{"id":35044,"date":"2019-11-10T17:42:57","date_gmt":"2019-11-10T22:42:57","guid":{"rendered":"https:\/\/www.opensource.im\/uncategorized\/experts-dont-reboot-your-computer-after-youve-been-infected-with-ransomware-zdnet.php"},"modified":"2019-11-10T17:42:57","modified_gmt":"2019-11-10T22:42:57","slug":"experts-dont-reboot-your-computer-after-youve-been-infected-with-ransomware-zdnet","status":"publish","type":"post","link":"https:\/\/euvolution.com\/open-source-convergence\/encryption\/experts-dont-reboot-your-computer-after-youve-been-infected-with-ransomware-zdnet.php","title":{"rendered":"Experts: Don&#8217;t reboot your computer after you&#8217;ve been infected with ransomware &#8211; ZDNet"},"content":{"rendered":"<p><p>Image: jules_88 on Pixabay<\/p>\n<p>Security experts don't recommend that users reboot their computers after suffering a ransomware infection, as this could help the malware in certain circumstances.<\/p>\n<p>Instead, experts recommend that victims hibernate the computer, disconnect it from their network, and reach out to a professional IT support firm. Powering down the computer is also an alternative, but hibernating it is better because it saves a copy of the memory, where some shoddy ransomware strains may sometimes leave copies of their encryption keys [1, 2].<\/p>\n<p>Experts are recommending against PC reboots because a recent survey of 1,180 US adults who fell victim to ransomware in the past years has shown that almost 30% of victims chose to reboot their computers as a way to deal with the infection.<\/p>\n<p>But while rebooting in safe mode is a good way of removing older screenlocker types of ransomware, it is not recommended when dealing with modern ransomware versions that encrypt files.<\/p>\n<p>\"Generally, the [ransomware] executable that actually encrypts your data is designed to crawl through attached, mapped and mounted drives to a given machine. 
Sometimes it trips, or is blocked by a permission issue and will stop encrypting,\" Bill Siegel, CEO & Co-Founder of Coveware, a company that provides ransomware data recovery services, told ZDNet in an email this week.<\/p>\n<p>\"If you reboot the machine, it will start back up and try to finish the job,\" Siegel said.<\/p>\n<p>\"A partially encrypted machine is only partially encrypted due to some fortunate error or issue, so victims should take advantage and NOT let the malware finish its job...don't reboot!\"<\/p>\n<p>Siegel told ZDNet the advice applies to both enterprise and home users alike.<\/p>\n<p>Further, ransomware victims should also take note that there are two stages of a ransomware recovery process they have to go through.<\/p>\n<p>The first is finding the ransomware's artifacts -- such as processes and boot persistence mechanisms -- and removing them from an infected host.<\/p>\n<p>Second is restoring the data if a backup mechanism is available.<\/p>\n<p>Siegel warns that when companies miss or skip on the first step, rebooting the computer often restarts the ransomware's process and ends up encrypting the recently-restored files, meaning victims will have to restart the data recovery process from scratch.<\/p>\n<p>In the case of enterprises, this increases downtime and costs the company operating profits.<\/p>\n<p>To learn more about dealing with ransomware attacks, you can check out the Emsisoft guide on how to remove ransomware and Coveware's first response guide on dealing with a ransomware attack.<\/p>\n<p>Article updated shortly after publication to recommend hibernating the computer instead of powering down.<\/p>\n<p><!-- Auto Generated --><\/p>\n<p>Originally posted here:<br \/>\n<a target=\"_blank\" href=\"https:\/\/www.zdnet.com\/article\/experts-dont-reboot-your-computer-after-youve-been-infected-with-ransomware\/\" title=\"Experts: Don't reboot your computer after you've been infected with ransomware - ZDNet\" rel=\"noopener 
noreferrer\">Experts: Don't reboot your computer after you've been infected with ransomware - ZDNet<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> Image: jules_88 on Pixabay Security experts don't recommend that users reboot their computers after suffering a ransomware infection, as this could help the malware in certain circumstances. Instead, experts recommend that victims hibernate the computer, disconnect it from their network, and reach out to a professional IT support firm<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45],"tags":[],"class_list":["post-35044","post","type-post","status-publish","format-standard","hentry","category-encryption"],"_links":{"self":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/35044"}],"collection":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/comments?post=35044"}],"version-history":[{"count":0,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/35044\/revisions"}],"wp:attachment":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/media?parent=35044"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/categories?post=35044"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/tags?post=35044"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}