TL;DR
An hour of attacker access is serious, but a full reset of all 9 devices isn’t necessarily the first step. Focus on identifying *how* they got in and securing that point. Then, scan your main computer thoroughly. Other devices are lower priority unless you know they were directly targeted.
1. Isolate the Affected Computer
Immediately disconnect the computer attackers accessed from the internet. Unplug the network cable or disable Wi-Fi. This stops them sending data out and prevents further control.
2. Identify How They Got In (Crucial Step)
This is the most important part! Think carefully about what you were doing before the attack:
- Phishing Email? Did you click a link or open an attachment in a suspicious email?
- Suspicious Download? Did you download and install any software from untrusted sources?
- Remote Desktop? Do you use Remote Desktop Protocol (RDP) to access your computer remotely? If so, was it exposed to the internet?
- Weak Password? Have you used a simple or reused password on this computer?
- Unpatched Software? Are your operating system and software up to date?
Check your browser history for unusual websites. Look at recently installed programs.
3. Scan Your Main Computer
Run a full scan with reputable anti-malware software. Here are some options:
- Windows Defender: Built-in and often sufficient for basic threats. Run a full scan.
- Malwarebytes: A popular choice for detecting and removing malware. Download from https://www.malwarebytes.com and run a scan.
- Sophos Home: Another good option with real-time protection.
Update the anti-malware software *before* running the scan to ensure it has the latest definitions.
```powershell
# Example using Windows Defender (PowerShell)
Start-MpScan -ScanType FullScan
```
4. Change Passwords
Change passwords for *all* important accounts, especially:
- Banking/Financial Accounts
- Social Media
- Any account used on the compromised computer
Use strong, unique passwords (at least 12 characters with a mix of letters, numbers and symbols). Consider using a password manager.
5. Check for Backdoors
Attackers sometimes install backdoors to regain access later. This is harder to detect:
- Task Scheduler: Look in Task Scheduler (search for it in Windows) for any suspicious tasks that run automatically.
- Startup Programs: Check which programs start when your computer boots up (Task Manager -> Startup tab). Disable anything you don’t recognize.
- Network Connections: Use a network monitoring tool to see if there are any unusual connections being made from your computer.
Running netstat -ab in the command prompt can show active connections, but interpreting it requires some technical knowledge.
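A read-only PowerShell pass over the three places listed above (scheduled tasks, startup programs, network connections), as an added example that is not part of the original guide. The function names are hypothetical; the cmdlets are the built-in Windows ones, and the script assumes an elevated PowerShell session.

```powershell
# Added example: read-only triage of scheduled tasks, startup entries and sockets.
# Function names are hypothetical; run in an elevated PowerShell session.

function Get-NonMicrosoftTask {
    # Scheduled tasks outside the built-in \Microsoft\ folder, with what they run.
    Get-ScheduledTask |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $task = $_
            $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
            foreach ($action in $task.Actions) {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    Author    = $task.Author
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    LastRun   = $info.LastRunTime
                }
            }
        }
}

function Get-StartupEntry {
    # Programs registered in Run registry keys and Startup folders.
    Get-CimInstance -ClassName Win32_StartupCommand |
        Select-Object Name, Command, Location, User
}

function Get-ConnectionOwner {
    # Listening and established TCP sockets, the executable behind each,
    # and whether that executable carries a valid Authenticode signature.
    Get-NetTCPConnection -State Listen, Established |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $sig  = if ($proc.Path) { (Get-AuthenticodeSignature -FilePath $proc.Path).Status } else { 'NoPath' }
            [pscustomobject]@{
                State     = $_.State
                Local     = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
                Remote    = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                Process   = $proc.ProcessName
                Path      = $proc.Path
                Signature = $sig
            }
        }
}

Get-NonMicrosoftTask | Format-Table -AutoSize -Wrap
Get-StartupEntry     | Format-List
Get-ConnectionOwner  | Sort-Object Signature, Process | Format-Table -AutoSize
```

The \Microsoft\ filter only reduces noise, so review that folder as well if the rest looks clean. A valid signature narrows where to look first but does not by itself show that a program is legitimate.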
6. Assess Other Devices
Unless you have evidence that other devices were directly targeted (e.g., they also showed signs of compromise or used the same weak password), a full reset is probably not needed *yet*.
- Wi-Fi Password: Change your Wi-Fi password immediately.
- Shared Accounts: If you use the same username and password on multiple devices, change them all.
- Scan High-Value Devices: Scan any devices that store sensitive information (e.g., smartphones, tablets) with anti-malware software.
7. Consider a Reset (If Necessary)
If you can’t confidently identify the entry point or suspect widespread compromise, resetting your main computer to factory settings is the safest option. Back up important data *before* resetting, but be aware that backups could also contain malware.
8. Report the Incident
Report the attack to your local cyber security authority or police. This helps them track and prevent future attacks.

