8 November 2016

Ransomware at UU

"All the files on our shared O drive were blocked"


"It was a moment of carelessness. I clicked on a link in that e-mail and it turned out to be a very bad link." 

It is June and Daphne (fictitious name, eds.) is working on various official documents. Her children are going abroad for a while and there is a lot to organise. Couriers come to the door with registered post practically every day. So when she saw an email on her smartphone stating that she had not been home when a courier had called, she didn't think it strange. "I noticed an old postcode, so I presumed that they had tried to deliver the package to the wrong address. I wanted to arrange a new delivery appointment. The email said 'Click here' so I did, but a message appeared saying that the page could not be opened on a smartphone. Against all my principles, I opened my private webmail on my UU computer."

All files blocked
Once again, nothing happens when Daphne clicks on the link via webmail. She leaves the email for what it is and continues with her work. The next day a colleague phones her. "She asked if I had perhaps contracted a virus because all the files on the Faculty Office's O:drive were blocked. I immediately thought of that email."

Ransomware attacks
Daphne's colleagues received a message that the files had been encrypted and that they would have to pay to regain access to them. The O:drive contains many shared files, which nobody could now access. They had fallen victim to ransomware. Daphne: "I am always so careful and know quite a lot about this subject. I really do know the do's and don'ts and yet I still clicked on a bad link. My recycle bin is full of these kinds of deleted e-mails. I have even received similar messages from other so-called transport companies and always delete them. Except this one."

The ITS Department's IT Service Desk is notified straight away and traces the virus back to Daphne's PC. ITS makes daily backups, including the O:drive, so once the malicious software had been removed, the previous day's backup could be restored. "My colleagues were somewhat nervous. How much work had they lost? Thankfully, it was not as bad as feared", she says.

Not uncommon
"Unfortunately, Daphne is not the only person this has happened to", explains René Ritzen, Corporate Information Security Officer at the UU. "This situation is not uncommon, and also occurs here at the university. The methods used are ever more sophisticated and it can happen to anyone. Daphne says she is always alert but it only takes one moment of inattentiveness, distraction perhaps, and you fall for it."

Ziggo, T-Mobile, PostNL
Cyber criminals are becoming ever more creative in their efforts to tempt us to click on a (malicious) link or to download (infected) files. At the moment, there are numerous reports of e-mails purporting to come from Ziggo, T-Mobile and PostNL which look so genuine that people fall for them.

There is no single recipe for prevention but, Ritzen explains, there are several things you can do yourself. "Look critically at the e-mail, the destination of the link, the attachment, and the sender. This will often betray a great deal. Be healthily suspicious. If it seems at all suspicious that the party in question should notify you in this way, then it probably is. In Daphne's case, you can also see how opening a private e-mail can also infect your work or study environment, and vice versa."

Daphne has learned her lesson. Would you like to know how you can avoid falling victim to ransomware, or what to do if this does happen? Take a look at the infographic or the info page on ransomware and if you have any questions contact the IT Service Desk.