steven36 Posted November 5, 2019

Rebooting may lead to restarting a crashed file-encryption process, potential loss of encryption keys stored in-memory

Security experts don't recommend that users reboot their computers after suffering a ransomware infection, as this could help the malware in certain circumstances.

Instead, experts recommend that victims power down the computer, disconnect it from their network, and reach out to a professional IT support firm.

Experts are recommending against PC reboots because a recent survey of 1,180 US adults who fell victim to ransomware in the past years has shown that almost 30% of victims chose to reboot their computers as a way to deal with the infection.

Image: Simoiu et al.

But while rebooting in safe mode is a good way of removing older screenlocker types of ransomware, it is not recommended when dealing with modern ransomware versions that encrypt files.

"Generally, the [ransomware] executable that actually encrypts your data is designed to crawl through attached, mapped and mounted drives to a given machine. Sometimes it trips, or is blocked by a permission issue and will stop encrypting," Bill Siegel, CEO & Co-Founder of Coveware, a company that provides ransomware data recovery services told ZDNet in an email this week.

"If you reboot the machine, it will start back up and try to finish the job," Siegel said.

"A partially encrypted machine is only partially encrypted due to some fortunate error or issue, so victims should take advantage and NOT let the malware finish its job...don't reboot!"

Siegel told ZDNet the advice applies to both enterprise and home users alike.

Further, ransomware victims should also take note that there are two stages of a ransomware recovery process they have to go through.

The first is finding the ransomware's artifacts -- such as processes and boot persistence mechanisms -- and removing them from an infected host.

Second is restoring the data if a backup mechanism is available.

Siegel warns that when companies miss or skip on the first step, rebooting the computer often restarts the ransomware's process and ends up encrypting the recently-restored files, meaning victims will have to restart the data recovery process from scratch.

In the case of enterprises, this increases downtime and costs the company operating profits.

To learn more about dealing with ransomware attacks, you can check out the Emsisoft guide on how to remove ransomware and Coveware's first response guide on dealing with a ransomware attack.
frankl1n Posted November 5, 2019

19 minutes ago, steven36 said:
Security experts don't recommend that users reboot their computers after suffering a ransomware infection, as this could help the malware in certain circumstances.

Should be a no-brainer.

@steven36 hello m8, the above comment is not directed toward you, sir. Only at the source.
steven36 Posted November 5, 2019

7 minutes ago, frankl1n said:
should be a no brainer

Should have, could have, would have don't count.

31 minutes ago, steven36 said:
Experts are recommending against PC reboots because a recent survey of 1,180 US adults who fell victim to ransomware in the past years has shown that almost 30% of victims chose to reboot their computers as a way to deal with the infection.

When 30% of the users that were interviewed reboot, it shows not everyone knows not to reboot, so they need to be told. I never had to cross that bridge to begin with; knock on wood, I've never been infected by ransomware.
zanderthunder Posted November 6, 2019

You know it looks confusing when one "security expert" tells people to reboot their PC, and another "security expert" tells them to shut down their PC when it comes to a ransomware infection. So I have doubts about their "security expert" title.
frankl1n Posted November 6, 2019

Changes made to an OS are usually not fully implemented until one reboots their box, so yes, to me it is a no-brainer... never reboot a compromised machine... unless maybe it is to be booted up using your backup that was made to an external source of some kind.
Marcus Thunder Posted November 7, 2019

On 11/5/2019 at 9:47 PM, steven36 said:
But while rebooting in safe mode is a good way of removing older screenlocker types of ransomware, it is not recommended when dealing with modern ransomware versions that encrypt files.

The older screenlocker types of ransomware that do not encrypt any data are called SCAREWARE. They manage to put you in a fullscreen browser, lock down your tabs in your browser and keep themselves always above other apps or tabs... If you do not know the Task Manager or the browser's task manager keyboard shortcut, you have got no option except restarting.

Usually you get these when you don't update your browser regularly or when you're asked to disable adblocking. If you disable adblocking, you can get more than just this if ads manage to trick you into accepting or clicking their stuff.

I usually go monkey style in these situations, pressing ESC repeatedly on pop-ups and pop-unders.

I got a fullscreen locker in a phony, tricky YouTube video once that prevented the video from going back to normal view with ESC. Guess what, I found a thread that was talking about just that:
Archived
This topic is now archived and is closed to further replies.