Last year, University of Delaware Information Technologies (IT) reported that CryptoLocker, a form of ransomware, had infected computers on campus. In a recent UDaily article, UD IT confirms that a newer form of ransomware, CryptoWall, has appeared on campus. So far, at least four UD computers have been attacked by this persistent malware.
But first things first, what’s ransomware? Put simply, ransomware is a form of malicious software that, once downloaded, encrypts all files on the victim’s computer and demands ransom in order to decrypt the files.
Ransomware is often delivered as a Trojan, hiding in seemingly innocent attachments and files; however, it can also be downloaded just by viewing malicious or infected websites.
Ransomware is easy to identify because it confronts the victim with a prompt for payment. It can be tricky to address. Under no circumstances should the victim pay the ransom. There is no guarantee that files will be decrypted, or that, once decrypted, files will be safe from repeated attack. In many cases, ransomware destroys some of the files it encrypts.
CryptoWall is similar to CryptoLocker; it’s a little simpler, but it’s more robust. There’s no easy way to remove an infection and resume normal computing, so it’s important that you follow safe computing practices to prevent infections and minimize damage. Such practices include backing up all of your files, checking links and attachments for legitimacy and safety, and updating all of your software continually.
CryptoWall can afflict both Windows and Mac systems. Dell SecureWorks has released a helpful document detailing CryptoWall’s attack patterns and effects.
CryptoWall is being distributed over the Internet through a number of methods:
- Malicious email attachments;
- Exploited browsers or websites; and
- Download links claiming to point to faxes, invoices, or other documents on file-hosting Web sites such as Dropbox.com and MediaFire.
The MSISAC Center for Internet Security warns that many malicious CryptoWall emails originate from “spoofed” email accounts. Spoofing is a process by which a hacker or con artist impersonates a legitimate sender’s email address in order to trick victim. Always verify the sender of an attachment, and be extremely cautious about opening attachments you didn’t request or weren’t expecting.
MalwareExperts.com identifies that some of the CryptoWall infections come from fake flash player updates and other malicious notifications. Be sure to keep your software updated, but only download updates directly from the manufacturers of your software. For example, don’t download Adobe updates from any site that isn’t Adobe’s own.
UD IT recommends that users back up their files regularly so their work is still accessible if their computer is compromised by ransomware or another kind of attack. In the worst-case scenario, backups may be the only way for people to regain access to their files. Instructions for backing up Windows and Macintosh computers are linked below.
- Windows instructions (from Microsoft)
- Macintosh instructions (from Apple)
UD IT recommends that members of the UD community also follow these best practices to help prevent ransomware attacks from affecting their computers:
- Update the computer’s McAfee anti-virus software. (The version downloadable for members of the UD community is configured to update automatically.)
- Update the computer’s operating system.
- Update all software on the computer, especially software often targeted by hackers: Microsoft Office, Adobe products, Mozilla FireFox and Thunderbid, Internet Explorer, and Java.
- Be cautious about what email attachments you open.
- Be cautious about what websites you visit.
- Do not download and install unfamiliar software, even if its maker claims it will prevent ransomware. Often, malware distributors trick people into downloading “special anti-virus software,” but the downloaded software is actually the malware itself.
For more information and assistance, contact departmental or college IT staff or contact the IT Support Center.