Don't let ransomware disrupt or destroy your work
July 05, 2017
Ransomware is a category of malicious software that is becoming increasingly widespread, and has been responsible for some high-profile network outages at sites worldwide in the last few months. It differs from other kinds of malicious software in that its primary purpose is to render the victim's data files unusable (typically by encrypting them) until a "ransom" in a difficult-to-trace virtual currency such as Bitcoin is paid. Organizations all over the world, including hospitals, police departments, and universities, have fallen victim to ransomware attacks. Affected systems to date have included Windows workstations and servers, Macs, Linux workstations and servers, unpatched wiki or blog software, Android phones, and any data volumes these devices are able to access (e.g., external hard drives, network drives or file servers).
Protect yourself against ransomware
The best defense against ransomware is prevention, using good security practices that protect computers from malware infections of all kinds, not just ransomware specifically.
Backups:
- Ensure that you have reliable, ongoing backups of your data, and periodically test restoring files from those backups.
- Use a backup solution that includes some form of versioning, so that in the event that there is a problem of any kind with the current or most-recently-backed-up copy of a file, a previous version of the file can be recovered.
- Ensure that your backup volumes are not continuously mounted on the system they protect. Ransomware will encrypt all data on all mounted volumes, including mapped network drives or file shares.
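The three backup points above, worked through as an added example (not IMSS-provided code): each run lands in its own snapshot directory so earlier versions remain restorable, and a run is refused when an implausible share of files changed since the last snapshot, which is the signature a ransomware pass leaves on a mounted volume. The change threshold and the sample files are constructed assumptions.

```python
"""Versioned snapshot backup with a mass-change guard: each run copies the source tree into a
new snapshot directory, and refuses to run if an implausible share of files changed since the
last snapshot, which is what a ransomware pass over the source volume looks like."""
import filecmp
import shutil
import tempfile
from pathlib import Path
from typing import Optional

CHANGE_THRESHOLD = 0.5  # assumed value, not an IMSS setting: abort when over half the files differ

def latest_snapshot(backup_root: Path) -> Optional[Path]:
    snaps = sorted(p for p in backup_root.iterdir() if p.is_dir()) if backup_root.exists() else []
    return snaps[-1] if snaps else None

def changed_fraction(source: Path, previous: Optional[Path]) -> float:
    # Share of source files that are new or differ byte-for-byte from the previous snapshot
    files = sorted(p.relative_to(source) for p in source.rglob("*") if p.is_file())
    if not files or previous is None:
        return 0.0
    changed = sum(1 for rel in files if not (previous / rel).exists()
                  or not filecmp.cmp(source / rel, previous / rel, shallow=False))
    return changed / len(files)

def take_snapshot(source: Path, backup_root: Path, stamp: str) -> Path:
    """Copy source into backup_root/<stamp> (stamps must sort chronologically), or raise."""
    frac = changed_fraction(source, latest_snapshot(backup_root))
    if frac > CHANGE_THRESHOLD:
        raise RuntimeError(f"{frac:.0%} of files changed since last snapshot; refusing to overwrite history")
    dest = backup_root / stamp
    shutil.copytree(source, dest)
    return dest

def restore_file(backup_root: Path, rel: str, version: int = -1) -> bytes:
    """Read rel from a snapshot; version=-1 is the newest, -2 the one before it."""
    snaps = sorted(p for p in backup_root.iterdir() if p.is_dir())
    return (snaps[version] / rel).read_bytes()

def demo() -> dict:  # constructed scenario: two normal runs, then a refused ransomware pass
    tmp = Path(tempfile.mkdtemp())
    src, bk = tmp / "docs", tmp / "backups"
    src.mkdir()
    for name in ("a.txt", "b.txt", "c.txt"):
        (src / name).write_bytes(name.encode() + b" v1")
    take_snapshot(src, bk, "001")
    (src / "a.txt").write_bytes(b"a.txt v2")  # one ordinary edit
    take_snapshot(src, bk, "002")
    for p in src.iterdir():  # simulated ransomware: every file rewritten
        p.write_bytes(b"\x00\xffgarbage")
    try:
        take_snapshot(src, bk, "003")
        refused = False
    except RuntimeError:
        refused = True
    return {"newest": restore_file(bk, "a.txt"), "previous": restore_file(bk, "a.txt", -2),
            "refused": refused, "last_snapshot": latest_snapshot(bk).name}
```

Because the guard runs before anything is copied, the last good snapshot survives the refused run and can be restored from with `restore_file`.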
Good Security Practices:
The same good practices protect against a wide variety of security problems.
- Choose strong passwords for all accounts on your computers. This is particularly critical if you allow remote access to your computer, or may ever allow it in the future.
- Keep your operating system and applications up to date on security patches, and pay particular attention to any applications or services that are accessible from the Internet, and browser plugins such as Flash, Java and Silverlight. For campus workstations, consider taking advantage of the IMSS Managed Computing program, which has an excellent security track record. If you are running a server, do not overlook updates for content management systems such as Drupal, WordPress, Joomla, etc.
- If you must allow remote access to your computer, restrict it at the network level so that the service is not accessible from just anywhere on the public internet.
- Use an unprivileged (non-admin) account for routine computing, reserving privileged account use for brief situations where elevated permissions are needed (such as for software installation). IMSS Managed Computing systems are configured this way.
- Employ a software restriction policy, also called "application whitelisting," where possible. Microsoft Windows workstation supports application whitelisting as of Windows 7. IMSS Managed Computing systems are configured this way as well.
- Configure your computer to display file extensions rather than hiding them as is the default.
- Windows users: consider setting Notepad as the default application for .js (JavaScript) files, so that they open harmlessly as text rather than executing. This won't affect JavaScript in the browser.
- Exercise caution when installing new applications. Where did the installer come from? Are you sure it does what it claims to do? Are you sure it was unaltered from the time it was released by the vendor? To date, ransomware infections on Macs and Linux workstations have primarily come in the form of legitimate-seeming software that was tampered with to include malicious code, which was then inadvertently installed by the user.
- Be careful when opening links and attachments received via email. Do you know with certainty who sent the attachment and what it contains? If the attachment is unexpected but may be legitimate, verify with the sender first before opening it. When in doubt, contact the IMSS Help Desk or Information Security either via our ticket system or by email (security at caltech.edu or help at caltech.edu).
- Install antivirus software and keep it up to date. Note that this measure, while still useful, is not in itself a complete solution, as malicious software such as ransomware is constantly changing in an effort to stay a step ahead of antivirus vendors. IMSS has site licenses for antivirus software, covering personal-use systems for Caltech personnel in addition to Caltech-owned systems.
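Why the file-extension and .js items above matter, as an added example (not IMSS code): with extensions hidden, a script attachment named "Invoice.pdf.js" is shown as "Invoice.pdf", so a reviewer triaging attachment names needs to look at the real final extension. The extension sets and the attachment names are constructed assumptions, not data from this advisory.

```python
"""Models Explorer's default 'hide extensions for known file types' behaviour and flags
attachment names that are disguised scripts, for triage of mail or download logs."""
import os

# Assumed sets: types Windows executes on double-click, and harmless-looking document types
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".exe", ".scr", ".bat", ".cmd", ".ps1"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

def displayed_name(filename: str) -> str:
    """What Explorer shows with extensions hidden: the last known extension is dropped."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS else filename

def assess_attachment(filename: str) -> dict:
    """Flag names that run as code and/or masquerade as a document once the real extension is hidden."""
    shown = displayed_name(filename)
    real_ext = os.path.splitext(filename)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    reasons = []
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"runs as code ({real_ext})")
    if shown_ext in DOCUMENT_EXTS and real_ext != shown_ext:
        reasons.append(f"appears to be {shown_ext} when extensions are hidden")
    return {"file": filename, "displayed_as": shown, "risky": bool(reasons), "reasons": reasons}

SAMPLE_ATTACHMENTS = [  # constructed names for the demonstration, not real campaign data
    "Invoice_2017-06.pdf", "Invoice_2017-06.pdf.js", "scan0042.jpg.exe", "notes.txt", "report.docx",
]

def triage(names=SAMPLE_ATTACHMENTS):
    """Assess a batch of attachment names; risky entries are the ones a user should not open."""
    return [assess_attachment(n) for n in names]

if __name__ == "__main__":
    for result in triage():
        print(f'{result["file"]!r:30} shown as {result["displayed_as"]!r:24} risky={result["risky"]}')
```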
If Ransomware Infection Has Occurred
If you believe your computer has been infected with ransomware, STOP USING IT right away. Power it down, and keep it powered down until you can get assistance. Continuing to use your computer, or even leaving it on while it is infected, greatly reduces the chance of recovering your files. We do not recommend you pay the ransom.
References:
- US-CERT advisory on ransomware: https://www.us-cert.gov/ncas/alerts/TA16-091A
- AppLocker (supported for Windows 10 workstation): https://technet.microsoft.com/en-us/library/dd759117.aspx
- Software restriction policy (supported for Windows workstation versions Vista, 7 and 8): http://mechbgon.com/srp/
- Site-licensed software, including Symantec Antivirus and Microsoft Forefront: http://imss.caltech.edu/software
- Good general information from Sophos on ransomware: https://news.sophos.com/en-us/2017/06/23/ransomware-families-and-how-to-fight-them/