Ransomware

As viruses and malware continue to evolve with the changing technology landscape, a new form of virus has hit millions of individuals in the past year. Ransomware is a type of destructive malware that encrypts the files on your hard drive and on mapped network drives. Following encryption, the user is presented with a warning and asked to pay a ransom to receive the key needed to decrypt their files again.

Some of the more popular types of ransomware include Cryptolocker, CryptoWall, TorrentLocker, Locky, and Reveton.

When did it begin?

In October 2013, a new virus surfaced, primarily known as Ransomware, that destructively attacks the files on your system. Ransomware is typically transferred by email, appearing as an important document or program from a reputable source (e.g. your bank, a shipping company, or even your employer). The virus can also be acquired by visiting unknown websites that appear to belong to legitimate organizations. After communicating with a remote server, it generates a unique key for your computer and begins encrypting all common file types (such as .doc, .pdf, .html). After encryption has finished, a ransom request is displayed, requiring the user to pay for the decryption key within a limited time frame.

What is UBC doing?

UBC regularly monitors its IT operations and updates systems to protect against threats such as ransomware. In addition to ensuring we have up-to-date anti-virus software in place, our team monitors systems for threats and trends that may impact the university community. Sophos Anti-Virus, the campus-supported solution, protects against threats such as ransomware, as well as other viruses and malware.

Departments that utilize the UBC Mail Relays automatically filter all incoming messages that contain viruses detected by Sophos. FASmail and Student & Alumni Mailbox users are automatically protected by the mail relay filters.

If you are a system administrator looking for technical information on how to protect your department, please see the Technical Information section below.

What you can do

Anti-Virus

The most important thing is to remain vigilant of internet attacks. All members of the UBC community are eligible for Sophos Anti-Virus software, which protects against threats such as Ransomware. As viruses are constantly evolving, you should always ensure your anti-virus software updates its definitions regularly to protect against new threats.

In addition to Sophos protection, CryptoPrevent is free software designed to prevent ransomware from encrypting files in the event the malware is triggered. Download information can be found on the CryptoPrevent homepage. Please contact your department's IT helpdesk for more information on how this may affect you.

Email Attachments

Never open attachments from suspicious senders, or files whose names seem misleading. This virus in particular is known to disguise itself as a common PDF document by adding "PDF" to the file name. For more information on how to protect yourself against email attacks, please read our guide to email security.
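The disguise described above (an executable carrying "PDF" in its name) can be screened for at a mail gateway or on an endpoint by checking the real extension and the file's leading bytes instead of trusting the name. The following is an added example written for this page, not UBC's, Sophos's or CryptoPrevent's code; the sample attachments, the keyword list and the small magic-byte table are constructed for it, and it does not cover every packing or obfuscation trick.

```python
import io
import os
import re
import zipfile

# Extensions Windows runs directly. "Invoice_PDF.exe" hides one of these behind a
# document keyword, which is the disguise the advisory describes.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".wsf"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
DOCUMENT_KEYWORD = re.compile(r"pdf|doc|xls|invoice|statement")
# Leading bytes of a few formats (a constructed subset, enough for this example).
MAGIC = {b"%PDF-": "pdf", b"MZ": "pe", b"PK\x03\x04": "zip"}

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"

def assess_attachment(filename: str, data: bytes) -> list:
    """Reasons an attachment looks like a disguised executable; empty list = no finding."""
    reasons = []
    root, ext = os.path.splitext(filename.lower())
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        if DOCUMENT_KEYWORD.search(root):  # "report.pdf.exe", "Invoice_PDF.scr"
            reasons.append("document keyword hiding an executable name")
    kind = sniff(data)
    if ext in DOCUMENT_EXTENSIONS and kind == "pe":  # renamed executable
        reasons.append("document extension but Windows PE header")
    if kind == "zip":  # the executable usually travels inside an archive
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                for inner in assess_attachment(member, zf.read(member)):
                    reasons.append(f"{member}: {inner}")
    return reasons

def build_sample_zip() -> bytes:
    """Constructed sample: an archive carrying 'Invoice_PDF.exe' with a PE header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_PDF.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()

if __name__ == "__main__":
    for name, content in [("statement.pdf", b"%PDF-1.4 ..."), ("Invoice_PDF.exe", b"MZ\x90"),
                          ("report.pdf", b"MZ\x90"), ("Shipping_Docs.zip", build_sample_zip())]:
        print(name, "->", assess_attachment(name, content) or "no finding")
```

A gateway rule built on this would quarantine anything with a non-empty finding for review rather than deleting it, so that false positives on legitimate archives can be released.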

Any suspicious emails or phishing attempts should be reported to the IT Service Centre by contacting security@ubc.ca. When reporting messages, please include the full email headers and any attachments.

Hosted Storage

If you are an eligible UBC faculty or staff member, we encourage you to save all documents on the Home Share Drive, TeamShare, or Workspace services. These services are routinely backed up in a secure environment and, because they do not reside on your computer, are better protected against malware. All users are also encouraged to routinely back up incidental personal files onto a separate drive (such as an external hard drive or USB key) that is kept separate from your desktop and/or share drive. If your backup files contain Personal Information, we recommend also encrypting the data and storing it in a secure location. In many cases, backups are the only way to restore files encrypted by ransomware.

Security Patches

The latest security patches should be applied to close the vulnerabilities that cybercriminals exploit. This includes security patches for operating systems, applications such as Java, Adobe products like Flash and Adobe Reader, browsers like Internet Explorer and Chrome, and any custom applications.

Technical Information

As previously communicated, a form of malware known as ransomware has been infecting computers with a virus that encrypts user files and demands a ransom payment for decryption to occur. Large organizations such as UBC are susceptible to such attacks and network administrators should be aware and proactive about protecting workstations.

Please evaluate your environment and follow best practices to ensure that users are informed and computers are secured.

Virus-Protection

The first line of defense against all malware, including ransomware, should be Sophos Endpoint Anti-Virus software. The enterprise license allows the software to be installed free of charge on all UBC-owned and personal devices for faculty, staff, and students. While having protection is important, it is also important to ensure that devices are connected to Sophos to receive updated virus definitions regularly.

In addition to Sophos protection, system administrators may recommend additional software, such as CryptoDefense, to secure workstations. It is important to analyze the impact of this software on systems before installing it on devices. CryptoDefense works by enforcing stringent registry monitoring and may block common executable files from opening correctly. Furthermore, if the user does not have administrative privileges, it could require authentication to proceed with any new installations or updates.

Group Policy Updates

Similar to solutions such as CryptoDefense, departments utilizing Active Directory can enable group policy objects to restrict ransomware such as CryptoLocker from installing and modifying the registry. Enabling a GPO can be more efficient than individually installing CryptoPrevent on workstations because it can be edited remotely. It is important for directory administrators to evaluate all policy objects and their effect on existing and future computer usage. By placing restrictions on the registry, software such as Google Chrome and Microsoft Office may not be able to download updates automatically without administrator intervention. For information on how to apply a GPO in your Active Directory instance, please read Third Tier's guide regarding installation and exception handling.

Administrative Privileges

For the CryptoLocker software to function properly, users must have administrative rights on their workstation. By limiting the privileges of user accounts, the risk of malware infection is significantly reduced. For users who require administrative privileges, we recommend creating separate user accounts with enhanced access levels. These administrative accounts should only be used when necessary, so that the risk is contained to the rights actually in use.

Procedure for infected workstations

If a workstation has been infected with ransomware, immediately disconnect the unit from all network connections, both wired and wireless. Users should immediately report their workstation as compromised to UBC IT Information Security by calling 604.822.6141 or emailing security@ubc.ca. An IT security specialist will assist with cleanup of drives, investigation, and potential recovery of files.