
What to Do If You Got Hacked

Recently someone in my life got tricked into installing some malware onto their computer. Let's call them “Jamie”. Jamie reached out to me for help as I'm one of the more technical people in their life, and while I did end up helping them, the whole ordeal got me thinking about what people should and shouldn't do if they think they've been hacked. Now, I must make this very clear: I am not an expert on this subject. Please do not take my word on this topic as the objective source of truth. This is just some advice from someone who has a lot of experience with computers.

Alright, disclaimer out of the way, or almost. This “guide” is specifically referring to running some malware on a Windows desktop or laptop. And it's not touching on malware that is more potent, like ransomware. This is generally more so for things like cookie stealers or remote access tools. From what I can tell, these are generally more common across the internet, so reading this might help you know what to do if you fall for one.

If you suspect your computer has been hacked in some way, here are the first three things you should probably do:

1) Disconnect from the Internet

Unplug the ethernet cable or turn off the wifi. Just do something to remove that internet connection. Doing so prevents any further access to your machine from remote attackers. We want to minimize the damage done, and this stops a lot of that.

2) Calm Down

I know, getting hacked can be stressful. You may have thought you could never fall for something like this, and yet here you are. It's okay, don't panic. These types of things are designed to be tricky. Remember Jamie getting hacked? Turns out Jamie's friend got hacked, and the hacker used that account to abuse the trust the two had and get Jamie to run malware. These attacks often use methods like that to trick you, and it's unreasonable to expect you to be paranoid about everything your friends send you. Just take a deep breath; acting hastily won't help anything.

3) Change your Passwords

Alright, I mentioned it a bit earlier, but a lot of malware these days just ends up stealing your cookies. Not the ones you eat, but the ones that your browser keeps. These browser cookies just hold little bits of information that get sent to certain websites when you visit them. They're used for things like storing authentication sessions. This means if someone has your cookies, they can trick websites into thinking they're logged into your account, even when the hacker doesn't know your username or password. That is why it's key to change all your passwords as soon as possible. Don't do it on the infected device, as hackers could still have access. Do it on a separate machine and prioritize the most important ones first. A good order to consider is: your online banking accounts, your personal email, anything for school or work, anything used for shopping, and then everything else. Remember, the hackers have access to nearly everything you were logged into on your browser, so change everything. Maybe it's a good time to start using a password manager if you weren't already.

Next Steps

Alright, now that most of the immediate threats have been negated, it's a good time to check if they actually did anything with the access to your machine or accounts. I'd check your accounts first, and see if anything was purchased or any messages were sent. Get these sorted out, and maybe also inform your friends that you were hacked just in case any messages were sent to them.

Now that (hopefully) all the damage has been stopped and minimized, the next step is to remove that malware from the computer. The issue with these things is they aren't always detected by your anti-virus. I mean, if you got hacked, clearly that thing wasn't able to detect it. And it happens; malware is an arms race. The hackers are constantly changing up strategies, and the anti-virus can't just magically know without having a few reports first. So, if you can, report whatever suspicious thing that led you to running malware to the anti-virus you use. This will help keep people from getting hacked in the future.

Next thing is removing whatever is on your system. Sometimes it can be a one and done, but oftentimes it's not. For the case with Jamie, there was something put on their system that was sending the hackers screenshots of their desktop. This is why it's important to disconnect from the internet; that way they don't have access to things like that anymore. But it's also important to note that the anti-virus didn't detect this part of the malware (or any of it for that matter). We checked Task Manager and looked for anything suspicious in there and stopped those processes. We also checked the startup applications and disabled anything that wasn't supposed to be there. We also checked some common places malware likes to hide (think the startup folders at C:\Users\(USERNAME)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup and C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp or the temp folder at C:\Users\(USERNAME)\AppData\Local\Temp) to find the actual malware program to remove from the system.
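To make the sweep above repeatable, here is a PowerShell script that does the same looking (and only looking; it deletes nothing) in one pass. This is an added example and not something from the original post or from Jamie's cleanup. It lists running processes whose executable lives outside the Windows folder along with their code-signing status, the entries Task Manager's Startup tab draws from, the contents of both Startup folders, and recently modified runnable files under the Temp folder. For every file it prints a SHA256 so you can search the hash on VirusTotal from another machine instead of uploading anything. Assumptions: it is run in an elevated PowerShell window on the affected machine while it is still disconnected, and the 7-day window for Temp is an arbitrary default of mine.

```powershell
# Added example (not from the original post): read-only triage of the places
# the post mentions. Nothing is stopped, disabled or deleted here; the output
# is meant to be read and acted on by hand.
# Assumptions: elevated PowerShell on the affected, offline machine.
param(
    [int]$Days = 7   # how far back to look for modified files in Temp (my default)
)

# File types that can run code and therefore deserve a closer look.
$runnable = @('.exe', '.dll', '.scr', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.lnk', '.jar', '.msi')

# The two Startup folders named in the post, built from environment variables
# so the script works for whichever user is logged in.
$startupFolders = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
)
$tempFolder = $env:TEMP   # normally C:\Users\<USERNAME>\AppData\Local\Temp

# Summarise one file: when it changed, whether it is signed, and its SHA256
# (the hash is what you look up on VirusTotal without uploading the file).
function Show-FileInfo {
    param([System.IO.FileInfo]$File)
    $hash = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    $sig  = (Get-AuthenticodeSignature -FilePath $File.FullName -ErrorAction SilentlyContinue).Status
    [pscustomobject]@{
        Path      = $File.FullName
        Modified  = $File.LastWriteTime
        SizeKB    = [math]::Round($File.Length / 1KB, 1)
        Signature = $sig
        SHA256    = $hash
    }
}

Write-Host "== Running processes with executables outside $env:SystemRoot =="
# Without elevation, Path is empty for other users' processes; those are skipped.
Get-Process | Where-Object { $_.Path -and ($_.Path -notlike "$env:SystemRoot\*") } |
    ForEach-Object {
        [pscustomobject]@{
            Id        = $_.Id
            Name      = $_.ProcessName
            Path      = $_.Path
            Signature = (Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue).Status
        }
    } | Sort-Object Signature, Path | Format-Table -AutoSize

Write-Host "`n== Startup applications (the entries Task Manager's Startup tab shows) =="
Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Format-Table -AutoSize -Wrap

foreach ($folder in $startupFolders) {
    Write-Host "`n== Startup folder: $folder =="
    if (Test-Path -LiteralPath $folder) {
        # -Force also shows hidden files, a common way to keep something out of sight.
        Get-ChildItem -LiteralPath $folder -File -Force |
            ForEach-Object { Show-FileInfo $_ } | Format-List
    } else {
        Write-Host '(folder not present)'
    }
}

Write-Host "`n== Runnable files modified in the last $Days days under $tempFolder =="
$cutoff = (Get-Date).AddDays(-$Days)
Get-ChildItem -LiteralPath $tempFolder -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { ($runnable -contains $_.Extension.ToLower()) -and ($_.LastWriteTime -gt $cutoff) } |
    ForEach-Object { Show-FileInfo $_ } |
    Sort-Object Modified -Descending |
    Format-Table -AutoSize
```

Save it as, say, triage.ps1 and run it with `powershell -ExecutionPolicy Bypass -File .\triage.ps1 -Days 14` to widen the Temp window. "NotSigned" in the Signature column is not proof of anything on its own (plenty of legitimate tools are unsigned), but an unsigned executable in a Startup folder or in Temp that changed on the day things went wrong is exactly the kind of entry worth checking on VirusTotal before deciding what to remove.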

However, I was still hesitant to call that good. Windows is a very complex thing, and there are still plenty of ways to hide things in there. Ultimately, the conclusion Jamie and I came to was reinstalling the whole operating system. It's not the ideal option, but it is the safest. The issue then is backing up the data. If you don't already have backups of everything, you need to be careful in what you're copying off the infected system. You don't want to copy anything that could reintroduce the virus. Luckily, malware can only spread by running a program (for the most part). As long as you're only taking off things like photos and videos, there shouldn't be any major risks involved.
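Copying "only photos and videos" by hand from a whole user profile is tedious and easy to get wrong, so here is a PowerShell script that does it with an allowlist: a file is copied only if its extension is on a short list of data types, and anything else (programs, scripts, shortcuts, archives) is left behind and written to a skipped-files list for review. This is an added example, not the original post's procedure. The source and destination paths are placeholders, the extension list and the choice to skip the AppData and Downloads folders are my own, and `-WhatIf` lets you preview what would be copied before plugging in the external drive for real.

```powershell
# Added example (not from the original post): copy personal data off an
# infected machine while leaving behind anything that could run code.
# Assumptions: $Source is the profile to rescue and $Destination is an
# external drive; both are placeholders to adjust.
param(
    [string]$Source      = "C:\Users\$env:USERNAME",
    [string]$Destination = 'E:\Backup',
    [switch]$WhatIf      # preview only; nothing is copied when set
)

# Allowlist of extensions to copy. Everything not listed is skipped, which
# covers .exe, .lnk, .js, .ps1, macro-enabled Office files, archives, etc.
# A double extension such as "holiday.jpg.exe" ends in ".exe" and is skipped too.
$allowed = @('.jpg', '.jpeg', '.png', '.gif', '.heic', '.mp4', '.mov', '.mp3',
             '.pdf', '.txt', '.docx', '.xlsx', '.pptx', '.csv')

# Folders holding program data rather than personal files; Downloads is
# skipped because that is where the malicious installer most likely lives.
$skipDirs = @('AppData', 'Downloads')

if (-not (Test-Path -LiteralPath $Destination)) {
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
}

$copied  = 0
$skipped = New-Object System.Collections.Generic.List[string]

Get-ChildItem -LiteralPath $Source -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        # Drop any file whose relative path passes through a skipped folder.
        $parts = $_.FullName.Substring($Source.Length).TrimStart('\').Split('\')
        @($parts | Where-Object { $skipDirs -contains $_ }).Count -eq 0
    } |
    ForEach-Object {
        $file = $_
        if ($allowed -notcontains $file.Extension.ToLower()) {
            $skipped.Add($file.FullName)
            return   # next file
        }
        $rel    = $file.FullName.Substring($Source.Length).TrimStart('\')
        $target = Join-Path $Destination $rel
        $dir    = Split-Path -Path $target -Parent
        if (-not (Test-Path -LiteralPath $dir)) {
            New-Item -ItemType Directory -Path $dir -Force | Out-Null
        }
        Copy-Item -LiteralPath $file.FullName -Destination $target -WhatIf:$WhatIf
        $copied++
    }

# Keep the list of what was left behind so nothing important is lost silently.
$skipped | Out-File -LiteralPath (Join-Path $Destination 'skipped-files.txt')
Write-Host "Copied $copied files; skipped $($skipped.Count) non-data files (see skipped-files.txt)."
```

The point of an allowlist rather than a blocklist is that you do not have to know every file type malware can hide in; you only have to decide which few types you actually want back. If the skipped-files list contains something you need (a spreadsheet with macros, say), open it on the fresh install only after it has been scanned, not as part of the bulk copy.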

Hopefully by this point, everything is back in your control and the virus is gone. It may have disrupted your life, but now things should be all good. It's still worth mentioning that the best way to prevent getting hacked is to know what's suspicious and what isn't. In Jamie's case, they were told to download a game and install it. The suspicious thing is it came in an archive with a password. Now, the hacker explained that as a way to protect it from unauthorized people playing it, but really it's a common trick that hackers use. If it needs a password, your anti-virus can't scan it. So just remember, keep an eye out for anything unusual. Weird links? Don't click them. Someone telling you to download and run something? See what VirusTotal says first. Something seems suspicious? Trust your gut.