ransomware image

Ransomware

What is ransomware?

Ransomware is a type of malware used to infect computers and encrypt computer files until a ransom is paid.  If the ransom demands are not met (i.e., if the victim does not pay the ransom), the encrypted data will remain encrypted and unavailable to the victim.

How does ransomware work?

Once the ransomware has completed file encryption, it displays a file containing instructions on how the victim can pay the ransom.

If the victim pays the ransom, the threat actor may provide a decryption key the victim can use to unlock the files, making them accessible. Even after a ransom has been paid, threat actors may demand additional payments, delete a victim’s data, refuse to decrypt the data, or decline to provide a working decryption key to restore the victim’s access.

How is ransomware delivered?

Ransomware is commonly delivered through phishing emails or via “drive-by downloads.”

  • Phishing emails often appear as though they have been sent from a legitimate organization or someone known to the victim and entice the user to click on a malicious link or open a malicious attachment.
  • A “drive-by download” is a program that is automatically downloaded from the internet without the victim’s consent or without their knowledge. After the malicious code has been run, the computer becomes infected with ransomware.

What can I do to protect my data and networks?

  • Back up your computer.  Perform frequent backups of your computer and important files, and verify your backups regularly.  Carefully plan, implement, and test your backup and restoration strategy.
  • Secure and store your backups separately. Ensure your backup data is offline and secure. The best practice is to store your backups on a separate device that cannot be accessed from a network, such as on an external hard drive.
  • Use antivirus software at all times.  Set your software to automatically scan for malware.
  • Update and patch your computer. Ensure your applications and operating systems (OSs) have been updated with the latest patches.
  • Use caution with links and when entering website addresses. Be careful when clicking on links in emails, even if the sender appears to be someone you know. Attempt to independently verify website addresses.
  • Open email attachments with caution. Be wary of opening email attachments, even from senders you know, particularly when attachments are compressed or ZIP files.
  • Beware of unknown sources.  Do not open files or click on links from unknown sources
  • Verify email senders. If you are unsure if an email is legitimate, try to verify the email’s legitimacy by contacting the sender directly. Do not click on any links in the email.
  • Use Multi-factor Authentication.  Make sure you are signed up for Duo on-campus.  Enable multi-factor authentication for vendor services you use when it is available.

How do I respond to a ransomware infection?

  • Contact your local IT team, technical UISL, and the campus information security office at cybersecurity@ucdavis.edu
  • Isolate the infected system. Remove the infected system from all networks, and disable the computer’s wireless, Bluetooth, and any other potential networking capabilities.
  • Turn off other computers and devices.

References:

  • Security Tip (ST19-001)-Protecting Against Ransomware, Cybersecurity & Infrastructure Security Agency
  • NIST Ransomware Tips and Tactics Infographic