue and stops encrypting. If you reboot the machine, it will start back up and try to finish the job. Thanks to such fortunate errors or issues, victims can take advantage of partially encrypted machines and, by not rebooting, keep the malware from finishing its job.
There are two stages of a ransomware recovery process that victims have to go through:
- Finding the ransomware’s artifacts, such as processes and boot persistence mechanisms, and removing them from an infected host.
- Restoring the data if a backup mechanism is available.
When a company misses the first step, rebooting the computer often restarts the ransomware's process, which then encrypts the recently restored files and forces victims to restart the data recovery process. In the case of enterprises, this increases downtime and costs the company operating profits.
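For the first stage, a read-only inventory of common Windows autostart locations shows what would launch on the next boot. This is an added example, not code from the original article; the `New-Entry` helper and the path pattern used to mark entries for review are assumptions chosen for illustration.

```powershell
# Added example: list common Windows autostart entries before any reboot.
# The pattern is an assumed triage heuristic (user-writable paths), not a detection rule.
$suspectPattern = '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP|PUBLIC)%'

# Hypothetical helper: one row per autostart entry, flagged when the command matches the pattern.
function New-Entry($Source, $Name, $Command) {
    [pscustomobject]@{
        Source  = $Source
        Name    = $Name
        Command = $Command
        Review  = [bool]($Command -match $suspectPattern)
    }
}

$entries = @()

# 1. Run / RunOnce registry keys (machine-wide and current user)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($valueName in $item.GetValueNames()) {
        $entries += New-Entry $key $valueName ([string]$item.GetValue($valueName))
    }
}

# 2. Per-user and all-users Startup folders (shortcut targets still need manual inspection)
foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    foreach ($file in Get-ChildItem -Path $path -File -ErrorAction SilentlyContinue) {
        $entries += New-Entry "StartupFolder:$folder" $file.Name $file.FullName
    }
}

# 3. Enabled scheduled tasks that launch an executable
foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            $entries += New-Entry 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$($action.Execute) $($action.Arguments)"
        }
    }
}

# 4. Services configured to start automatically
foreach ($svc in Get-CimInstance Win32_Service -Filter "StartMode='Auto'") {
    $entries += New-Entry 'Service' $svc.Name $svc.PathName
}

$entries | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```

Entries with `Review` set to `True` are only candidates for a closer look; legitimate software also starts from these paths, and persistence can exist in locations this inventory does not cover.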
Contact us today to learn more about dealing with ransomware attacks or to set up a proactive prevention plan.