By Leila Sharma
Ransomware is malware that encrypts the files on a device (or locks the device outright) and demands payment to undo the damage. It most commonly reaches a device through email social engineering, also known as phishing, which tricks the user into running it. Once it is running, the malware encrypts the user's files and demands a ransom, often in bitcoin, in exchange for the key needed to decrypt them. Paying does not guarantee that you will receive a working decryption key, or that the encrypted files can be successfully restored.
Ransomware lures commonly arrive as emails or web pop-ups that invite you to click an embedded link, or to open an attachment and enable macros. Either action runs the ransomware installer. Once it is installed, an on-screen message usually appears stating that the computer is locked and/or its files are encrypted, and that payment is due within a set time or the encrypted data will be deleted.
What is the best defense against ransomware? The answer is twofold:
- Prevention is ideal; quick action if infected is a must.
- Please see the NYU ServiceLink knowledge article entitled Security Education: Recognizing phishing scams and protecting yourself online for tips on detecting suspect messages and thereby avoiding ransomware.
- To view sample ransomware messages, please see the following posts on the IT Security News & Alerts Blog:
- If infected, immediately disconnect your computer from NYU-NET (unplug the Ethernet cable and turn off Wi-Fi) to keep the ransomware from spreading, then report the infection to the NYU IT Service Desk and to your local IT admin if you have one.
- Regular backups to external drives or devices are essential.
- After disconnecting from NYU-NET and alerting the NYU IT Service Desk and your local IT admin, wipe the device and restore its contents from backups. Before restoring, check any mounted drives and synchronized storage you use (such as NYU Box or Dropbox) to make sure the ransomware did not reach those files as well; a sync client will upload encrypted files over the clean copies just as readily as any other change. Do not leave backup devices mounted once a backup or a restore has finished: a mounted backup drive is simply another volume the ransomware can encrypt if the main device is infected. Finally, check regularly that your backups are actually being made and that you can recover the files you need from them; a backup that has never been restored is an untested backup.
Ransomware takes a variety of forms. In addition to Locky, at least 16 other variants have been identified over the past two years, including one that claims to be from law enforcement and demands payment for supposed illegal online activity (for more information, see this PDF on the Symantec website). A newer twist is ransomware that not only demands payment but also threatens to send all of the files on your device to all of your contacts. This type of ransomware has been dubbed "Jigsaw." For more information on Jigsaw, see the ArsTechnica website.
The following are additional recommendations for avoiding ransomware and recovering from an attack:
- Update (patch) your device, operating system, browser, and applications regularly so that you are not exposed to "drive-by download" attacks. A drive-by download is a program downloaded onto your device without your knowledge or consent, typically by a malicious or compromised web page that exploits an unpatched browser or plug-in; on a computer that is not fully patched, malware is often installed this way.
- Do not leave your computer permanently connected to cloud or external storage. Malware that encrypts or corrupts files on your computer will do the same to any files your computer can reach, whether on an attached drive or in a mounted cloud folder.
- Whenever possible, work from a standard account with limited privileges rather than a privileged account such as "administrator" or "root". This adds a layer of protection and prevents many types of malware from installing, because they need administrative rights to do so.
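The backup advice above (make regular backups, check that they actually restore, check mounted and synced locations before restoring, and do not leave the backup volume attached afterward) can be turned into a short routine. The script below is an added example for this article, not NYU IT's own tooling: the function names, the `SAMPLE_*` paths and the sample files are all constructed here. It archives a directory with `tar`, proves the archive restores by extracting it and comparing POSIX `cksum` values against a manifest recorded at backup time, offers a check of the live files against that manifest (the pre-restore check for synced folders), and, when asked, unmounts the backup volume so it is no longer a drive that malware on the host can reach. The demonstration run uses a plain temporary directory, so the unmount step (which needs privileges) is skipped by passing `no`.

```shell
#!/bin/sh
# Added example for the backup advice in this article (not an NYU IT script).
# Hypothetical names: checksum_manifest, backup_tree, verify_backup,
# live_matches_backup, run_backup, and the SAMPLE_* paths. Sample files are
# constructed below so the script runs stand-alone.
set -eu

# checksum_manifest DIR: one "crc size ./path" line per file under DIR,
# sorted, so two manifests of identical trees compare byte for byte.
# cksum is used because it is POSIX; use sha256sum where it is available.
checksum_manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do cksum "$f"; done )
}

# backup_tree SRC DEST: archive SRC into DEST/backup.tar and store the
# manifest of the live files next to it.
backup_tree() {
    mkdir -p "$2"
    tar -cf "$2/backup.tar" -C "$1" .
    checksum_manifest "$1" > "$2/backup.manifest"
}

# verify_backup DEST: do a real restore into a scratch directory and compare
# its checksums with the manifest taken at backup time. Returns 1 if any
# file is missing or altered, so a broken backup is noticed now rather than
# during an incident.
verify_backup() {
    scratch=$(mktemp -d)
    tar -xf "$1/backup.tar" -C "$scratch"
    if checksum_manifest "$scratch" | cmp -s - "$1/backup.manifest"; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    return 1
}

# live_matches_backup SRC DEST: compare the current files with the last
# backup's manifest. Run this on mounted drives and synced folders before a
# restore: files that changed since the last good backup may have been
# encrypted and must not be synced or copied over the clean copy.
live_matches_backup() {
    checksum_manifest "$1" | cmp -s - "$2/backup.manifest"
}

# run_backup SRC DEST [UNMOUNT]: back up, verify, and when UNMOUNT is "yes"
# detach the backup volume (needs privileges) so it is no longer a drive the
# malware could encrypt. Pass "no" when DEST is an ordinary directory.
run_backup() {
    backup_tree "$1" "$2"
    verify_backup "$2" || return 1
    if [ "${3:-no}" = yes ]; then
        umount "$2"
    fi
}

# Constructed sample data for a stand-alone run (not real user files).
SAMPLE_SRC=$(mktemp -d)
SAMPLE_DEST=$(mktemp -d)
trap 'rm -rf "$SAMPLE_SRC" "$SAMPLE_DEST"' EXIT
mkdir -p "$SAMPLE_SRC/notes"
printf 'thesis draft, chapter 1\n' > "$SAMPLE_SRC/thesis.txt"
printf 'lab notes, week 1\n' > "$SAMPLE_SRC/notes/week1.txt"

run_backup "$SAMPLE_SRC" "$SAMPLE_DEST" no
echo "backup written to $SAMPLE_DEST and restore-tested"

# Simulate what ransomware does to the live copy after the backup was taken:
# the archive still verifies, but the live tree no longer matches it.
printf 'encrypted junk\n' > "$SAMPLE_SRC/thesis.txt"
if live_matches_backup "$SAMPLE_SRC" "$SAMPLE_DEST"; then
    echo "live files match the last backup"
else
    echo "live files differ from the last backup: inspect them before syncing or backing up again"
fi
```

On a real backup drive, call `run_backup /home/you /mnt/backup yes` from a scheduled job so the volume is mounted only while the backup runs, and keep the manifest with the archive: a mismatch between the live tree and the manifest is the quickest way to see which files changed after the last good backup.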