Ransomware

Learn more about ransomware and how it could affect you at UC San Diego.

What is Ransomware?

Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. Ransomware variants have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user’s systems have been locked or that the user’s files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The ransom demanded from individuals varies greatly but recently ransoms have been regularly seen to be well over $1 million.

Isn’t Ransomware something that happens only in the papers?

Ransomware is a regular occurrence at every UC campus, including UC San Diego. Most recently UC San Francisco was forced to pay $1.14 million to recover the research data of dozens of faculty. Our neighbor Scripps Health was almost entirely shut down for five weeks due to ransomware. Our own network detection software detects dozens of attempted ransomware attacks every day at UC San Diego.

How does a computer become infected with Ransomware?

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Why is Ransomware so effective?

The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and users systems can become infected with additional malware. Ransomware displays intimidating messages similar to those below:

• “Your computer has been infected with a virus. Click here to resolve the issue.”
• “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
• “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

What is the possible impact of Ransomware?

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including

• temporary or permanent loss of sensitive or proprietary information,
• disruption to regular operations,
  financial losses incurred to restore systems and files, and
• potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

What is UC San Diego doing to protect the campus against Ransomware?

UC San Diego has a number of security protections in place that assist in the fight against ransomware. These include anti-phishing protections, two-factor authentication, and network-based detections and filters. However, the entire UC San Diego network is only as secure as the weakest link, so we provide vulnerability detection and anti-malware software for all University owned equipment at no cost. Researchers would be well served to complete our Cybersecurity Certification for Research initiative and ensure their critical data is backed up and resilient against ransomware.

What do I do to protect against Ransomware?

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.

We recommend that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

• Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection. UC San Diego staff should contact their unit technical staff and ask how their work data is backed up.
• Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.

• Use the campus provided anti-malware software available at antivirus.ucsd.edu. This software is a contemporary best of breed program that includes a traditional antivirus program when installed.
• Be especially careful when giving visitors or students access to research systems. Require them to complete the lab worker/student/guest attestation form when using their personal equipment to access university systems.
• Use campus email accounts. All campus email accounts benefit from at least two independent layers of phishing and malware protections. 

• Do not follow unsolicited Web links in emails. Refer to the Phishing resources found on this website for more information.

UC San Diego has not authorized the use of University funds to pay ransoms. Nor does paying a ransom guarantee that you will receive your data back. Ransom payments require approval from the Office of the Chancellor.

What do I do if I believe my system has been infected by Ransomware?

Signs your system may have been infected by Ransomware:

• Your web browser or desktop is locked with a message about how to pay to unlock your system and/or your file directories contain a "ransom note" file that is usually a .txt file
• In some cases a ransom note may arrive by email
• All of your files may have a new file extension appended to the filenames
• Examples of Ransomware file extensions: .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky or 6-7 length extension consisting of random characters

How do I respond to a Ransomware infection?

If you believe your system has been infected with ransomware, do not panic, but DO NOT WAIT. Please act immediately, using the following steps to prevent the spread of the infection.

1. Disconnect From Networks

• Unplug Ethernet cables and disable wifi or any other network adapters. 
• Put your device in Airplane Mode
• Turn off Wi-Fi and Bluetooth

This can aid in preventing the spread of the ransomware to shared network resources such as file shares. Enabling wifi or network connectivity even for a moment will allow the ransomware to spread to neighboring devices.

• USB drives or memory sticks
• Attached phones or cameras
• External hard drives
• Or any other devices that could also become compromised

3. Report the Incident

• Contact the campus information security office, by emailing security@ucsd.edu. You may also call the ITS Service Desk who can expedite connecting you with a member of our incident response team: 

• Contact the owner of the equipment (researcher) and your local IT technical support.