Protect Yourself! Ransomware Is on the Rise

Syracuse University is experiencing increasing ransomware attacks, in which criminals send email to disseminate malware that encrypts and locks down computers, and then demand the owners pay a ransom to get their data and machines back. We’re not alone. In one case last year, a California hospital suffered a ransomware attack and paid a $17,000 ransom to get its files back.

This March during spring break, hundreds of Portland State University students received an email containing a virus. Several fell victim to this ransomware attack. At least one student’s computer was held hostage and locked down by the attack. His dissertation was out of reach, and he had no backup, so he paid a $600 ransom to rescue his files. Even police departments are ransomware targets.

A report from McAfee Labs predicts the number of ransomware attacks like these will increase in 2016, after almost tripling between 2013 and 2015. The FBI estimates that ransomware will be a billion-dollar business in 2016. The Beazley Breach Insights 2016 report says that colleges and universities are experiencing increased “spear phishing” incidents targeting students, faculty and staff with personalized, legitimate-looking emails with harmful links or attachments. “The relatively open nature of campus IT systems, widespread use of social media by students and a lack of the restrictive controls common in many corporate settings make higher education institutions particularly vulnerable to data breaches,” says the report.

Members of the SU community who follow good security practices are the best defense against ransomware and other threats. In addition, computers that are connected to Active Directory (AD) have the full suite of protections afforded by Information Technology Services (ITS) and have thus far been unaffected. However, there have been infections on systems not connected to AD where SU employees have lost important data.

How to defend yourself and the University

The most effective way to protect your data is to perform regular backups of all critical files to secure storage separate from your computer. In addition to your local drives, keep current copies of all your important documents on your University network drives. Depending on your affiliation, device and software your network drive is labeled:

• Students: Documents; My Documents; homedir; Home Directory; or H:
• Faculty and Staff: Documents; My Documents; homedir; Home Directory; H: or G:

Using your network drive(s) protects your data if your computer and local drives are infected. Even if the ransomware reaches across the network to encrypt files, ITS’s backup strategy for your files stored on the network will allow you to recover any data on G: and H: that was encrypted and locked. But ITS will NOT be able to recover maliciously encrypted data that is stored locally on your computer or external storage devices connected to your computer.

When you’re off campus, there are two ways you can connect to your network drive, DatAnywhere and the Syracuse University Remote Access (SURA) tool:

• Students can download DatAnywhere to their computers, phones and tablets and keep their files at their fingertips and synced across all their devices. See the DatAnywhere for Students page at Answers.syr.edu.
• Students can also download SURA to their Windows computer and connect to their network drive. See the SURA web page for more information.
• Faculty and staff can connect remotely via SURA, which automatically configures a Windows personal computer to connect securely to University resources via a Virtual Private Network (VPN). They may also be able to use DatAnywhere under some circumstances. Contact your local IT support staff to discuss your options.

Equally important is to follow basic information security practices diligently :

• Run up-to-date security and antivirus (AV) software on your devices. AV that’s out of date is no better than no AV at all.
• Keep your system patched and your software updated to minimize the chances that bad guys can leverage software vulnerabilities to install malware.
• Don’t run your computer as an administrative user.
• Don’t click on links you’re not sure of, or download files, music, photos, documents or software from unknown sites.
• Beware of phishing
  • Be suspicious of any email from senders you don’t know or that seems out of character for the sender. Make sure that the sender is actually who they appear to be before clicking on any links.
  • Verify the URL of any link before you click it by hovering your cursor over the link and examining the URL. If you don’t recognize the URL, don’t click it.
  • Never open attachments unless they are from someone you know, or you are expecting them.
  • Delete any suspicious emails, before opening them if possible.
• Back up your data offline. For your University work, take the extra step to use your H: and G: drives frequently. They are backed up every night and can be recovered. Online backup services like iCloud, OneDrive and Google Drive don’t always offer a recovery mechanism and while generally acceptable for your personal data, they are not for University Data.
• External hard drives used to back up your data may not be sufficient as some ransomware will encrypt them along with the computer to which they are connected.

How to know if you’ve been infected

• Typically the ransomware will tell you. All you’ll see on your computer screen will be a window with instructions on how to pay the ransom.
• You won’t be able to access your data, and probably won’t be able to use the computer.

What to do if your device has been infected

• Do not pay the ransom!Criminals may or may not provide the encryption key that will allow you to access your data.
• Immediately shut down your computer. Do not reconnect any offline drives or network shares until you’ve removed the ransomware by erasing your computer and reinstalling software.
• All your hard drives will need to be erased, and your operating system and software applications re-installed on your computer:
  • If you’re on the University faculty or staff, or if it’s a computer owned by Syracuse University, contact your IT support team.
  • If you’re a student, bring your computer, and external hard drives or USBs that were connected when you got the message; the computer’s power cord; and all your operating system and application software media (DVDs, USBs, CDs); and passwords to the ITS Service Center during regular business hours. The Service Center is located just off the Milton Atrium through the double glass doors in room 1-227 in the Center for Science and Technology.
• After your computer and any external drives have been erased and restored, recover your data from your offline backups.

Questions? Need help?

If you have any questions or need assistance, please do not hesitate to contact your local IT support team (if you’re SU faculty or staff) or the ITS Service Center (if you’re a student) at 315-443-2677 or help@syr.edu.