Loyola University Maryland

Technology Services

Ransomware

image divider

What's Ransomware?

Ransomware is a type of malware that holds information hostage in an attempt to extort money for its release. This type of malware has grown in sophistication and will now completely encrypt all files on your computer and network drives. In many cases, these files cannot be retrieved. Most commonly, a ransomware installation package is sent using a benign-looking email, where the malicious code is embedded in the file and will be executed when the file is opened. Another scenario involves hacked internet websites, requiring only that a user visit a site where the malware is embedded on the site itself and is downloaded when you click on a link on that site.  In either case, once activated, the malicious installation package deploys an executable that installs the ransomware and begins the encryption process, starting with local files and spreading to any available remote- or network-connected resources. 

How does Ransomware spread?

Ransomware is typically spread through phishing emails that contain malicious attachments. These emails appear to come from a legitimate source and give a compelling reason that the document is important. Malicious attachments are often PDF,  ZIP, DOC, XLS, PPT files that appear as invoices, legitimate business documents, or other work-related files.  In some cases, Ransonware may end up on your computer by visiting infected web sites. To avoid malicious drive-by downloads, ensure that antivirus and all installed software is up-to-date.

What does Ransomeware do?

Once ransomware has been installed on a computer, it will encrypt files on the computer as well as data on files servers (G:\ and H:\ drives). Once it has finished encrypting files, a message will be displayed for the user with instructions for retrieving lost files. In some cases the message will imply that the FBI, US Department of Justice, or some other government agency encrypted your files due to illegal activity. In other cases, the criminals will state up-front that they have illegally encrypted your files and the only way to retrieve them is by paying the ransom.

What should you do if your system is infected?

Loyola-Issued Device

The first thing to do immediately is to disconnect your network connection for the computer (either pull out your network cable from the back of your computer or disconnect from your wireless connection).

Once you have disconnected your computer from the network, either contact the Help Desk at x5555 or Patricia Malek at 443.677.5670 / 410.617.5513.  Please remember contacting us immediately limits the destructive impact of the infection.   

Non-Loyola Issue Device

If a personal machine is infected, follow the steps below:

  • Restart your computer and turn off all network access by unplugging the ethernet cable on a desktop or flipping the wireless switch to the “off” position on a laptop.
  • Boot in safe mode. Safe mode can enable an antivirus program to remove the infection.
  • Search online for the type of ransomware infecting your machine and the best ways to remove it. There may be programs available for older ransomware that can help decrypt files.
  • Reload the operating system if all important documents have been backed up. Some anti-malware programs can remove infections; however, viruses can hide in system files, making them invisible to these programs.

Unfortunately, anyone communicating with the perpetrators are dealing with criminals.  Even if you pay the ransom, there is no guarantee that they will send you the key, that the key will work, or that they will not install additional malware that will re-encrypt at a later time. So, if this type of attack affects your personal, non-University-owned computer and files, we strongly discourage your from meeting their terms, or even responding at all.

If the device that is infected is a University computer, you must NOT under any circumstances interact with the perpetrators using that or any other University-owned device. Such action could put the University’s information and systems at significant risk, and could result in severe financial and reputational loss for the University. 

Under NO circumstances should you follow any provided links or contact the criminals by email. Loyola will become a high priority target if any interest is shown in recovering encrypted files.

Shouldn't our anti-virus software and the SPAM filters catch ransomware and other malware?

Most of the time, they do!  Every day hundreds of thousands of possible SPAM e-mail messages are detected and quarantined.  But anyone who releases messages from quarantine indiscriminately runs a significant risk of bringing the malicious software to his or her computer even after it has been detected.

The SPAM filtering software used at Loyola allows users to release individual messages from quarantine, to whitelist specific senders based upon their e-mail address, or to whitelist all users of an external e-mail system.  When an e-mail address is whitelisted, no e-mail message from that account will ever be quarantined.  While configuring your SPAM filter to whitelist individual e-mail senders (e.g., someone@somemail.com) can be useful, we discourage the whitelisting entire e-mail services, e.g., *@somemail.com, since the risk of malicious SPAM being sent by any user of a large e-mail service is much far greater than the risk for one of a small number of individually whitelisted users.

Once the e-mail is received, if the recipient activates the malware by clicking on an attachment or link, the anti-virus software MAY detect and disable the malware.  But it may not!  Why?  Because anti-virus software can only detect malware that is known to the anti-virus software at that moment.  If a new virus is written right now, it will take at least a day for the anti-virus software to catch up, so within that day long time period or more, the new virus will NOT be detected.  That is why our actions are so important.

How do you avoid getting this form of malware and others?

  1. Trust that the e-mail SPAM filters are detecting suspicious and potentially dangerous e-mail messages.  No SPAM filter is perfect, but don’t indiscriminately release SPAM messages from quarantine.  Only release messages that you are reasonably certain are legitimate.  If you whitelist e-mail accounts in your SPAM filter, whitelist individual e-mail accounts (e.g., someone@somemail.com) rather than entire e-mail services (e.g., *@somemail.com).   
  2. Never click on pop-ups.
  3. Ensure OS and browser(s) are up to date and/or patched.
  4. Maintain an active, up-to-date firewall software.
  5. Never respond to spam emails.
  6. Do not click on ANY links or attachments in any e-mail unless you know:
    ◦ Who the sender is,
    What the attachment contains or where the link points you, and
    Why you received the attachment or link.
  7. If you are unsure about any of the above contact the sender to verify.
  8. If the e-mail contains a link and you believe the message is legitimate, you should still verify that the link is taking you to an appropriate site – it is important to remember that the link that is displayed in the e-mail message may not be where the link will take you.  Protect yourself against malicious links by hovering the cursor over the link to identify the website.
  9. Set up your user account to have USER privileges, NOT ADMINISTRATOR privileges.  Ransomware and other malware runs with the same permissions as the logged in user.  If you are logged in as an administrator on your computer, the ransomware will be able to install its malicious software and do ANYTHING to your computer.  If you are logged in as a USER, most malicious software will have very limited capabilities and may not even run at all.  

Back up your system often.  There have been reports where the ransomware encrypted not only the computer's internal hard drive but also an attached, external drive that contained personal documents, pictures, etc.  Backing up those personal files is your responsibility.  Remember, data can be destroyed just by a simple electronic failure at any time – It doesn’t necessarily have to be malware doing it.