First steps to mitigate the problem:
After you have confirmed that this is not an account hijacking and there are clear indicators of compromise, there are two avenues of approach: getting your devices clean, or understanding the attack and then cleaning your devices. Your first priority may be to get your computer ‘clean’ and usable again, and finding out what has happened and who has targeted you may matter less to you. However, it can be very valuable to understand your adversary, their technical capabilities, and whether the potential attacker (a government entity or another third party) is known to use internet surveillance technology. If understanding the attacker and the attack matters to you, it is essential to collect and analyse information on the potential malware infection before you start ‘cleaning’ your computer, because cleaning destroys much of the evidence. For collecting and analysing information on malware, continue to the section Recommended steps for first level analyst; otherwise, proceed to the section below.
‘Cleaning’ your device
If you have chosen to clean your device without first understanding the malware and the attack, please keep the following in mind:
- There is no quick fix to clean up malware from your computer. Even after completing the following steps, a very sophisticated malware infection may still be present. These steps are sufficient to remove most of the malware you are likely to encounter, unless you are being targeted by a very advanced attacker.
- If you believe that you are being targeted by a state actor and indicators of compromise persist after you have cleaned up the virus detected through the steps below, disconnect the device from the internet, turn it off, unplug it, remove its battery if possible, and seek the help of a security professional.
Anti-virus software can be an effective first response to protecting a device from a significant percentage of malware. However, anti-virus software is generally considered ineffective against targeted attacks, especially by state-sponsored actors. Nevertheless, it remains a valuable defensive tool against non-targeted, but still dangerous, malware. Below is a non-exhaustive list of options:
- Microsoft Safety Scanner (Windows)
- ClamXav (Mac OS X)
- ClamAV (Windows and Linux)
When you run anti-virus software, ensure that it is up to date. If a virus is detected, the following steps are recommended.
- Step 1: Ensure that your anti-virus software is up to date
- Step 2: Take a screenshot of the detection message, including the file path and the name of the detected threat (if the scanner writes a log file, keep that too)
- Step 3: Continue with the recommended steps to remove the virus
- Step 4: Following the guidelines in the Safer Communication section above, send the screenshot to a person with security expertise
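The steps above as a script, added here as an example; it is not code from this guide or from any of the scanners listed. It assumes ClamAV's `freshclam` and `clamscan` are installed for the scanning function; the log parsing, hashing and reporting functions use only POSIX shell tools and are exercised with constructed sample data (placeholder files and a log written in clamscan's output format, using the EICAR test signature name), so they can be tried without a scanner installed. The function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original guide. Assumes ClamAV's freshclam
# and clamscan are installed for scan_and_log; everything else needs only
# POSIX sh, awk, grep and sha256sum (or shasum), and is exercised with
# constructed data in demo_run.

# Steps 1 and 3: update signatures, then scan recursively, printing only
# detections and keeping the raw output in a log. The log is the durable
# equivalent of the screenshot: save it before touching any flagged file.
scan_and_log() {
    target="$1"
    logfile="$2"
    freshclam || printf 'warning: signature update failed, scanning with old signatures\n' >&2
    # clamscan exits 0 when clean, 1 when something was found, 2 on error
    clamscan --recursive --infected --log="$logfile" "$target"
}

# Extract detections from a clamscan log as "path|signature", one per line.
# clamscan prints a detection as "<path>: <signature> FOUND".
parse_scan_log() {
    awk '/ FOUND$/ {
        sub(/ FOUND$/, "")
        if (match($0, /: [^:]*$/)) {
            print substr($0, 1, RSTART - 1) "|" substr($0, RSTART + 2)
        }
    }' "$1"
}

# Number reported in the "Infected files:" line of the scan summary.
infected_count() {
    awk -F': ' '/^Infected files:/ { print $2 }' "$1"
}

# SHA-256 of one file, with a fallback for systems that only ship shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Steps 2 and 4: turn the log into a report a security expert can act on.
# A hash lets the expert look the sample up without you sending the file;
# a file that has already disappeared is reported as MISSING rather than
# skipped, because a vanished file is itself worth telling the expert about.
hash_detections() {
    parse_scan_log "$1" | while IFS='|' read -r path sig; do
        if [ -f "$path" ]; then
            printf '%s|%s|%s\n' "$path" "$sig" "$(sha256_of "$path")"
        else
            printf '%s|%s|MISSING\n' "$path" "$sig"
        fi
    done
}

write_report() {
    logfile="$1"
    report="$2"
    {
        printf 'scan host: %s\n' "$(uname -n)"
        printf 'report written: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'infected files per clamscan: %s\n' "$(infected_count "$logfile")"
        printf 'path|signature|sha256\n'
        hash_detections "$logfile"
    } > "$report"
}

# Constructed demo data: two harmless placeholder files and a log written in
# clamscan's output format as if both had been flagged with the EICAR test
# signature. This is not real scan output and no real malware is involved.
make_sample_case() {
    dir="$1"
    mkdir -p "$dir/scan"
    printf 'placeholder one\n' > "$dir/scan/eicar.com"
    printf 'placeholder two\n' > "$dir/scan/attachment.zip"
    cat > "$dir/scan.log" <<EOF
$dir/scan/eicar.com: Win.Test.EICAR_HDB-1 FOUND
$dir/scan/attachment.zip: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Scanned files: 3
Infected files: 2
EOF
}

# Run the demo end to end and print the report path.
demo_run() {
    dir=$(mktemp -d)
    make_sample_case "$dir"
    rm "$dir/scan/attachment.zip"   # simulate a file that vanished after the scan
    write_report "$dir/scan.log" "$dir/report.txt"
    printf '%s\n' "$dir/report.txt"
}
```

On a real machine you would call `scan_and_log "$HOME" ~/scan.log` and then `write_report ~/scan.log ~/report.txt`, and send both the screenshot and `report.txt` through the channel chosen in the Safer Communication section; the report deliberately contains hashes and paths, not the flagged files themselves.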