
Ransomware

Ransomware is a type of malware (malicious code) that infects systems and even entire networks. The malicious code can lock and/or encrypt all files located on the system(s) or on connected network shares. The users are then extorted for money via an on-screen alert. The notification typically states that the user's system has been locked or the files encrypted and that they must pay a specific amount for access to be restored. The ransom varies in dollar amount and is usually demanded in a virtual currency known as Bitcoin. The victim's desktop is changed and a dialog pops up presenting the ransom message. In many cases, the ransom demand comes with a deadline: if the victim doesn't pay in time, the data is gone forever. The FBI officially discourages paying; it points out that even if you pay, you may not get your data back. Organizations should, however, contact federal and local law enforcement to notify them so that forensic information can be shared with multiple agencies. For more information, see the government Security Tip ST19-001, Protecting Against Ransomware (original release date: April 11, 2019).

Contact your CTC or the IT Service Desk at ext.7777 immediately so that proper procedures can begin.

Widely known names of ransomware:

Attackers are always developing new kinds of ransomware that use various attack vectors, so variants are on the rise. There is now even Ransomware-as-a-Service, where hackers sell malware to other criminals, increasing both the frequency and the variety of ransomware.

There are two main types of ransomware: crypto ransomware and locker ransomware. This link provides a list of ten ransomware examples and related information. https://www.kaspersky.com/resource-center/threats/ransomware-examples

How is ransomware installed?

Ransomware is normally spread through phishing emails that contain malicious content or attachments, or by users unknowingly downloading files from an infected website, after which the malware is installed without the user's knowledge. The most common attack methods for ransomware are silent infections from exploit kits, malicious email attachments, and malicious email links.

Attackers make extensive use of spam campaigns to distribute malicious files that download and execute code. Ransomware propagates through spam e-mails that include malicious MS Office documents, JavaScript, or compressed attachments. These attachments contain macros or scripts that download the payload and, once executed, infect the PC.
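The attachment types named above (Office documents carrying macros, scripts, and compressed files) are what a mail gateway or help desk triages first. The following is an added example, not code from this page or from any mail product: it classifies an attachment by its extension and, for zip-based Office files, by whether the archive actually contains a VBA project (`vbaProject.bin`, which is where OOXML macros live). The categories, thresholds and sample files are assumptions constructed for the illustration.

```python
"""Triage of e-mail attachments for common ransomware delivery types.

Added illustration, not code from this page or from any mail product.
The categories are assumptions made for the example; a real gateway
combines such checks with content scanning and sandboxing.
"""
import io
import zipfile

# File types Windows runs directly when opened (typical droppers/loaders).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "lnk", "msi"}
# Zip-based Office formats whose name already says "macros allowed".
MACRO_OOXML_EXTS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
# Zip-based Office formats that should NOT carry a VBA project.
PLAIN_OOXML_EXTS = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}
# Legacy binary Office formats: macros can live inside with no name hint.
LEGACY_OFFICE_EXTS = {"doc", "dot", "xls", "xlt", "ppt", "pot"}
# Containers that hide the inner file type from simple extension filters.
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img", "cab"}


def _extensions(filename):
    """All dotted suffixes, lower-cased: 'Invoice.PDF.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def ooxml_has_vba(data):
    """True if a zip-based Office file embeds a VBA project (vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data=b""):
    """Return ('block' | 'review' | 'allow', [reasons]) for one attachment."""
    exts = _extensions(filename)
    if not exts:
        return "review", ["no file extension"]
    last = exts[-1]
    block, reasons = False, []
    if last in EXECUTABLE_EXTS:
        block = True
        reasons.append(f"directly executable type .{last}")
        if len(exts) > 1:
            reasons.append("double extension disguises the real type")
    if last in MACRO_OOXML_EXTS:
        block = True
        reasons.append(f"macro-enabled Office format .{last}")
    if last in PLAIN_OOXML_EXTS and ooxml_has_vba(data):
        block = True
        reasons.append("VBA project inside a file whose extension claims no macros")
    if last in LEGACY_OFFICE_EXTS:
        reasons.append(f"legacy Office format .{last} may contain macros")
    if last in ARCHIVE_EXTS:
        reasons.append(f"archive .{last} hides the inner file types")
    if block:
        return "block", reasons
    return ("review", reasons) if reasons else ("allow", reasons)


def build_sample_ooxml(with_vba):
    """Constructed stand-in for a Word file: a zip with the minimal parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("Invoice.PDF.exe", b""), ("report.docm", b""),
                       ("q3.xls", b""), ("notes.txt", b""),
                       ("memo.docx", build_sample_ooxml(True)),
                       ("memo.docx", build_sample_ooxml(False))]:
        print(name, triage_attachment(name, blob))
```

The point of the `ooxml_has_vba` check is that the extension is only a claim: a `.docx` is a zip archive, and if it contains `vbaProject.bin` the name is lying, which is itself a reason to block rather than merely review.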

Earlier versions of ransomware, such as CryptoLocker, were dependent on a user opening malicious attachments from phishing emails and would sniff out and encrypt specific file types on the user's system. Current versions can infect systems via drive-by downloading, through social media (such as Web-based instant messaging applications), or from exploits placed on vulnerable Web servers.

While earlier versions of ransomware focused mostly on personal computers, ransomware has increasingly targeted business users, as businesses will often pay to unlock critical systems so they can resume daily operations. Currently, ransomware attacks not only encrypt and lock the data but also exfiltrate it and threaten to expose or release it as additional leverage to extort payment.

Impact

Everyone is at risk of a ransomware attack. Ransomware can find and encrypt files located on local and attached drives, such as USB drives, shared network drives, external hard drives, network file shares, and even some cloud storage drives. Not only can this affect the files of the user, but it could affect the files of an entire department if the files on a shared network resource are encrypted. All ransomware groups have the ability to exfiltrate data.
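Because encryption of a shared network resource hits a whole department at once, defenders watch for the behaviour itself rather than for a known sample. The following added example, not code from this page or from any product, shows two host-side indicators over constructed sample data: a burst of extension-changing renames by one account inside a short window (encryptors typically rename files as they go), and a canary file (a decoy no legitimate process should touch) whose new content has near-random byte entropy. The event format, thresholds and sample events are assumptions made for the illustration.

```python
"""Two host-side indicators of ransomware-style mass encryption.

Added illustration, not code from this page or from any product. The
event format, thresholds and sample data are constructed assumptions.
  1. rename bursts: one account changing the extension of many files in
     a short window;
  2. canary files: decoys no legitimate process touches; a change whose
     new content has near-random byte entropy looks like encryption.
"""
import hashlib
import math
from collections import defaultdict, deque

RENAME_BURST = 10        # extension-changing renames per account per window
WINDOW_SECONDS = 60
ENTROPY_THRESHOLD = 7.0  # bits/byte; text sits around 4-5, ciphertext near 8


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _extension(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_rename_bursts(event_lines):
    """Return {account: timestamp_of_alert} for accounts exceeding RENAME_BURST.

    Event line format (constructed): "<unix_ts>|<account>|<op>|<src>|<dst>".
    Events are assumed to be in time order per account.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in event_lines:
        ts, account, op, src, dst = line.strip().split("|")
        ts = int(ts)
        if op != "RENAME" or _extension(src) == _extension(dst):
            continue
        window = recent[account]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= RENAME_BURST and account not in alerts:
            alerts[account] = ts
    return alerts


def check_canary(baseline_sha256, current_bytes):
    """Compare a canary's content to its known hash and judge the new content."""
    modified = hashlib.sha256(current_bytes).hexdigest() != baseline_sha256
    entropy = shannon_entropy(current_bytes) if modified else 0.0
    return {"modified": modified, "entropy": round(entropy, 2),
            "looks_encrypted": modified and entropy >= ENTROPY_THRESHOLD}


# --- constructed sample data -------------------------------------------
# alice renames two drafts (normal work); bob's account renames a dozen
# documents to a new extension within 12 seconds.
SAMPLE_EVENTS = [
    "100|alice|RENAME|/share/hr/draft.txt|/share/hr/final.docx",
    "130|alice|RENAME|/share/hr/old.xlsx|/share/hr/archive.xlsx",
] + [f"{100 + i}|bob|RENAME|/share/fin/doc{i}.docx|/share/fin/doc{i}.docx.locked"
     for i in range(12)]

CANARY_TEXT = b"Canary file. Nobody should write to this.\n" * 8
CANARY_BASELINE = hashlib.sha256(CANARY_TEXT).hexdigest()


def sample_encrypted_bytes():
    """Deterministic high-entropy stand-in for ciphertext (not real encryption)."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))


if __name__ == "__main__":
    print("rename burst alerts:", detect_rename_bursts(SAMPLE_EVENTS))
    print("canary untouched:", check_canary(CANARY_BASELINE, CANARY_TEXT))
    print("canary overwritten:", check_canary(CANARY_BASELINE, sample_encrypted_bytes()))
```

Both signals are cheap to compute from file-server audit logs and a handful of decoy files, and either one firing is the trigger for the isolation step described later on this page: disconnect the affected system and the account from the share before the rest of the department's files are reached.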

Prevention

We recommend users and administrators take the following preventative measures to protect their computer networks from an infection:

  • Educate yourself on how ransomware is delivered, installed, and prevented. 
  • Don't click links in emails
  • Keep current data backups. Ensure you have an AIR GAP backup. An air-gapped computer is one that is neither connected to the internet nor connected to other systems that are connected to the internet. For home users, this could be a USB backup device that you connect only to back up your data and then remove from your computer until needed.
  • Conduct routine backups of important files, keeping the backups stored offline. In particular, regularly back up critical data and test the backups.
  • Maintain up-to-date anti-virus software and scan all software downloaded from the internet before running it.
  • Keep your operating system and software up-to-date with the latest patches.
  • Do not follow unsolicited web links in emails. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
  • Use caution when opening email attachments. For more information on safely handling email attachments read Recognizing and Avoiding Email Scams (pdf), and refer to the Security Tip Using Caution with Email Attachments. Do not download or open any attachment that is suspicious or you are not sure of. If you are not sure, contact your CTC or the IT Service Desk at ext.7777. If possible be prepared to provide details of the e-mail that was viewed as suspicious.
  • Follow safe practices when browsing the web and for further reading on Safe Browsing habits, see Good Security Habits and Safeguarding Your Data.
  • Defend your email, your mobile devices, and even your web surfing by following best practices.
  • Protect your personal information
  • Do not pay a ransom. It only encourages and funds these attackers. Even if the ransom is paid, there is no guarantee that you will be able to regain access to your files.
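"Test the backups" in the list above means more than confirming the backup job ran: restore the files somewhere and prove they match what was backed up. The following added example, not code from this page or from any backup product, records a SHA-256 manifest of a directory at backup time and later verifies a restore against it, reporting missing, changed and unexpected files. The directory layout, file contents and the simulated tampering are constructed for the illustration; the manifest itself must be stored with the offline copy, since a manifest kept on the live system can be encrypted along with everything else.

```python
"""Backup manifest and restore verification.

Added illustration, not code from this page or from any backup product.
Records a SHA-256 per file at backup time, then checks a restored tree
against that record. All paths and contents below are constructed.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Return [(relative_path, problem)]; an empty list means a clean restore."""
    current = build_manifest(restored_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append((rel, "missing"))
        elif current[rel] != digest:
            problems.append((rel, "content mismatch"))
    for rel in current:
        if rel not in manifest:
            problems.append((rel, "unexpected file"))
    return problems


def demo():
    """Constructed end-to-end run: back up, restore, verify, then show what
    the same check reports once the live copy has been tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restore = (Path(tmp) / n for n in ("live", "backup", "restore"))
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "thesis.txt").write_text("chapter one\n")
        (live / "budget.csv").write_text("item,cost\npens,3\n")

        manifest = build_manifest(live)          # taken at backup time
        shutil.copytree(live, backup)            # stands in for the offline copy
        shutil.copytree(backup, restore)         # the restore test itself
        clean_result = verify_restore(manifest, restore)

        # Simulate ransomware on the live system after the backup was taken:
        # one file overwritten with random-looking bytes, one note dropped.
        (live / "budget.csv").write_bytes(bytes(range(256)))
        (live / "README_DECRYPT.txt").write_text("constructed ransom note stand-in\n")
        tampered_result = verify_restore(manifest, live)
        return clean_result, tampered_result


if __name__ == "__main__":
    clean, tampered = demo()
    print("restore check:", clean or "OK")
    print("live system after tampering:", tampered)
```

Run the same `verify_restore` against the offline copy itself on a schedule; a backup that was silently encrypted before it was written, or that simply stopped updating, shows up as mismatches or missing files long before the day you need it.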

What to do if you are infected at Work:

There are 5 critical steps to manage and mitigate an active attack: ISOLATE, IDENTIFY, REPORT, REMOVE, & RECOVER

  • DO NOT turn off your computer, but immediately disconnect the network cable from the back of your device or disable/turn off the wireless signal if on a laptop. You need to isolate the infected systems from the rest of the network.
  • Contact your CTC or the IT Service Desk at ext.7777 - The incident response team in IT will be able to determine the strain and how best to deal with the attack. Your goal is to maintain forensic data on the device.
    • Do not change anything, as we will need to gather and preserve evidence from the device.
    • Document everything - Continually take detailed notes of all actions you take regarding the computer including timestamps
    • If comfortable, use a camera (like your phone) to take pictures of the computer screen
    • DO NOT use the computer to take screenshots
  • On a different workstation or on the call with service desk get your password reset. You can use this portal to do that on a different device.  http://password.weber.edu

Protecting Yourself at Home

Preventing

  • Back up all your data at home and test restoring data to ensure it works
  • Update and patch your software and operating systems
  • Train and educate all those that use your computer on what to do and what not to do when viewing emails and web surfing
  • Stay current with information on all malware so that you stay educated. Sites such as Symantec, Malwarebytes, Kaspersky, CNET, Wired, Google, and others publish this kind of information.

Recovering

  • Disconnect from the network
  • Determine what you have lost and whether you can recover it from your backups
  • Don't pay the fee if you can recover your data from backups. There is absolutely no guarantee that you will get your data back even if you pay.
  • Don’t count on free ransomware decryption tools to save you.
  • You may need to wipe your computer and start from scratch
  • Restore from backup