Don't let ransomware disrupt or destroy your work

Ransomware is a category of malicious software that is becoming increasingly widespread.  It differs from other kinds of malicious software in that its primary purpose is to render the victim's data files unusable (typically by encrypting them) until a "ransom" in difficult-to-trace virtual currency such as Bitcoin is paid.  Organizations all over the world, including hospitals, police departments, and universities, have fallen victim to ransomware attacks.  Affected systems to date have included Windows workstations and servers, Macs, Linux workstations and servers, unpatched wiki or blog software, Android phones, and any data volumes these devices are able to access (e.g., external hard drives, network drives or file servers).

Protect yourself against ransomware

Backups:

  • Ensure that you have reliable, ongoing backups of your data, and periodically test restoring files from those backups.
  • Ensure backup volumes are not continuously mounted on the system they protect.  Ransomware will encrypt all data on all mounted volumes, including mapped network drives or file shares.


Prevention:

The ways to prevent infection by ransomware are the same good practices that prevent infection by other types of malicious software.

  • Use an unprivileged (non-admin) account for routine computing, reserving privileged account use for brief situations where elevated permissions are needed (such as for software installation).  IMSS Managed Computing systems are configured this way.
  • Employ a software restriction policy, also called "application whitelisting", where possible.  Microsoft Windows workstation editions have supported application whitelisting since Windows 7.  IMSS Managed Computing systems are configured this way as well.
  • Configure your computer to display file extensions rather than hiding them as is the default.
  • Windows users: consider setting Notepad as the default application for .js (JavaScript) files, so that a double-clicked .js file opens harmlessly as text rather than executing.  This won't affect JavaScript in the browser.
  • Keep both the operating system and applications up to date on security patches, paying particular attention to browser plugins such as Flash, Java and Silverlight.
  • If you are running a server, keep the operating system and applications up to date on security patches, and pay particular attention to any applications or services that are accessible from the Internet.  Do not overlook content management systems such as Drupal, WordPress, Joomla, etc.
  • Exercise caution when installing new applications.  Where did the installer come from?  Are you sure it does what it claims to do?  Are you sure it was unaltered from the time it was released by the vendor?  To date, ransomware infections on Macs and Linux workstations have been in the form of legitimate-seeming software that was tampered with to include malicious code, which was then inadvertently installed by the user.
  • Exercise caution when opening any attachments sent in email.  Do you know with certainty who sent the attachment and what it contains?  If the attachment is unexpected but may be legitimate, verify with the sender first before opening it.  When in doubt, contact the IMSS Help Desk or Information Security.
  • Install antivirus software and keep it up to date.  Note that this measure, while still useful, is not in itself a complete solution, as malicious software such as ransomware is constantly changing in an effort to stay a step ahead of antivirus vendors.  IMSS has site licenses for antivirus software, covering personal-use systems for Caltech personnel in addition to Caltech-owned systems.
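The following read-only PowerShell audit is an added example, not part of the IMSS page or its Managed Computing configuration; it reports on the Windows-specific items in the list above (elevated session, AppLocker enforcement, hidden file extensions, the handler for .js files, and mapped network drives that a backup volume should not stay on).  It assumes Windows 7 or later with PowerShell 3 or newer and the AppLocker module present; it changes no settings.

```powershell
# Added audit script (not from the IMSS page). Read-only: reports findings, changes nothing.
# Assumes Windows 7+ with PowerShell 3+ and the AppLocker module available.

function Test-RansomwareHardening {
    $findings = @()

    # 1. Routine computing should happen from an unprivileged (non-elevated) token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($elevated) { $findings += "[WARN] Session is running with an elevated (admin) token" }
    else           { $findings += "[OK]   Session is running as an unprivileged user" }

    # 2. Application whitelisting: is any AppLocker rule collection actually enforced?
    try {
        $policy   = Get-AppLockerPolicy -Effective -ErrorAction Stop
        $enforced = @($policy.RuleCollections | Where-Object { $_.EnforcementMode -eq 'Enabled' })
        if ($enforced.Count -gt 0) { $findings += "[OK]   AppLocker enforcing $($enforced.Count) rule collection(s)" }
        else                       { $findings += "[WARN] No AppLocker rule collection is in Enforce mode" }
    } catch { $findings += "[WARN] Could not query AppLocker policy: $($_.Exception.Message)" }

    # 3. Explorer should display file extensions: HideFileExt = 0 (the default is 1).
    $adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $hide = (Get-ItemProperty -Path $adv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    if ($hide -eq 0) { $findings += "[OK]   File extensions are displayed" }
    else             { $findings += "[WARN] File extensions are hidden (HideFileExt=$hide)" }

    # 4. Which program handles a double-clicked .js file? A per-user choice overrides the machine ProgId.
    $uc     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\UserChoice'
    $progId = (Get-ItemProperty -Path $uc -Name ProgId -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) {
        $progId = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\.js' -ErrorAction SilentlyContinue).'(default)'
    }
    $cmd = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
            -ErrorAction SilentlyContinue).'(default)'
    if (-not $cmd)                      { $findings += "[INFO] No open handler found for .js (ProgId=$progId)" }
    elseif ($cmd -match 'wscript|cscript') { $findings += "[WARN] .js files execute via Windows Script Host: $cmd" }
    else                                { $findings += "[OK]   .js files open with: $cmd" }

    # 5. Every mapped network drive is reachable by anything that runs here, backup shares included.
    foreach ($d in @(Get-PSDrive -PSProvider FileSystem | Where-Object { $_.DisplayRoot })) {
        $findings += "[INFO] Mapped drive $($d.Name): -> $($d.DisplayRoot) (backup volumes should not stay mounted)"
    }
    return $findings
}

Test-RansomwareHardening | ForEach-Object { Write-Output $_ }
```

Changing the .js handler itself is best done through Settings > Default apps (or Control Panel > Default Programs), since the per-user UserChoice value is not meant to be written by scripts.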

If Ransomware Infection Has Occurred

If you believe your computer has been infected with ransomware, STOP USING IT right away.  Power it down, and keep it powered down until you can get assistance.  Continuing to use your computer, or even leaving it on while it is infected, greatly reduces the chance of recovering your files.  We do not recommend that you pay the ransom.