Don't Let Ransomware Disrupt or Destroy Your Work

Ransomware has been responsible for high-profile outages in the last few years.  Organizations all over the world, including city governments, hospitals, police departments, major corporations, and universities, have fallen victim to ransomware attacks.

What is ransomware?

Ransomware is a category of malicious software that is becoming increasingly widespread.  Its primary purpose is to render the victim's data files unusable (typically by encrypting them) until a "ransom" in difficult-to-trace virtual currency such as Bitcoin is paid. 

Affected systems to date have included Windows workstations and servers, Macs, Linux workstations and servers, unpatched wiki or blog software, Android phones, and any data volumes these devices are able to access (e.g., external hard drives, network drives, or file servers).  A ransomware incident affecting a lab computer can be extremely disruptive and may result in loss of research data.

Protect yourself against ransomware

The best defense against ransomware is prevention, using good security practices that protect computers from malware infections of all kinds, not just ransomware specifically.


Backups

  • Ensure that you have reliable, ongoing backups of your data, and periodically test restoring files from those backups.
  • Use a backup solution that includes some form of versioning, so that in the event that there is a problem of any kind with the current or most-recently-backed-up copy of a file, a previous version of the file can be recovered.
  • Ensure that your backup volumes are not continuously mounted on the system they protect.  Ransomware will encrypt all data on all mounted volumes, including mapped network drives or file shares.
  • Caltech has a site license for CrashPlan, a cloud-based backup service.

Keep current on updates

  • Keep your operating system and applications up to date on security patches, and pay particular attention to any applications or services that are accessible from the Internet, as well as browser plugins such as Flash, Java and Silverlight. 
  • For campus workstations, consider taking advantage of the IMSS Baseline Software Update Service to automatically keep current on patches and updates, or the full-service IMSS Managed Computing program, which has an excellent security track record. 
  • If you are running a server, do not overlook updates for content management systems such as Drupal, WordPress, Joomla, etc.

Restrict remote access

Other ways to protect your computer

  • Use an unprivileged (non-admin) account for routine computing, reserving privileged account use for specific situations where elevated permissions are needed (such as for software installation).  IMSS Managed Computing systems are configured this way.
  • Employ a software restriction policy, also called "application whitelisting", where possible.  Microsoft Windows workstations support application whitelisting as of Windows 7.  IMSS Managed Computing systems are configured this way as well.
  • Exercise caution when installing new applications.  Where did the installer come from?  Are you sure it does what it claims to do?  Are you sure it was unaltered from the time it was released by the vendor?  Ransomware infections on Macs and Linux workstations in particular often come in the form of legitimate-seeming software that was tampered with to include malicious code, which was then inadvertently installed by the user.
  • Be careful when opening links and attachments received via email.  Do you know with certainty who sent the attachment and what it contains?  If the attachment is unexpected but may be legitimate, verify with the sender first before opening it.  When in doubt, contact the IMSS Help Desk or Information Security either via our ticket system or by email (help at caltech.edu or security at caltech.edu).
  • Install antivirus software and keep it up to date.  Note that this measure, while still useful, is not by itself a complete solution, as malicious software such as ransomware is constantly changing in an effort to stay a step ahead of antivirus vendors.  IMSS has site licenses for antivirus software, covering personal-use systems for Caltech personnel in addition to Caltech-owned systems.
  • Windows users: Configure your computer to display file extensions rather than hiding them (the default), and consider setting Notepad as the default application for .js (JavaScript) files, so that they open harmlessly rather than executing.  This does not affect JavaScript in the browser, which is normally the only place where you would want JavaScript to execute.
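
The application whitelisting step above, worked through with AppLocker as an added example (not from the IMSS page): the allow-list is generated from software already installed in trusted directories, deployed in audit mode first, and the audit events reviewed before enforcement. It assumes an elevated PowerShell on a Windows edition that enforces AppLocker, with the Application Identity service (AppIDSvc) available; the file and directory names are illustrative.

```powershell
# Added example (not from the IMSS page): build an AppLocker allow-list from trusted locations,
# deploy it in audit mode, and review what it would have blocked before switching to enforcement.
Import-Module AppLocker

# 1. Collect publisher and hash information for EXEs, DLLs and scripts in trusted directories.
#    Including $env:SystemRoot matters: an allow-list that omits Windows itself breaks the OS.
$trusted = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")
$fileInfo = foreach ($dir in $trusted) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script
}

# 2. Generate the policy: publisher rules where files are signed, hash rules otherwise.
#    -Optimize merges rules that share a publisher; -Xml returns the policy document as a string.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -IgnoreMissingFileInformation -Xml

# 3. Start in audit mode so nothing is blocked while you discover what the list misses.
$policyXml  = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = "$env:TEMP\applocker-audit.xml"   # illustrative location
$policyXml | Out-File -FilePath $policyPath -Encoding utf8
Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service AppIDSvc   # AppLocker is not evaluated unless this service is running

# 4. Before enforcing, ask the policy what it would do to files in a user-writable location,
#    which is where a mailed or downloaded file lands. Unlisted files show "DeniedByDefault".
$downloads = Get-ChildItem "$env:USERPROFILE\Downloads" -Recurse -Include *.exe, *.js, *.vbs -File
if ($downloads) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $downloads.FullName -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 5. Audit-mode events: ID 8003 in the EXE/DLL log and 8006 in the MSI/Script log mean
#    "ran, but would have been blocked". Review these, add rules for legitimate software,
#    then change AuditOnly to Enabled in the XML and re-run Set-AppLockerPolicy.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-Table -Wrap
```

Keep the audit period long enough to cover monthly and quarterly tasks, since software that runs rarely is what an allow-list built from a single snapshot tends to miss.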

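The last bullet above (show extensions, hand .js files to Notepad) as an added example that is not part of the IMSS page. It goes slightly beyond the page's .js advice by applying the same change to the other Windows Script Host file types, and assumes an elevated PowerShell: the HKCR change is machine-wide, while HideFileExt applies to the current user only.

```powershell
# Added example (not from the IMSS page): show file extensions and make double-clicking a
# Windows Script Host file open it in Notepad instead of running it.

# 1. Show extensions so a file named "invoice.pdf.js" is no longer displayed as "invoice.pdf".
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -Name 'HideFileExt' -Value 0 -Type DWord
Stop-Process -Name explorer -Force   # Explorer restarts and picks up the setting (run explorer.exe if it does not)

# 2. Re-point the WSH file types at Notepad. Browser JavaScript is unaffected: this only changes
#    the shell "open" verb for script files on disk, not what the browser does with script tags.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
$notepad  = "$env:SystemRoot\System32\notepad.exe `"%1`""
$wshTypes = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'
foreach ($progId in $wshTypes) {
    $key = "HKCR:\$progId\Shell\Open\Command"
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $notepad
    }
}

# 3. Verify. A per-user "Open with" choice (HKCU ...\FileExts\<ext>\UserChoice) overrides the
#    HKCR command, so report that too; a True in UserOverride needs a look in Default Apps.
'.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh' | ForEach-Object {
    $ext    = $_
    $progId = (Get-ItemProperty "HKCR:\$ext" -ErrorAction SilentlyContinue).'(default)'
    $cmd    = (Get-ItemProperty "HKCR:\$progId\Shell\Open\Command" -ErrorAction SilentlyContinue).'(default)'
    $choice = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice" `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{ Extension = $ext; ProgId = $progId; OpenCommand = $cmd; UserOverride = [bool]$choice }
} | Format-Table -AutoSize
```
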
If ransomware infection has occurred

If you believe your computer has been infected with ransomware, STOP USING IT right away.  Power it down, and keep it powered down until you can get assistance.  Continuing to use your computer, or even leaving it on while it is infected, greatly reduces the chance of recovering your files.

Contact the IMSS Help Desk or Information Security either via our ticket system or by email (help at caltech.edu or security at caltech.edu). 

We do not recommend you pay the ransom.

References:

  • US-CERT advisory on ransomware: https://www.us-cert.gov/ncas/alerts/TA16-091A
  • AppLocker (supported for Windows 10 workstation): https://technet.microsoft.com/en-us/library/dd759117.aspx
  • Software restriction policy (supported for Windows workstation versions Vista, 7 and 8): http://mechbgon.com/srp/
  • Site-licensed software, including Symantec Antivirus and Microsoft Forefront: http://imss.caltech.edu/software
  • Good general information from Sophos on ransomware: https://news.sophos.com/en-us/2017/06/23/ransomware-families-and-how-to-fight-them/
  • A useful guide for thinking about computer and network security in relation to research projects: http://trustedci.github.io/OSCRP/