Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security IT Technology

Don't Reboot Your Computer After You've Been Infected With Ransomware, Experts Say (zdnet.com) 56

Security experts don't recommend that users reboot their computers after suffering a ransomware infection, as this could help the malware in certain circumstances. From a report: Instead, experts recommend that victims power down the computer, disconnect it from their network, and reach out to a professional IT support firm. Experts are recommending against PC reboots because a recent survey of 1,180 US adults who fell victim to ransomware in the past years has shown that almost 30% of victims chose to reboot their computers as a way to deal with the infection. But while rebooting in safe mode is a good way of removing older screenlocker types of ransomware, it is not recommended when dealing with modern ransomware versions that encrypt files.

"Generally, the [ransomware] executable that actually encrypts your data is designed to crawl through attached, mapped and mounted drives to a given machine. Sometimes it trips, or is blocked by a permission issue and will stop encrypting," Bill Siegel, CEO & Co-Founder of Coveware, a company that provides ransomware data recovery services told ZDNet in an email this week. "If you reboot the machine, it will start back up and try to finish the job," Siegel said.

This discussion has been archived. No new comments can be posted.

Don't Reboot Your Computer After You've Been Infected With Ransomware, Experts Say

Comments Filter:
  • at no point did it explain how any additional damage comes from rebooting. "It will attempt to keep going" ... yeah... just like it does when it's normally running.

    • Re:at no point (Score:4, Informative)

      by Ryzilynt ( 3492885 ) on Tuesday November 05, 2019 @12:07PM (#59383736)

      at no point did it explain how any additional damage comes from rebooting. "It will attempt to keep going" ... yeah... just like it does when it's normally running.

      The full article has more information than the summary. And it also links to some guides.

    • Rebooting used to be the standard advice for malware, but these things now run in Safe Mode and as auto-StartUp items, so basically rebooting is SOL for ransomware.

      • by Moryath ( 553296 )
        Everything you used to think was the correct course of action is wrong. Unless it was wrong before. Or unless you mis-diagnose what's going on. Or you correctly diagnose the symptoms but it's new malware that does different things while looking the same.

        .... you know what, you're fucked no matter what you do.
      • by Jaime2 ( 824950 )
        Yup, the Die Hard syndrome. Once the containment steps are committed to a document and shared, the adversary will change their attack to make your documented procedure work against you. Bruce Willis taught as all this lesson in 1988.
    • by Dunbal ( 464142 ) *
      Let's face it if you're dumb enough to be infected with ransomware, you're too dumb to stop it anyway.
      • by raymorris ( 2726007 ) on Tuesday November 05, 2019 @12:55PM (#59383894) Journal

        > Let's face it if you're dumb enough to be infected with ransomware, you're too dumb to stop it anyway.

        True 99.9% of the time. Also, if you're breathing, there is a 99.9% certainty that you aren't a ransomware expert.

        If you have perfect backups, such that the ransomware wasn't able to encrypt your backups, you're in good shape. Pull, the plug, wipe the machine. Check which ia the latest un-infected backup and off you go.

        If you DON'T have suitable backups, it's a very delicate situation. If the ransomware is actively running, two facts are true:
        The situation is getting worse
        The key needed to decrypt your files is in your computer's RAM!

        Ransomware can use asymmetric cryptography to encrypt the key on disk, but the actual files are encrypted using symmetric cryptography. That means the key being used to encrypt them is the same key you need to decrypt them. You are everything needed to decrypt your files, other than the expertise.

        If you pull the network cable and then hibernate the machine (suspend to disk), that will save the all-important key, while stopping the encryption process. I can then mount the drive in my forensic machine, grab the key from the RAM image, and decrypt your files.

        In the worst case, if for some reason I can't get the key, you've saves any files that weren't encrypted yet and preserved all of the information about which processes were running, etc so that an expert can work with it.

        So bottom line:
        Remove the network cable
        Hibernate (suspend to disk)
        Call an expert

        Suppose the files aren't that valuable and you're broke, so you decide not to call an expert. There are free and easy to use tools available for some types of ransomware. Make a disk image of the infected disk. Then try the tool on the extra image you made. Do not try the tool against the original disk, because you could easily lose all of your data. All data recovery work is always done against a disk image, an extra copy of the drive.

