Recognize the Signs
Ransomware often encrypts silently before the ransom note appears. Watch for these HKCERT-identified indicators:
📂 File Changes
Files renamed with extensions such as .lockbit or .encrypted, or files that can no longer be opened. Free disk space shrinks rapidly.
🐢 Performance
The PC runs extremely slowly. The fan spins loudly (high CPU usage) while encryption is in progress.
🚫 Access Denied
You are logged out of accounts. Admin passwords stop working. Servers go offline.
💀 The Note
A text file appears on Desktop: "YOUR FILES ARE ENCRYPTED". Wallpaper changes to a demand message.
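The file-level indicators above can be checked with a small triage script. This is an added example, not HKCERT code: the extension set, the per-directory threshold and the sample listing are assumptions constructed for the demonstration.

```python
import os
import re
from collections import Counter

# Indicators from the page: renamed extensions and the ransom-note text.
# The extension set and threshold are assumptions, not an official list.
SUSPICIOUS_EXTENSIONS = {".lockbit", ".encrypted"}
NOTE_PATTERN = re.compile(r"your files are encrypted", re.IGNORECASE)


def scan_listing(entries, per_dir_threshold=3):
    """Assess a directory listing for ransomware indicators.

    entries: iterable of (path, first_line_of_text_or_None).
    Returns flagged directories, ransom notes found and an overall verdict.
    """
    encrypted_per_dir = Counter()
    notes = []
    for path, preview in entries:
        directory, name = os.path.split(path)
        ext = os.path.splitext(name)[1].lower()
        if ext in SUSPICIOUS_EXTENSIONS:       # e.g. budget.xlsx.lockbit
            encrypted_per_dir[directory] += 1
        if preview and NOTE_PATTERN.search(preview):
            notes.append(path)
    flagged = sorted(d for d, n in encrypted_per_dir.items() if n >= per_dir_threshold)
    return {
        "flagged_dirs": flagged,
        "notes": notes,
        "encrypted_files": sum(encrypted_per_dir.values()),
        "likely_ransomware": bool(flagged) or bool(notes),
    }


def free_space_drop_mib_per_min(free_before_bytes, free_after_bytes, seconds):
    """Rate at which free disk space shrank between two samples (MiB/min)."""
    if seconds <= 0:
        raise ValueError("seconds must be positive")
    drop = max(0, free_before_bytes - free_after_bytes)
    return drop / (1024 * 1024) / (seconds / 60)


# Constructed sample listing (not real data): one folder mid-encryption.
SAMPLE_LISTING = [
    ("/home/alice/Documents/budget.xlsx.lockbit", None),
    ("/home/alice/Documents/plan.docx.lockbit", None),
    ("/home/alice/Documents/notes.txt.lockbit", None),
    ("/home/alice/Documents/README.txt", "YOUR FILES ARE ENCRYPTED! Contact us..."),
    ("/home/alice/Pictures/cat.jpg", None),
    ("/home/alice/Desktop/todo.txt", "buy milk"),
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
```

A positive verdict is a trigger for the triage steps below, not proof of infection; a single renamed file or a benign text file will not trip the threshold.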
Immediate Triage
If you see these signs:
- ❌ DO NOT turn off the PC (memory evidence is needed).
- 🔌 DISCONNECT Wi-Fi and Ethernet cables immediately.
- 💾 UNPLUG all USB drives and External Hard Drives.
⚠️ The Golden Rule: DO NOT PAY
HKCERT and Police advise against paying ransoms.
- It funds criminal gangs.
- There is less than a 10% chance you get all your data back.
- They often demand a second payment.
HKCERT Recommended Tools
Free and low-cost tools to help you detect and recover.
| Category | Tool Name | Best For |
|---|---|---|
| Scanning | ESET Online Scanner / Malwarebytes | Quick detection of malware signatures. |
| Analysis | Task Manager / Process Explorer | Spotting high CPU usage (Encryption process). |
| Decryption | NoMoreRansom.org | Repository of free decryptors (check before wiping!). |
| SME Monitor | Splunk Free / OpenVAS | Log analysis and vulnerability scanning. |
| Backup | Acronis / Macrium Reflect | Restoring clean offline backups. |
Prevention Checklist (3-2-1 Rule)
- ✅ 3 Copies of data total.
- ✅ 2 Different Media types.
- ✅ 1 Offline Copy (Critical for Ransomware - air gap it!).