Don’t stop here! Important next steps:

If you suspect a state sponsored attack or want to know more about the attack and attackers, it is important to gather as much forensic information as you can; please proceed to the section on recommended steps for a first-level analyst. In certain computers you can swap the hard disk, keeping the infected hard disk safe for forensic analysis and enabling computing with a new disk.

  • Back up your files and reinstall your operating system; it is not possible to be sure the virus has been completely removed. After installing one malware, the attacker usually installs others; therefore, it is always recommended to reinstall the operating system after performing a thorough wipe of the hard drive. If possible, investigate whether replacing your hard drive is an option.
  • After reinstallation of the operating system you will want to have access to your files again. Be aware that malware could have infected your documents. After reinstalling your operating system, you should take the following steps:
    • If possible, retrieve your documents from the back up you made prior to the malware infection.
    • If you do not know when your device became compromised with malware, or if you suspect specific attachment and documents to be infected with the malware, there are several things you can do:
      • Download all of your executable files again from a trusted source
      • If the attack vector has been identified by an technical expert and the malware is clearly infecting other documents, one option could be to upload and open them in Google Docs and re-download them from there. In most cases opening a suspicious document in Google Docs is probably a good recommendation. The document will not infect your computer and it will remain editable.
      • Another option is to copy the documents onto a USB key and open them on CIRCLean. The malware will not be copied, but the documents will be transformed to an image or pdf, a read only and non-editable format.