        • by Dunbal ( 464142 ) *

          So bottom line: Remove the network cable Hibernate (suspend to disk) Call an expert

          I prefer the following solution: Back up the very few things I think are critical, and be prepared to write off the rest. Oh I know this wouldn't work for an enterprise-sized outfit - but then again they're supposed to have an entire department for dealing with shit like this. For me it's wipe/reformat and re-install. My wedding pictures are on a couple different flash drives. Some other important stuff somewhere else, burned onto DVDs, etc. This is enough of an adequate solution for 99.9% of the population

        • by Anonymous Coward

          A year or so ago, my Mac laptop got infected watching a pirated video stream earlier in the day (yes - VERY dumb). The infection started working hours later when I rebooted, which was going at a glacial crawl (30-40+ minutes just to get to a login screen) and the laptop was getting physically hot. By the time macOS finally came up it was practically unusable. I knew I was probably screwed, and a repeated ps command in a macOS terminal verified my fear: I could see random processes copying various files (jpg

        • "The situation is getting worse
          The key needed to decrypt your files is in your computer's RAM!"

          1. Suspend to disk!
          2. Remove drive, mount read-only in clean machine.
          3. Recover what you can.
          4. Restore what you can from backups.
          5. Assess if the remainder is sufficiently valuable to justify hiring a specialist you can recover that key from the suspend-to-RAM file and decrypt the files. As a very high-skill process, this is sure to be expensive.

          • > As a very high-skill process, this is sure to be expensive.

            $200-ish. It'll take me an hour or two of actual work (aside from just letting the files copy overnight). Plus getting the drive to me safely - shipping or bring it by.

            However, if your company calls HP for help, HP will call the company they have subcontracted. That company will call me. You might pay $1,000 for the service because the middle men make money, maybe more if HP sent sales reps to spend a day with your CIO first - flying sales

        • >True 99.9% of the time. Also, if you're breathing, there is a 99.9% certainty that you aren't a ransomware expert.

          It though the ransomware victims were, 99.9% of the time, dentists.

        • Whoa. I didn't realize there was still intelligent life on /.
                Would seriously like to have your email address or a link to a service you trust for such recovery. While I certainly don't anticipate it, this is the kind of thing it would be good to have a contact lined up for as an immediate step 4 (step 3 after hibernating disk would be changing my pants).

          • Thanks. I've been studying and professionally practicing information security for a little over 20 years now, so it's kinda my thing. I really enjoy "teaching" it, or informing people.

            I don't think I'm going to post my email address here, but you might be able to find it. If you don't find it, you can post your public gpg key and I'll reply with my encrypted email address.

    • Comment removed based on user account deletion
    • Never reboot. Uptime is life.

  • Just disconnect it from the network. If the malware is effecting a shared drive, then you've stopped the functionality of the malware. If the PC itself has been affected, then rebooting won't add to the damage. Your IT people should have a nice backup of your data ...somewhere. If not, they can at least assist with paying the ransom to get your data decrypted.

    If your IT people are able to decrypt your data without having to pay a ransom, then you just found your problem.

    • What? The users as almost always.
    • If your IT people are able to decrypt your data without having to pay a ransom, then you just found your problem.

      Well that’s highly wishful thinking. While not ransomware are equal, it doesn’t take a great deal of skill to encrypt data with strong encryption.

    • by Dunbal ( 464142 ) *
      You think the kind of IT people who would allow ransomware into a network are the kind of IT people who make regular backups?
      • Re:Bad advice (Score:4, Insightful)

        by BringsApples ( 3418089 ) on Tuesday November 05, 2019 @12:42PM (#59383868)

        I know, from experience, that backups/fail-overs are the most important aspects of IT today. If you're not doing that, or making sure that it gets done, DAILY, then you hardly count as an IT person.

        You'll spend 100x as long fighting malware/viri than you will restoring a backup.

  • by DarkRookie2 ( 5551422 ) on Tuesday November 05, 2019 @12:03PM (#59383712)
    Anything I want to keep is backed up already.
    Honestly need to do this anyways.
    • Then call Liam Neeson to hunt them down with his particular set of skills and shoot them in the junk.

  • Never use your bare metal OS for web browsing. Either use a VM or do all your browsing on a tablet instead.
    • That's a bit much.
    • Dude, like, your OS sucks.

    • Win10 Pro has Windows Sandbox -- a lightweight VM disconnected from the regular file system, except for two folders I mapped as shared, one read only and one writable for the Sandbox. I do all my browsing there, except for a couple "trusted" sites that I do on my regular system, with NoScript on.

