Security experts don't recommend that users reboot their computers after suffering a ransomware infection, as this could help the malware in certain circumstances.
Instead, experts recommend that victims hibernate the computer, disconnect it from their network, and reach out to a professional IT support firm. Powering down the computer is also an alternative, but hibernating it is better because it saves a copy of the memory, where some shoddy ransomware strains may sometimes leaves copies of their encryption keys [1, 2].
Experts are recommending against PC reboots because a recent survey of 1,180 US adults who fell victim to ransomware in the past years has shown that almost 30% of victims chose to reboot their computers as a way to deal with the infection.
But while rebooting in safe mode is a good way of removing older screenlocker types of ransomware, it is not recommended when dealing with modern ransomware versions that encrypt files.
"Generally, the [ransomware] executable that actually encrypts your data is designed to crawl through attached, mapped and mounted drives to a given machine. Sometimes it trips, or is blocked by a permission issue and will stop encrypting," Bill Siegel, CEO & Co-Founder of Coveware, a company that provides ransomware data recovery services told ZDNet in an email this week.
"If you reboot the machine, it will start back up and try to finish the job," Siegel said.
"A partially encrypted machine is only partially encrypted due to some fortunate error or issue, so victims should take advantage and NOT let the malware finish its job...don't reboot!"
Siegel told ZDNet the advice applies to both enterprise and home users alike.
Further, ransomware victims should also take note that there are two stages of a ransomware recovery process they have to go through.
The first is finding the ransomware's artifacts -- such as processes and boot persistence mechanisms -- and removing them from an infected host.
Second is restoring the data if a backup mechanism is available.
Siegel warns that when companies miss or skip on the first step, rebooting the computer often restarts the ransomware's process and ends up encrypting the recently-restored files, meaning victims will have to restart the data recovery process from scratch.
In the case of enterprises, this increases downtime and costs the company operating profits.