School navigation

Information Technology

Malware - Ransomware

Ransomware is a serious threat to the integrity of our organization’s data and targeted attacks have increased 300% since 2015. (source: FBI)

Ransomware is a PC or Mac-based malicious piece of software cyber actors use to deny access to systems or data until the ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted. 

Ransomware infects PC or Mac systems through phishing emails, unpatched programs, compromised websites, online advertising and free software downloads.

Ransomware uses RSA 2048 encryption, which would take an average desktop computer 5.4 quadrillion years to crack. (source: Ransomware Hostage Rescue Manual, Adam Alessandrini.)

Ransomware demands payment in the form of bitcoins (BTC), which are an anonymous form of payment exchange and are untraceable.  Bitcoins are used for legitimate purposes, however they have also made an increase in ransomware payment possible.  There is no guarantee that you will be able to decrypt your files after you pay and there have been cases where payment was given and no key to decrypt the data was received.

Symptoms

  • You cannot open your files and the files have an abnormal extension (ie: locky).
  • You receive an alarming message with instruction on how to pay to unlock your files.
  • The ransomware program threatens you with a countdown until the ransom increases or you will not be able to decrypt your files.
  • The ransomware program window cannot be closed.
  • You have files named ‘HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML’.

Response

  1. Disconnect everything (turn off wifi, bluetooth, unplug from the network)
  2. Determine scope of infection (check USB storage devices, mapped network drives, cloud based storage)
  3. Determine ransomware strain 
  4. Remove ransomware from your infected system
  5. Restore from a recent backup 
  6. Try to decrypt your files using a 3rd party decryptor (very unlikely you will succeed)
  7. Do nothing (lose access to your data)
  8. Pay the ransom (no guarantee you will be able to decrypt your data)
  9. Protect your self in the future

How to protect yourself

  • Use anti-virus/malware software
  • Keep all your software patched, including third party plug-ins used for websites
  • Enable your system’s firewall
  • Do not download free or un-signed (untrusted) software
  • Do not open attachments or visit links in emails unless you explicitly requested them; visit the website yourself
  • Do not respond to phishing emails, which pretend to be legitimate sources and will either send you to another website to gather your information or infect your system
  • Backup your data often so you can recover your files

Other Information on Ransomware:

  • US-CERT Alert: Ransomware and Recent Variants (https://www.us-cert.gov/ncas/alerts/TA16-091A)
  • CSO Online: How to Prepare for and Prevent Ransomware Attacks (http://www.csoonline.com/article/3088066/backup-recovery/how-to-prepare-for-and-prevent-ransomware-attacks.html)
  • Ransomware Hostage Rescue Manual (http://resources.idgenterprise.com/original/AST-0148364_Ransomware-Hostage-Rescue-Manual.pdf)
  • CSO Online: Tricks that Ransomware Uses to Fool You
  • University pays $16,000 to recover crucial data held hostage (http://arstechnica.com/security/2016/06/university-pays-almost-16000-to-recover-crucial-data-held-hostage/)

L&C Information Security Awareness:

https://www.lclark.edu/information_technology/security/awareness/