      Killing and restarting the entire Sandbox is fast. My startup script for the Sandbox installs Chrome from the read-only folder, after which I install AdBlock Plus online and it's ready to go. My passwords etc. to si

  • what about this (Score:4, Informative)

    by FudRucker ( 866063 ) on Tuesday November 05, 2019 @12:11PM (#59383754)
    power it off, remove drive, mount it with a non ms-windows PC like Linux so the malware wont be in its running environment
    • Would be more practical to shut down immediately and then on reboot do it using a Linux boot disk like the ones you use to install Mint or Ubuntu. A Windows-PE disk may be useful too.
    • power it off, remove drive, mount it with a non ms-windows PC like Linux so the malware wont be in its running environment

      Even if you power it off, remove drive, and mount it with a Windows PC, the malware won't be running. There's no need to drag Linux into it.

      Additionally, you'll probably need to add file permissions to access some files under the \User hierarchy. It make may be advisable to make such changes using a native NTFS client.

    • Shutting down, or yanking the power cord, aren't the worst things you can do. They also aren't the very best.

      Using hibernate (suspend to disk) will preserve important things like the encryption key, which can be used to decrypt the files that have already been decrypted.

    • Ideally, you'd shut it down so it doesn't infect other systems. Then wipe it and restore from backups. Ransomware is a problem which was solved back in the 1960s, decades before ransomware was even invented. It is a problem only because people don't make backups.

      A friend is the accountant for her family business. Her computer got hit with ransomware. (She gets daily reports from their salesmen in the form of a spreadsheet emailed to her, and this particular ransomware disguised itself as an email fr
    • power it off, remove drive, mount it with a non ms-windows PC like Linux so the malware wont be in its running environment

      What person who is likely to get hit by randsomeware would have the capability to do this?

  • by Thelasko ( 1196535 ) on Tuesday November 05, 2019 @12:12PM (#59383756) Journal
    We all know the first thing they will tell people to do.

    ...or just say "Shibboleet" [xkcd.com]
  • Don't download porn and drop your personal Ransomware risk to nearly zero.

    • You're right Dallas!

      Debbie did that!

    • by nuckfuts ( 690967 ) on Tuesday November 05, 2019 @01:05PM (#59383924)
      I've dealt with 4 incidences of ransomware infection for clients. None had anything to do with downloading porn. Two were due to unpatched (exposed) vulnerabilities. Two were the result of compromised passwords, which made me something of an evangelist for two-factor authentication.
    • by Anonymous Coward
      I thought the ransomware extortionists used ads to deliver their malware?
    • Wishful thinking. Ransomware has many attack vectors and is profit-driven to be creative in finding new ones.

      The best security comes in layers and good working backups.

  • "Experts" recommend that victims power down the computer, disconnect it from their network, and reach out to a professional IT support firm. That firm will change you the same price as the original ransomware to decrypt your files. In reality they will negotiate with the attacker for a lower payment, pay the ransom to decrypt the files and kept the difference.
  • LIES!!! (Score:3, Funny)

    by v1s10nary ( 5867496 ) on Tuesday November 05, 2019 @01:14PM (#59383954)

    C'mon Slashdot.... everyone in IT knows that a reboot fixes 99.99% of all computer issues.

    • Problem: 0.01% of files on the system weren't encrypted. Solution: Turn it off and on again.

      It is all a matter of perspective.

  • I remember when the OS started stopping you from deleting open files or executables running, thus greatly making it harder to manually clobber running malware.

    One trick was to clobber it then replace the file with a read-only folder with the same name. Malware was usually too stupid to figure that out and create the file.

  • The most prevalent desktop environment has been beating people over the head for decades that the thing to do when you install something **correctly** is to restart the machine. How the hell are most people to know what is a typical OS issue that requires a restart (for winblows, that is) versus ransomware that your should only power down? Good luck to most people!
  • Better burn it immediately. Never buy another one.

  • If I'm stupid or hapless enough to get ransomware, first thing I'm doing is reaching for the power switch, so nobody else gets infected. Second thing will be booting from recovery media I made so I can erase the boot SSD completely (ensuring that there is nothing remaining), and reloading from a backup.

    I have to ask this... why are backups so hard? $10/month/PC gets you continuous protection with CrashPlan. Backblaze is $6/month. If you add to that a NAS, you now have local and remote recovery of ransom

Every cloud has a silver lining; you should have sold it, and bought titanium.

Working...