
First Signs of a Ransomware Attack: What to Look Out For and What to Do


Cyberattacks, specifically ransomware attacks, are no longer the stuff of sci-fi dramas. Instead, as more work, and the business-critical data that goes along with it, has shifted into the cloud, ransomware attacks have become a harsh reality that even a small business has to acknowledge and deal with.


As a Managed Service Provider, we have a solid toolkit on our belts—from managed EDR to centralized patching and much more—to protect your business from a ransomware attack. But how do you know you have become a victim of such an attack in the first place? If you have an EDR solution at your gates, you will be notified of any attempted cyberattack and, in most cases, can sleep soundly knowing that those attacks are being deflected without you lifting a finger.


But what if you don’t have a sophisticated anti-virus solution to protect you? In this case, your chances of successful data security and recovery are directly proportionate to how quickly you notice an intrusion into your system. Here are 5 telltale signs your system is being compromised. 


1. Computer Freezes or Slows to a Crawl

A sudden drop in your computer performance can be the first sign of a wide range of malware infections and should ring an instant alarm. Of course, another reason for a digital standstill may be a memory-hungry app (for instance, Google Chrome) running in the background, especially if you haven’t shut down your machine in a few weeks. 

To stay on the safe side, do the following: 

  • First, immediately disconnect your machine from WiFi, Ethernet, Bluetooth, and any other networks. 
  • Second, eject any external devices such as USB drives and memory sticks. 
  • Third, run an antivirus scan on your machine. 
  • Fourth, report the incident to your IT support. 


2. Programs Open or Close on Their Own

If it feels like someone else may be working on your computer alongside you, someone—or most likely something—probably is. Ransomware may be opening files and applications to rename them (see below) while other types of malware may automatically trigger programs to spread the infection. Finally, if the malware has already been installed, a human may have remote control of your computer. If you notice applications or files opening or closing spontaneously, follow the steps above to fight the infestation.  



3. Threatening Pop-up Messages 

A large component of any ransomware attack is fear—attackers try to create pressure and a sense of urgency while demanding your money. When opening a website in your browser or starting an application, you may see a pop-up message such as “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine” or “Your computer has been infected with a virus. Click here to resolve the issue.” Some of them may mention ransom explicitly, while others imply it; in the majority of cases, these pop-ups will be impossible or very difficult to close. 

Yet again, you should start with disconnecting your devices from any networks and ejecting all external devices. 


4. Locked Desktop or Browser

If your desktop or browser is locked and no pop-up is in sight, look for a “ransom note” file, usually with a .txt extension. That file will contain instructions the hackers urge you to follow to unlock your machine. Avoid following the directions immediately. As always, disconnect from all networks and eject all devices, then confirm the status of your backups before deciding on the best next steps.


5. Scrambled File Extensions

The last telltale sign that you have become a victim of ransomware is scrambled file extensions. If all your files and applications have seemingly random characters after their file names, it has happened. Examples of ransomware file extensions are .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky or 6-7-character extensions consisting of random characters.
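The extension check described above can be automated. The following is an added example, not part of the original article: a read-only Python scan that flags directories where most files end in one of the suffixes listed here. The function names, the thresholds (`min_hits`, `min_ratio`) and the sample file tree are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter

# Suffixes copied from the list in the article, compared case-insensitively.
SUFFIXES = tuple(s.lower() for s in (
    ".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".abc", ".ccc", ".vvv",
    ".xxx", ".ttt", ".micro", ".encrypted", ".locked", ".crypto", "_crypt",
    ".crinf", ".r5a", ".XRNT", ".XTBL", ".crypt", ".R16M01D05", ".pzdc",
    ".good", ".LOL!", ".OMG!", ".RDM", ".RRK", ".encryptedRSA", ".crjoker",
    ".EnCiPhErEd", ".LeChiffre", ".keybtc@inbox_com", ".0x0", ".bleep",
    ".1999", ".vault", ".HA3", ".toxcrypt", ".magic", ".SUPERCRYPT", ".CTBL",
    ".CTB2", ".locky",
))

def scan(root, min_hits=3, min_ratio=0.5):
    """Map each directory to (hits, total, suffix counts) when flagged files
    reach both thresholds. The threshold values are assumptions."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        hits = Counter()
        for name in files:
            match = next((s for s in SUFFIXES if name.lower().endswith(s)), None)
            if match:
                hits[match] += 1
        n = sum(hits.values())
        # One stray .xyz or .abc file can be legitimate; a directory where
        # most files carry these suffixes is the pattern worth escalating.
        if n >= min_hits and n / len(files) >= min_ratio:
            flagged[os.path.relpath(dirpath, root)] = (n, len(files), dict(hits))
    return flagged

def demo():
    """Build a constructed sample tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        sample = {
            "docs": ["q1.xlsx.locky", "plan.docx.LOCKY", "photo.jpg.locky", "notes.txt"],
            "science": ["water.xyz", "paper.pdf", "data.csv"],
        }
        for folder, names in sample.items():
            os.makedirs(os.path.join(root, folder))
            for name in names:
                open(os.path.join(root, folder, name), "w").close()
        return scan(root)

if __name__ == "__main__":
    for folder, (n, total, suffixes) in demo().items():
        print(f"{folder}: {n}/{total} files flagged {suffixes}")
```

The scan only reads file names, so it can be run against a mounted copy or backup of a quarantined machine without touching file contents.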


Follow the outlined steps of taking your machine offline and “quarantining” it from both potentially infected and not yet infected devices before considering your next steps. Prevention and proactive threat monitoring, of course, are the best medicine, so schedule a free 30-minute consultation with 3nom cybersecurity experts today to bring your network up to speed on ransomware protection.   

