Ransomware

There have been a significant number of incidents where an individual has had his or her entire computer hard drive and, in some cases, network shares mapped to his or her computer, encrypted by malicious software known as “ransomware”.  This form of malicious software or “malware” is so named because the distributors of this software demand the payment of a ransom of hundreds or even thousands of dollars via a variety of Internet financial exchange mechanisms, such as Bitcoin. 

The perpetrators indicate that, once they receive the ransom, they will provide you with the key that will decrypt your files.  To those who religiously back up their hard drives and network shares, ransomware is more of an annoyance, since they can always restore their backed-up data; but to those who do not, the temptation to meet the attacker’s demands becomes far greater.

What Should You Do If Ransomware Infects Your System?

The first thing to do is to contact your computer support representative for assistance.  Members of the UHCL community should contact the UHCL Support Center at extension 2828 or supportcenter@uhcl.edu.

DO NOT contact the perpetrators!  Anyone communicating with the perpetrators is dealing with criminals.  Even if you pay the ransom, there is no guarantee that they will send you the key, that the key will work, or that the process of applying the key will not install additional malware that will do additional damage at a later time.

If the infected device is a UHCL computer, you must NOT under any circumstances interact with the perpetrators using that or any other University-owned device.  Such action could put the University’s information and systems at significant risk, and could result in severe financial and reputational loss for the University.

How Ransomware Infections Occur

Like any other piece of computer malware, ransomware uses the same methods of propagation that have been used for years, so having up-to-date anti-malware software on your system is an important component of your ransomware defense.  But it is not the only component.  Since all anti-malware products are, unfortunately, imperfect, they must be supplemented with safe computing actions on our part.

Each anti-malware product is written to counter malicious software that it “knows.”  How does it “know” something is malware?  Each anti-malware tool maintains a file of identifying program code “signatures” associated with each piece of known malware.  The signatures for each anti-malware product are usually updated by the vendor on a daily basis.  So, think about this: if your malware signature file is updated every day at 8:00 AM with every piece of malicious code known at that time, what is supposed to protect your computer against a piece of new ransomware released to the Internet at 10:00 AM?

There is only one answer – YOU.  The actions you take can either activate or block ransomware and other malware forms. 

Most forms of malware must be manually executed to cause harm.  In most cases, this involves you doing something, such as: 

  • Opening an infected e-mail attachment,
  • Clicking a link in an e-mail without vetting the message’s authenticity,
  • Visiting questionable web sites,
  • Inserting a USB key or other removable medium from an unknown, untrusted source into your computer.

The reason I used the phrase “most forms of malware” is that there is an automated way malware can execute: if you do not keep your computer software up-to-date with its vendor-supplied security updates, an attacker may be able to execute malware on your system without any further assistance from you.

Preventing Ransomware and Other Forms of Malware

As mentioned earlier, your actions are very important in determining whether or not a piece of malware successfully delivers its malicious payload.  Here are a few tips for tipping the scales in your favor:

  • Always have anti-virus/anti-malware software installed on your system.
  • Keep ALL software on your computer up-to-date.  This includes not only anti-virus/anti-malware/anti-SPAM software, but EVERY piece of software on your system.  If necessary, work with your support person to ensure that your software is up-to-date with the latest security updates.
  • Only open e-mail attachments from known, verifiable sources.  The “From:” field in an e-mail message can be forged, so that e-mail from Aunt Sally could be from anyone.
  • If your e-mail system is protected by SPAM filtering software, any suspicious e-mail message it detects is not delivered to your mailbox, but is sent to a quarantine folder instead.  The SPAM filter will regularly present you with a list of quarantined items being held.  From this list, you can release individual messages from quarantine and have them sent to your mailbox.  While no SPAM filter is perfect, do not indiscriminately release SPAM messages from quarantine.  Only release messages that you are reasonably certain are legitimate. 

    In cases where a specific individual keeps sending e-mail messages that the SPAM filter considers suspicious, you can whitelist a specific sender based upon his or her e-mail address (e.g., ted@somemail.com).  Whitelisting an account causes the SPAM filter to ignore the incoming message and pass it directly to your mailbox. 

    NOTE – While it is possible for you to whitelist all users of a specific, external e-mail system (e.g., *@somemail.com), this practice is discouraged since the risk of a malware infection increases with the number of users you have whitelisted.
  • For any e-mail messages that you receive, filtered or not, do not click on ANY links or attachments contained within the message unless you know:
    • Who the sender is,
    • What the attachment contains or where the link points you, and
    • Why you received the attachment or link.

    If you are unsure about any of the above, contact the sender to verify.

  • If the e-mail contains a link to a web page and you believe the message is legitimate, you should still verify that the link is taking you to an appropriate site – it is important to remember that the link that is displayed in the e-mail message may not be where the link will take you. 

    Where do you think this link will take you?  http://www.uhcl.edu.  Protect yourself against this kind of link by hovering the cursor over the link using the technique described in the next section.
  • When checking your e-mail or surfing the web, use a computer account that has USER privileges rather than ADMINISTRATOR privileges.  Ransomware and other malware will run with the same permissions as the user who is logged in at the time.  If you are logged in as an administrator on your computer, any malware executed will be able to do virtually anything to your computer.  If you are logged in with USER privileges, the malware will have very limited capabilities and may not even run at all.  Contact your support representative to ensure your system is set up appropriately.  Members of the UHCL community should contact the UHCL Support Center at extension 2828 or supportcenter@uhcl.edu to discuss privilege level options.
  • Back up your system often.  When activated, ransomware will effectively destroy the data on your hard drives and your mapped network shared drives, so taking regular backups is a critical step in ensuring that you will be able to restore your service.  Keep in mind that your data can be destroyed at any time by a simple electronic failure; it does not necessarily have to be malware doing the damage.

How to Use Your Cursor to Verify a Web Link

The following technique is a method of protecting yourself against misleading links inserted into e-mail, web pages or documents that direct you to a different web site than you expect.

When you want to verify a link (http://www.uhcl.edu), hover the cursor over the link but do not click it.  A message will be displayed in the status line or in a small box or bubble containing the real web address or "URL" that is associated with the link.  The URL displayed in the status line, box or bubble is the site to which the link will actually take you.  The URL displayed in the e-mail message, web page or document is merely text.

Here is what to look for when checking a link.  Focus on the first portion of the URL, between the "http://" and the first slash character "/" (or if there is no first slash character, the end of the URL).  That portion of the URL tells you the name of the computer that is hosting the web page and the organization or "domain" to which it belongs.  Here are some examples to help you interpret the URL values:

  • http://www.uhcl.edu/info-security/basics indicates that the web site is hosted on a UHCL computer because the URL's server name between the "http://" and the first slash after that ends in “uhcl.edu”, UHCL’s domain name.
  • http://www.uhcl.edu also shows you that the web site is hosted on a UHCL computer because there is no slash after the http:// and “uhcl.edu” is at the end of the URL.
  • http://www.uhcl.edu seems to indicate that the web site is in the "uhcl.edu" domain, but when you hover over it, you should be able to see that this link is pointing you to a different domain than expected.
  • http://www.xbadsitex.zzz/uhcl.edu has "uhcl.edu" at the end of the URL, but the value comes AFTER the first slash after the "http://", so it is probably an attempt to trick you.
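The same "look between http:// and the first slash" rule, written out as a small check so you can see exactly which part of a URL decides the domain.  This is an added example, not code from the UHCL Information Security Office; it uses the page's own sample links plus two constructed ones, and it also shows a case the page does not spell out: a host must end in ".uhcl.edu" at a dot boundary, so "www.uhcl.edu.xbadsitex.zzz" is not in the uhcl.edu domain even though "uhcl.edu" appears inside the server name.

```python
from urllib.parse import urlsplit

# Domain this check trusts, taken from the page's examples (UHCL's domain name).
EXPECTED_DOMAIN = "uhcl.edu"


def host_of(url: str) -> str:
    """Return the server name of a URL: the part between "http://" (or
    "https://") and the first "/", lower-cased and without any port number.
    Returns "" when the URL has no http(s)://server part at all."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower()


def belongs_to_domain(url: str, domain: str = EXPECTED_DOMAIN) -> bool:
    """True only if the server name is the domain itself or ends in "." + domain.
    The dot boundary matters: a server whose name merely ends in the letters
    "uhcl.edu" (e.g. "notuhcl.edu") is not in the uhcl.edu domain."""
    host = host_of(url)
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def explain(url: str, domain: str = EXPECTED_DOMAIN) -> str:
    """Plain-language verdict matching the page's hover-and-look advice."""
    host = host_of(url)
    if not host:
        return f"{url}: no http(s) server name found"
    if belongs_to_domain(url, domain):
        return f"{url}: server '{host}' is in the {domain} domain"
    return f"{url}: server '{host}' is NOT in the {domain} domain"


if __name__ == "__main__":
    # Constructed sample links; the first three are the page's own examples.
    for link in (
        "http://www.uhcl.edu/info-security/basics",   # UHCL server, path after the slash
        "http://www.uhcl.edu",                        # UHCL server, no slash at all
        "http://www.xbadsitex.zzz/uhcl.edu",          # "uhcl.edu" only AFTER the first slash
        "http://www.uhcl.edu.xbadsitex.zzz/login",    # constructed: "uhcl.edu" inside a longer name
        "http://notuhcl.edu/",                        # constructed: letters match, no dot boundary
    ):
        print(explain(link))
```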

For further information...

Visit the "Information Security Basics" section of the UHCL Information Security Office web site for additional information about how you can keep your information and systems safe.


Anthony Scaturro

Information Security Officer

University of Houston-Clear Lake