Who controls the PC? You or the Malware?

Alex Welkner, Think|Stack
Feb 16, 2018

The worst feeling when working on a PC is the moment you lose control: the dread of opening a file or email and finding it was not what you expected. Is there malware running in the background? Will I lose all my files in the next hour, or was it just a harmless email? It is often impossible for users to know whether something malicious is running in the background or whether it really was nothing at all. This fear is instilled in users around the world as email continues to be the favorite vector for infecting systems, and to many users it feels like they are ‘rolling the dice’ whenever they open an email. The constant vigilance tires and stresses users, making it difficult to treat every file as a possible threat. The worry festers until users feel that it is no longer a question of preventing malware but of when it will get them.

In the past few years, users around the world have watched ransomware become one of the most popular and devastating types of malware the internet has ever seen. A single file containing the wrong code can execute and lock all the files on a machine until a ransom is paid and a key is provided to decrypt them (for some ransomware families there is no key and no known way to decrypt the data). This type of malware is notorious for targeting shared folders, allowing it to encrypt files on a separate machine without needing to infect that machine itself. The autonomous nature of the malware makes it efficient and effective, but there are limiting steps that users can take into their own hands. The need for frequent and effective backups has never been greater, as more malware is written with the express purpose of damaging data.

Everyone receives spam/junk emails. If you ever receive an email or file that you think is suspicious and believe that you could be infected, you can do the following to take control of your machine:

1. Disconnect from the network. You control the physical access to your machine. If you have any suspicion that you’re infected, disconnect any physical network connections and disable Wi-Fi on your device (preferably use a physical switch for wireless if available).

2. Do not reboot! Many ransomware families modify parts of the operating system so that they execute on start-up. When a risky file has been opened, there is a chance nothing will happen right away, only for the payload to run the next day when the machine is rebooted.

3. Check Task Manager and view CPU consumption. Open it by right-clicking the Taskbar and selecting Task Manager, or by pressing CTRL+ALT+DEL. Click on the CPU column to sort the processes by the highest consumers. Encrypting files is CPU intensive, so ransomware will usually max out the user’s CPU and slow the computer down. If an unusual process is consuming all your CPU, that is an indicative sign of malware (antivirus is a normal process that routinely hogs the CPU during scans and can be ignored).

(Image: Task Manager with Processes sorted by CPU consumption)
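As an added example (not code from the original post), the following PowerShell triage script covers steps 1 and 3 above: on request it disables every active network adapter, and it reproduces Task Manager’s CPU column by sampling process CPU time twice, listing the top consumers together with their executable path and Authenticode signature status so a routine antivirus scan can be told apart from an unsigned binary. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later, where the NetAdapter cmdlets exist.

```powershell
# Added triage helper for the steps above; not part of the original post.
# Assumes an elevated PowerShell on Windows 8+/Server 2012+ (NetAdapter module).
param(
    [int]$SampleSeconds = 5,        # interval between the two CPU snapshots
    [int]$Top = 10,                 # how many processes to list
    [switch]$DisconnectNetwork      # step 1: cut wired and Wi-Fi connections
)

# Step 1: disable the adapters rather than just dropping the Wi-Fi link, so a
# saved profile cannot silently reconnect. Reverse later with Enable-NetAdapter.
if ($DisconnectNetwork) {
    Get-NetAdapter | Where-Object Status -eq 'Up' |
        Disable-NetAdapter -Confirm:$false
    Write-Host "All active network adapters disabled."
}

# Step 2 (do not reboot) needs no code: just leave the machine running.

# Step 3: Get-Process only exposes cumulative CPU seconds, so take two
# snapshots and turn the delta into a percentage like Task Manager shows.
$cores = [Environment]::ProcessorCount
$first = @{}
Get-Process | ForEach-Object { $first[$_.Id] = $_.CPU }
Start-Sleep -Seconds $SampleSeconds

$rows = foreach ($p in Get-Process) {
    # Processes we cannot read (protected system processes) report no CPU value.
    if ($first.ContainsKey($p.Id) -and $null -ne $p.CPU) {
        $pct = ($p.CPU - $first[$p.Id]) / $SampleSeconds / $cores * 100
        # Path plus signature status separates a known AV engine from an
        # unsigned executable running out of a user-writable folder.
        $sig = if ($p.Path) { (Get-AuthenticodeSignature $p.Path).Status } else { 'n/a' }
        [pscustomobject]@{
            Name    = $p.ProcessName
            Id      = $p.Id
            'CPU %' = [math]::Round($pct, 1)
            Signed  = $sig
            Path    = $p.Path
        }
    }
}

$rows | Sort-Object 'CPU %' -Descending |
    Select-Object -First $Top |
    Format-Table -AutoSize
```

Run it as `.\triage.ps1 -DisconnectNetwork` to perform step 1 and the CPU check in one go; without the switch it only reports. A process at the top of the list that is unsigned and runs from a temp or profile folder is exactly the "unusual process" the article tells you to look for.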

Ransomware will likely remain a popular attack method for quite some time, as there are few options to stop it once it has started. It is devastating to home and commercial users alike if they do not have frequent backups. How simple it is to get infected, combined with the inability to stop it, makes users uneasy. Backing up files is the only way to defend yourself from losing data forever, and as long as you have the data, any system can be wiped and restored.

Remember that you have control. If you think there is any possibility your machine is infected, you control its access to the internet and the network. Disconnect the machine from all networks and get confirmation that it is clean before rejoining. Not knowing whether you’re infected is stressful. Waiting to see if you lose everything is even more stressful, but do not panic! As long as your machine is disconnected from all other machines, it will not be able to harm anything else.

With your disconnected machine, you must clean it, and the best practice is to wipe it (format the HDD/SSD and install a fresh OS) to make sure no trace of the malware remains. This destroys all data currently on the workstation, so the user has to have their files backed up in order to restore them. If wiping the machine is not an option because of what’s on it, the recommendation is to use a personal antivirus solution such as Malwarebytes, HitmanPro Free, or Avast (download the installer on a separate machine and copy it over on a thumb drive) to quarantine the malware. Once this is done, back up your data and proceed to format the workstation. Once a machine has been infected, it remains potentially infected until the drive is completely wiped.

After a ransomware incident, it is difficult to trust your workstation again. Many feel uneasy after watching their files get encrypted and losing their sense of control over their workstation. But as long as your data is backed up, the malware is demoted from devastating to a nuisance. Being familiar with backing up data and wiping a machine lets you beat any malware. You control access, you control your data, and you control your machine.
