Redirected internet searches, unexpected installs, rogue mouse pointers: Here’s what to do when you’ve been 0wned.
In today’s threatscape, antimalware software provides little peace of mind. In fact, antimalware scanners are horrifically inaccurate, especially with exploits less than 24 hours old. Malicious hackers and malware can change their tactics at will. Swap a few bytes around, and a previously recognized malware program becomes unrecognizable. All you have to do is drop off any suspected malware file at Google’s VirusTotal, which has over 60 different antimalware scanners, to see that detection rates aren’t all as advertised.
To combat this, many antimalware programs monitor program behaviors, often called heuristics, to catch previously unrecognized malware. Other programs use virtualized environments, system monitoring, network traffic detection and all of the above to be more accurate. Still they fail us on a regular basis. If they fail, you need to know how to spot malware that got through.
How to know if you’ve been hacked
Here are 15 sure signs you’ve been hacked and what to do in the event of compromise.
- You get a ransomware message
- You get a fake antivirus message
- You have unwanted browser toolbars
- Your internet searches are redirected
- You see frequent, random popups
- Your friends receive social media invitations from you that you didn’t send
- Your online password isn’t working
- You observe unexpected software installs
- Your mouse moves between programs and makes selections
- Antimalware, Task Manager or Registry Editor is disabled
- Your online account is missing money
- You’ve been notified by someone you’ve been hacked
- Confidential data has been leaked
- Your credentials are in a password dump
- You observe strange network traffic patterns
Note that in all cases, the number 1 recommendation is to completely restore your system to a known good state before proceeding. In the early days, this meant formatting the computer and restoring all programs and data. Today, it might simply mean clicking on a Restore button. Either way, a compromised computer can never be fully trusted again. Follow the recommended recovery steps listed in each category below if you don’t want to do a full restore. Again, a full restore is always a better option, risk-wise.
1. You get a ransomware message
One of the worst messages anyone can see on their computer is a sudden screen take-over telling them all their data is encrypted and asking for a payment to unlock it. Ransomware is huge! After a slight decrease in activity in 2017, ransom-asking programs have come roaring back. Billions of dollars in productivity is being lost and billions in ransom are being paid. Small businesses, large businesses, hospitals, police stations and entire cities are being brought to a halt by ransomware. About 50% of the victims pay the ransom, ensuring that it isn’t going away anytime soon.
Unfortunately, according to cybersecurity insurance firms who are often involved in the payouts, paying the ransom does not result in working systems about 40% of the time. Turns out that ransomware programs aren’t bug free and unlocking indiscriminately encrypted linked systems isn’t as easy as putting in a decryption key. Most victims end up with many days of downtime and additional recovery steps even if they do pay the ransom.
What to do: First, if you’ve got a good, recent, tested data backup of the impacted systems, all you have to do is restore the involved systems and fully verify (officially called unit testing) to make sure the recovery was 100%. Sadly, most companies don’t have the great backups that they thought they had. Test your backups! Don’t let ransomware be the first time your company’s critical backups are being tested.
The best protection is to make sure you have good, reliable, tested, offline backups. Ransomware is gaining sophistication. The bad guys using malware are spending time in compromised enterprise environments figuring how to do the most damage, and that includes encrypting or corrupting your recent online backups. You are taking a risk if you don’t have good, tested, backups that are inaccessible to malicious intruders.
If you belong to a file storage cloud service, it probably has backup copies of your data. Don’t be overly confident. Not all cloud storage services have the ability to recover from ransomware attacks, and some services don’t cover all file types. Consider contacting your cloud-based file service and explain your situation. Sometimes tech support can recover your files, and more of them, than you can yourself.
Lastly, several websites may be able to help you recover your files without paying the ransom. Either they’ve figured out the shared secret encryption key or some other way to reverse-engineer the ransomware. You will need to identify the ransomware program and version you are facing. An updated antimalware program might identify the culprit, although often all you have to go on is the ransomware extortion message, but that is often enough. Search on that name and version and see what you find.