
Ransomware

Ransomware is a type of malware (malicious code) that infects systems and sometimes entire networks. The malicious code locks the system and/or encrypts the files it can reach, including files on connected network shares. The victim is then extorted for money via an on-screen alert: the desktop background is changed and a dialog states that the system has been locked or the files encrypted, and that a specific dollar amount must be paid, usually in the virtual currency Bitcoin, for access to be restored. The demanded ransom has frequently been in the range of $200-$400. In many cases the demand comes with a deadline; the notice warns that if the victim does not pay in time, the data is gone forever. The FBI officially discourages paying, pointing out that even if you pay, you may not get your data back. Organizations should nonetheless contact federal and local law enforcement to notify them, so that forensic information can be shared among agencies. Contact your CTC or the IT Service Desk at ext. 7777 immediately so that proper procedures can begin.

Widely known names of ransomware:

LOCKY, KOVTER, XORIST, CRYPTORBIT, CERBER, CRYPTOLOCKER, SAMSAM (a.k.a. MSIL/Samas.A), MARSJOKE, and HADES LOCKER are just a few of the variants that are on the rise.

How is ransomware installed?

Ransomware relies heavily on spam campaigns to distribute malicious files that download and execute its code. It propagates through spam e-mails carrying malicious MS Office documents, JavaScript files, or compressed attachments. These attachments contain macros or scripts that, once the user opens them, download the ransomware payload and execute it, infecting the PC.

Earlier versions of ransomware, such as CryptoLocker, depended on a user opening a malicious attachment from a phishing email; once running, they would search for and encrypt specific file types on the user's system. Current versions can also infect systems via drive-by downloads, through social media (such as web-based instant messaging applications), or from exploit code hosted on compromised or vulnerable web servers.

While earlier versions of ransomware focused mostly on personal computers, ransomware increasingly targets business users, because businesses will often pay to unlock critical systems so they can resume daily operations. Enterprise ransomware infections usually start with a malicious email: an unsuspecting user opens an attachment or clicks a URL leading to a website that is malicious or has been compromised.
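The delivery chain described above (macro-bearing Office documents, script files, and archives that hide them) can be checked mechanically before anyone opens the message. The Python below is an added example written for this page, not code from the page's authors or from any vendor product. It inspects attachments the way a mail-gateway or help-desk triage script would: it flags Office files that carry a VBA project (stored as vbaProject.bin inside the file's zip container), script extensions including double extensions such as scan.pdf.js, and nested or password-protected archives that hide either. The extension lists, the nesting limit, and the sample attachments are all assumptions constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows executes on double-click (assumed policy list, not from the page)
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1",
                     ".exe", ".scr", ".bat", ".cmd", ".lnk"}
# Office Open XML containers; these are zip files, so macros can be found by listing entries
OOXML_EXTENSIONS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xlam", ".pptx", ".pptm"}
MAX_DEPTH = 3   # how many archive-in-archive levels we are willing to unpack (assumed limit)


def ooxml_has_macros(data):
    """True if an Office Open XML file embeds a VBA project (the vbaProject.bin part)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data, depth=0):
    """Return the reasons this attachment should be quarantined; an empty list means none found."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    if ext in SCRIPT_EXTENSIONS:
        how = "double extension hides a script" if len(suffixes) > 1 else "script or executable attachment"
        reasons.append(f"{filename}: {how}")
    if ext in OOXML_EXTENSIONS and ooxml_has_macros(data):
        reasons.append(f"{filename}: Office document carries a VBA project")
    if ext == ".zip":
        if depth >= MAX_DEPTH:
            reasons.append(f"{filename}: archive nested deeper than {MAX_DEPTH} levels")
            return reasons
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:   # general-purpose bit 0: entry is encrypted
                        reasons.append(f"{filename}: encrypted entry {info.filename} cannot be inspected")
                        continue
                    reasons.extend(triage_attachment(info.filename, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            reasons.append(f"{filename}: not a valid zip archive")
    return reasons


def build_ooxml(with_macro):
    """Constructed minimal Office container (not a real document) with or without a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
    return buf.getvalue()


def build_zip(entries):
    """Constructed zip archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (placeholders, not real malware)
SAMPLE_ATTACHMENTS = {
    "invoice_2931.docm": build_ooxml(with_macro=True),
    "agenda.docx": build_ooxml(with_macro=False),
    "scan.zip": build_zip({"scan.pdf.js": b"// downloader stub (constructed placeholder)"}),
    "archive.zip": build_zip({"inner.zip": build_zip({"run.vbs": b"' placeholder"})}),
}

if __name__ == "__main__":
    for name, blob in SAMPLE_ATTACHMENTS.items():
        verdict = triage_attachment(name, blob)
        print(f"{name}: {'QUARANTINE' if verdict else 'ok'}")
        for reason in verdict:
            print("   ", reason)
```

A script like this is a filter, not a verdict: a plain .docx with no macro part can still carry an exploit, and an encrypted archive that cannot be inspected should be held rather than passed.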

Impact

Ransomware can find and encrypt files on local and attached drives, such as USB drives and external hard drives, on shared network drives and network file shares that the logged-in account can write to, and even in cloud storage folders that are synchronized to the local machine. Not only can this affect the user's own files; if the files on a shared network resource are encrypted, it can affect the files of an entire department.
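One useful consequence of the share-encryption behaviour described above is that it is loud: a single account rewriting or renaming hundreds of files within a minute, usually to one new extension, looks nothing like normal use. The detection logic below is an added example written for this page, not a product feature or code from the page's authors. It runs over a constructed file-server audit log (the CSV layout, server and account names, honeyfile path, and thresholds are all assumptions) and raises an alert on three signals: any touch of a planted honeyfile, ten or more renames that change the extension within sixty seconds, and twenty or more distinct files changed within sixty seconds.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Hypothetical honeyfile planted on the share (name assumed); no legitimate workflow touches it.
CANARY_PATHS = {"//fs01/dept/~archive/0000_do_not_open.docx"}
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20        # distinct files written/renamed/deleted by one account in the window
EXT_CHANGE_THRESHOLD = 10   # renames that change the file extension in the window


def parse_events(text):
    """Parse constructed audit lines of the form  time,user,op,path,new_path  (new_path only for RENAME)."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, op, path, new_path = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "op": op,
                       "path": path, "new_path": new_path or None})
    return events


def detect(events):
    """Return (user, kind, detail) alerts; kinds are 'canary', 'extension' and 'burst'."""
    alerts = []
    changed = defaultdict(deque)      # user -> deque of (ts, path) inside the sliding window
    ext_changes = defaultdict(deque)  # user -> deque of (ts, new_ext) inside the sliding window
    flagged = set()                   # (user, kind) pairs already alerted, to avoid repeats
    for e in events:
        ts, user = e["ts"], e["user"]
        if e["path"] in CANARY_PATHS or e["new_path"] in CANARY_PATHS:
            alerts.append((user, "canary", f"{e['op']} on honeyfile {e['path']}"))
        if e["op"] not in ("WRITE", "RENAME", "DELETE"):
            continue
        window = changed[user]
        window.append((ts, e["path"]))
        while ts - window[0][0] > BURST_WINDOW:
            window.popleft()
        if e["op"] == "RENAME":
            old_ext = PurePosixPath(e["path"]).suffix.lower()
            new_ext = PurePosixPath(e["new_path"]).suffix.lower()
            if old_ext != new_ext:
                renames = ext_changes[user]
                renames.append((ts, new_ext))
                while ts - renames[0][0] > BURST_WINDOW:
                    renames.popleft()
                if len(renames) >= EXT_CHANGE_THRESHOLD and (user, "extension") not in flagged:
                    flagged.add((user, "extension"))
                    alerts.append((user, "extension",
                                   f"{len(renames)} files renamed to {new_ext} within {BURST_WINDOW.seconds}s"))
        if len({p for _, p in window}) >= BURST_THRESHOLD and (user, "burst") not in flagged:
            flagged.add((user, "burst"))
            alerts.append((user, "burst",
                           f"{BURST_THRESHOLD}+ distinct files changed within {BURST_WINDOW.seconds}s"))
    return alerts


def build_sample_log():
    """Constructed audit log, not real data: alice works normally; bob's account renames
    30 spreadsheets to .locked in 30 seconds and then writes to the honeyfile."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    lines = ["# time,user,op,path,new_path"]
    for i in range(5):
        t = base + timedelta(minutes=7 * i)
        lines.append(f"{t.isoformat()},alice,WRITE,//fs01/dept/reports/q{i}.docx,")
    for i in range(30):
        t = base + timedelta(minutes=20, seconds=i)
        path = f"//fs01/dept/finance/invoice_{i:03d}.xlsx"
        lines.append(f"{t.isoformat()},bob,WRITE,{path},")
        lines.append(f"{t.isoformat()},bob,RENAME,{path},{path}.locked")
    t = base + timedelta(minutes=20, seconds=31)
    lines.append(f"{t.isoformat()},bob,WRITE,//fs01/dept/~archive/0000_do_not_open.docx,")
    return "\n".join(lines)


if __name__ == "__main__":
    for user, kind, detail in detect(parse_events(build_sample_log())):
        print(f"ALERT [{kind}] {user}: {detail}")
```

The honeyfile fires on the first touch and is the cheapest of the three signals; the two rate thresholds need tuning against the share's real activity (a nightly build or a bulk export will also change many files quickly), so an alert should trigger isolation of the account, not an automatic wipe.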

Prevention

We recommend users and administrators take the following preventative measures to protect their computer networks from an infection:

  • Ensure you have an air-gapped backup. An air-gapped computer is one that is neither connected to the internet nor connected to other systems that are connected to the internet. For home users, this could be a USB backup device that you connect only while backing up your data and then disconnect until it is needed; a backup drive that stays plugged in is just another attached drive for the ransomware to encrypt.
  • Conduct routine backups of important files, keeping the backups stored offline. In particular, regularly back up critical data and test that the backups actually restore.
  • Maintain up-to-date anti-virus software and scan all software downloaded from the internet prior to executing.
  • Keep your operating system and software up-to-date with the latest patches.
  • Do not follow unsolicited web links in emails. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
  • Use caution when opening email attachments. For more information on safely handling email attachments, read Recognizing and Avoiding Email Scams (pdf) and refer to the Security Tip Using Caution with Email Attachments. Do not download or open any attachment that is suspicious or that you are not sure of. If you are not sure, contact your CTC or the IT Service Desk at ext. 7777. If possible, be prepared to provide details of the e-mail you found suspicious.
  • Follow safe practices when browsing the web; for further reading on safe browsing habits, see Good Security Habits and Safeguarding Your Data.
  • Defend your email, your mobile devices, and even your web surfing by following best practices.

What to do if you are infected at Work:

  • DO NOT turn off your computer; shutting it down destroys evidence held in memory
    • Disconnect the network cable from the back of your device
    • Disable or turn off the wireless radio if you are on a laptop
    • Do not change anything else, as we will need to gather and preserve evidence from the device
  • Contact your CTC or the IT Service Desk at ext. 7777

Protecting Yourself at Home

Preventing

  • Back up all your data at home and test restoring it to ensure the backups work
  • Update and patch your software and operating systems
  • Train and educate everyone who uses your computer on what to do, and what not to do, when reading email and browsing the web
  • Stay current with information on malware so that you remain educated; vendor and news sites such as Symantec, Malwarebytes, Kaspersky, CNET, Wired, and Google publish regular updates

Recovering

  • Disconnect from the network
  • Determine what you have lost and whether you can recover it from your backups
  • Don't pay the fee if you can recover your data from backups. There is absolutely no guarantee that you will get your data back even if you pay.
  • Don't count on free ransomware decryption tools to save you; they exist only for some families and versions
  • You may need to wipe your computer and reinstall from scratch
  • Restore your data from backup onto the clean system
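The second and last steps above, working out what was lost and whether the offline backup covers it, are easier with a script than by hand once a whole share is involved. The Python below is an added example written for this page, not code from the page's authors. It compares the files on an affected system with a manifest of SHA-256 hashes taken from the offline backup, uses byte entropy together with the missing file-type header to recognise files encrypted in place (for example budget.xlsx rewritten and renamed to budget.xlsx.locked), spots the ransom note, and sorts everything into intact, restore, lost, changed since backup, and deleted. The magic-byte table holds the standard headers of those formats; the entropy threshold, the ransom-note phrases, and the sample files are assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter
from pathlib import PurePosixPath

ENTROPY_THRESHOLD = 7.5   # bits/byte (assumed): ciphertext sits near 8.0, text and most documents well below
# Standard leading bytes of common document types
EXPECTED_MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
                  ".zip": b"PK\x03\x04", ".pdf": b"%PDF", ".png": b"\x89PNG"}
# Phrases assumed typical of a ransom note; adjust to what is actually on the infected machine
RANSOM_NOTE_HINTS = (b"decrypt", b"bitcoin", b"your files have been encrypted")


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_name(path):
    """'budget.xlsx.locked' -> 'budget.xlsx' when an appended unknown extension follows a known one."""
    suffixes = [s.lower() for s in PurePosixPath(path).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] not in EXPECTED_MAGIC and suffixes[-2] in EXPECTED_MAGIC:
        return path[: -len(suffixes[-1])]
    return path


def classify(path, data):
    """Return 'ransom-note', 'encrypted' or 'plain' for one file."""
    suffixes = [s.lower() for s in PurePosixPath(path).suffixes]
    head = data[:4096].lower()
    if suffixes and suffixes[-1] in (".txt", ".html", ".hta") and sum(h in head for h in RANSOM_NOTE_HINTS) >= 2:
        return "ransom-note"
    magic = [EXPECTED_MAGIC[s] for s in suffixes if s in EXPECTED_MAGIC]
    # A known document type whose header is gone and whose bytes look random was encrypted in place.
    if magic and not data.startswith(magic[-1]) and shannon_entropy(data[:65536]) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "plain"


def assess(current, backup):
    """current: path -> bytes on the affected system; backup: path -> sha256 hex of the offline copy."""
    report = {"intact": [], "restore": [], "lost": [], "changed_since_backup": [],
              "ransom_notes": [], "missing": []}
    seen = set()
    for path, data in sorted(current.items()):
        kind = classify(path, data)
        if kind == "ransom-note":
            report["ransom_notes"].append(path)
            continue
        original = original_name(path)
        seen.add(original)
        if backup.get(original) == hashlib.sha256(data).hexdigest():
            report["intact"].append(original)
        elif kind == "encrypted":
            report["restore" if original in backup else "lost"].append(original)
        else:
            report["changed_since_backup"].append(original)   # new or edited after the last backup
    report["missing"] = sorted(p for p in backup if p not in seen)   # deleted from the system
    return report


def build_sample():
    """Constructed data, not from a real incident: the backup holds four documents; afterwards two are
    encrypted and renamed, one is untouched, one was deleted, an unbacked draft exists, plus a note."""
    def document(magic, seed):
        return magic + (b"quarterly figures " + seed) * 200

    def ciphertext(seed):          # deterministic random-looking bytes standing in for encrypted output
        out, block = b"", seed
        for _ in range(128):
            block = hashlib.sha256(block).digest()
            out += block
        return out

    originals = {
        "finance/budget.xlsx": document(b"PK\x03\x04", b"budget"),
        "finance/memo.docx": document(b"PK\x03\x04", b"memo"),
        "reports/annual.pdf": document(b"%PDF-1.4\n", b"annual"),
        "reports/old.pdf": document(b"%PDF-1.4\n", b"old"),
    }
    backup = {p: hashlib.sha256(d).hexdigest() for p, d in originals.items()}
    current = {
        "finance/budget.xlsx.locked": ciphertext(b"budget"),
        "finance/memo.docx.locked": ciphertext(b"memo"),
        "finance/scratch.xlsx.locked": ciphertext(b"scratch"),   # never backed up
        "finance/new_draft.docx": document(b"PK\x03\x04", b"draft"),
        "reports/annual.pdf": originals["reports/annual.pdf"],
        "finance/README_DECRYPT.txt": b"All your files have been encrypted! Buy Bitcoin to decrypt them.",
    }
    return current, backup


if __name__ == "__main__":
    current, backup = build_sample()
    for category, paths in assess(current, backup).items():
        print(f"{category}: {paths}")
```

Compressed media such as JPEG or ZIP files also score near 8 bits per byte, which is why the check requires a known document type whose header has gone rather than entropy alone; an untouched .docx is itself a zip and passes because its PK header is intact. Run the assessment against a copy of the data, never the live disk of the infected machine, so the evidence stays as it was found.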