Ransomware is the latest trend in cybersecurity attacks and is on the rise in 2017. Recent global attacks such as Petya and WannaCry, which impacted over 150 countries, target computers running outdated and unpatched software.

What is Ransomware?

Ransomware is malicious software that encrypts a user's or company's device or files and holds the data or device for ransom until a fee is paid to the hacker. Ransomware is delivered via phishing emails, unpatched programs, compromised websites, poisoned online advertising and free software downloads.

Most ransoms start around $300-$500 and can get as high as $17,000. Ransoms are paid in the cryptocurrency Bitcoin (BTC). Typically, the thieves set deadlines and increase the amount if the deadlines aren't met.

After payment, hackers provide “decryptor” software, but there is no guarantee files will be returned in their original state.  

Infection Vectors

Email Vector

The most common infection vector is an email attachment disguised as an innocuous file. As in a phishing attack, infection occurs when an individual opens or installs an email attachment without verifying the sender's authenticity and intent. Malicious files are often hidden inside zipped email attachments.

Drive-by-Download

This may occur if you visit a compromised website using an outdated browser or software plug-in, or an unpatched third-party application.

Free Software Vector

Here the attacker offers a free version of a piece of software, such as “cracked” versions of expensive games or applications, free games, game “mods,” adult content, screensavers, or bogus software advertised as a way to cheat in online games.

Managing Ransomware Infections 

Symptoms of Infection

If you're infected with ransomware you may experience the following:

  • Inability to open files.
  • Error messages saying files are corrupted or have the wrong extension.
  • An alarming message may appear on your desktop background with instructions on how to pay to unlock your files. The message warns of a countdown to a deadline, after which the ransom increases or decryption becomes impossible.
  • A window may open to a ransomware program and may not be closable. Files in all directories may appear with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML.
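The last two symptoms (the same ransom-note file dropped into many directories, and documents suddenly carrying an unfamiliar appended extension) are simple enough to check for on a file share or backup copy. The following is an added example, not a UIS or UISO tool; the note-name pattern is built from the two filenames quoted above, and the extension list and thresholds are assumed.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed heuristics (assumed, not an official UISO tool). The note pattern
# covers HOW TO DECRYPT FILES.TXT and DECRYPT_INSTRUCTIONS.HTML and close variants.
RANSOM_NOTE_RE = re.compile(
    r"(decrypt|recover|restore)[^/]*(files|instructions)|how.?to.?decrypt", re.I)
KNOWN_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "csv", "jpg", "png"}


def scan_tree(root, note_dir_threshold=3, renamed_threshold=10):
    """Walk `root` for two symptoms: ransom notes repeated across directories,
    and a burst of known document types with an extra suffix appended
    (report.docx -> report.docx.locked). Returns counts and a verdict."""
    note_dirs = set()
    appended = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if RANSOM_NOTE_RE.search(name):
                note_dirs.add(dirpath)
                continue
            parts = name.lower().rsplit(".", 2)
            # ['report', 'docx', 'locked']: a known type followed by an unknown suffix
            if len(parts) == 3 and parts[1] in KNOWN_EXTS and parts[2] not in KNOWN_EXTS:
                appended[parts[2]] += 1
    top_ext, top_count = (appended.most_common(1) or [(None, 0)])[0]
    return {
        "note_dirs": len(note_dirs),
        "top_ext": top_ext,
        "top_ext_count": top_count,
        "suspicious": len(note_dirs) >= note_dir_threshold or top_count >= renamed_threshold,
    }


def build_sample_tree(infected):
    """Create a throwaway directory tree of empty files (constructed sample data)."""
    root = tempfile.mkdtemp()
    for d in ("Documents", "Pictures", "Projects", "Desktop"):
        folder = Path(root, d)
        folder.mkdir()
        for i in range(3):
            Path(folder, f"file{i}.docx" + (".locked" if infected else "")).touch()
        if infected:  # the page's two example note names, dropped in every directory
            Path(folder, "DECRYPT_INSTRUCTIONS.HTML").touch()
            Path(folder, "HOW TO DECRYPT FILES.TXT").touch()
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree(True)))   # suspicious: True
    print(scan_tree(build_sample_tree(False)))  # suspicious: False
```

Run it against a read-only mount of a suspect share rather than the infected machine itself, which should already be disconnected as described in the next section.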

Steps to Take Upon Infection

Disconnect:

  • Immediately disconnect the infected computer from any network it is on.
  • Turn off wireless capabilities such as Wi-Fi or Bluetooth.
  • Unplug storage devices such as USB or external hard drives.
  • Do not erase or “clean up” any files, and do not run antivirus clean-up.

Contact UIS to Report:

  • Call the Service Desk (202-687-4949) and tell them your computer has been subject to a ransomware attack. They will connect you with the University Information Security Office (UISO).
  • Follow the instructions of the UISO staff exactly.

UISO will Evaluate Viable Options:

  • Restore from a recent backup.
  • Decrypt files using a third party decryptor.
  • Do nothing (i.e. lose data).
  • Negotiate/pay the ransom.

Prevention

  • Complete online security awareness training.
  • Be cautious: don't click on links or attachments in unexpected emails.
  • Implement regular backups of files.
  • Keep your operating system and software up to date.
  • Ensure all security patches are in place.