Ransomware

Ransomware is often instantly recognisable, for instance because:

• access to your browser, or even your computer, is blocked;
• you see an image with the message that your documents have been encrypted and a manual for buying a decryption key using bitcoins (or by paying a fine on a fake law enforcement website);
• document icons on your desktop turn white and get a strange extension (for instance, pipi.docx becomes pipi.docx.crypt)

Broadly speaking, the methods used by cybercriminals are the following.

1. A piece of software is installed on your computer, often without you noticing. The software is executed automatically, for instance when your computer reboots, which results in one or more files or even your whole computer being blocked.
2. This kind of malicious software can find its way to your computer if you open an unsafe link (on a website or in an email), through online advertisements, email attachments or legal or illegal downloads. Ransomware can also get onto your computer through software you’ve already installed, such as Flash, JavaScript or your browser. But this is only possible if hackers find a loophole in the software. Malware takes advantage of software that’s not up to date, so make sure you always have the most recent versions installed.

Ransomware is popular among cybercriminals. They encrypt your device and files, and only allow you access upon payment of a ransom. Watch out for ransomware, at home and at work.

Make sure you make backups

How to avoid losing files? Make sure you have backups (and store them somewhere safe). This is always a sensible step to take. If you are affected by cryptoware, in particular, backups are often the only way to recover your files. The ITS Department makes daily backups of the O: and U: drives and of university systems such as SAP, Blackboard, email and Osiris. Ask your faculty's IT contact person whether and how the faculty systems are being backed up. Back up other data yourself.

Preventive measures

You can do a lot yourself to avoid ransomware affecting you or those around you. The following are the most important guidelines to follow.

• Be wary of suspicious emails. For instance, if you don't know the sender or don't expect an email from them. If you receive a fraudulent email, NEVER CLICK the attachment or ANY LINKS in the text. Recognise the signs.
• Use a good virus scanner. Configure it to update its virus definitions at least once a day.
• Use a firewall on your computer.
• Keep the operating system (Windows, OS X, etc.) up to date. This also applies to other software such as browsers, Adobe Reader and browser plug-ins (including Adobe Flash and Java).
• Programs such as Java and Adobe Flash are less safe. Try not to use them. You can get information about this at the UU's IT information desks.
• Be wary of suspicious emails.
• Cryptoware is usually an executable (.exe) file hidden in a different file type, such as an image (.jpeg, .jpg, etc.) or a text file (.doc, .docx, .pdf, etc.).
• If you unexpectedly get the message 'Do you want to allow the following program to make changes to this computer', choose No.
• For your daily tasks, use a normal user account rather than an account with administrator rights.
• If you are logged in as an administrator, you have all the rights to make changes to the system and ransomware exploits this by using the rights with which you are logged in. It is therefore safer to carry out your day-to-day tasks logged in to a normal user account.
• With Mac OS (Apple) and Linux you run less of a risk. However, these systems can also be infected.
• Be wary of suspicious emails. (It can't be said often enough!)
• Do not open attachments in emails from unknown senders or senders you are not expecting emails from.

These measures will help prevent you from being hacked. No guarantees can be given, but they can certainly limit the headaches and damage.

Take the following steps straight away: Pull the network cable out of the device. Switch the device off immediately. Close the screen. Pull the plug. Or keep the ON/OFF button pressed down 4 to 5 seconds. It is better not to log off the proper way. Rather, switch the device off straight away.

Immediately get help by calling the IT Service Desk on 030 253 45 00.

Act quickly in order to avoid a great deal of damage. Make sure the malware gets removed so you can resume work on a safe device. Call the ICT Service Desk for more information. One of the recommendations you will be given is to change your password(s).

If you have to restore from a backup, only do so once you're certain there is no malware left on your device.

As of the spring of 2016, the greatest risk is caused by the extension .js. This malware has a typical icon containing an s. If you run this locally, it is done with local rights (including admin) and no longer in the browser's 'sandbox'.

Some ransomware comes as other types of executable script:

• .scr is an executable;
• .docx / .docm / .xlsx files requesting to run macros;
• cryptoware is usually an executable (.exe) file hidden in a different file type, such as an image (.jpeg, .jpg, etc.) or a text (.doc, .docx, .pdf, etc.). Set Windows to show file extensions so you can see, for instance, if an image is really a .jpeg or is actually an .exe.