Ransomware is a category of malicious software that renders the victim's data files unusable by encrypting them until a "ransom" has been paid. Ransomware has been responsible for high-profile outages in the last few years. Organizations all over the world, including city governments, hospitals, police departments, major corporations, and universities, have fallen victim to ransomware attacks. A ransomware incident affecting a lab computer can be extremely disruptive, and may result in loss of research data.
Protect yourself against ransomware
Backup important data
Effective backups are the best protection against loss of data caused by ransomware. Ensure that reliable and ongoing backups of all important data are in place. A ransomware attack renders your important data completely unusable. If you have an effective backup solution in place, recovering from a ransomware attack is fairly simple. See Backup Guidelines for more information.
Keep software up to date
Malicious software often takes advantage of security flaws in common programs and operating systems. These flaws are routinely discovered and fixed in updates. To make sure your devices stay protected, keep the programs you use and the operating systems on your devices up to date when new updates become available.
Restrict remote access
Improperly secured remote access is one way that ransomware can infect a computer. If you allow remote access to a computer, make sure you understand the security implications. Choose strong passwords and limit access at the network level. Consider implementing multi-factor authentication for remote access. Don't use more than one method for remote access. See Remote Access Guidelines for more information.
Limit usage of lab computers and instrument controllers
Shared lab computers and instrument controllers are often configured in a way that makes them more vulnerable to attacks. To limit exposure, use these systems only for their intended purpose. Do not use them for web browsing, email, or other functions. See Lab and instrument controller security for more information.
Use Caltech-provided email services
Email continues to be the primary method by which scams and viruses, including ransomware, are introduced into the campus environment. IMSS does not recommend forwarding your Caltech mail offsite. Your Caltech Office 365 mailbox is protected by a variety of email security features and technologies. If you forward your email, you lose many of the benefits that our mailbox protection tools provide, since these tools won't be able to act on malicious messages that have been delivered to an offsite mailbox. IMSS also will not be able to proactively monitor access to your mailbox for anomalous activity, and in the event of a security incident involving your mail or access to your mailbox, we will have very limited ability to assist you in determining what happened.
What to do if a ransomware infection has occurred
Immediately power off the infected system
Leaving the infected system running reduces the chances of recovering files. Power the system off completely and leave it off until you can get assistance.
Contact IMSS for help
Send an email to email@example.com or call the Help Desk at x3500 or 626-395-3500 during business hours.
Eliminate the infection and restore data if possible
Recovery will typically involve rebuilding the infected computer (re-installing the operating system). If the affected data was backed up properly, it can be restored to the rebuilt system. If the affected data was not backed up, it will probably not be recoverable. In some cases, particularly with older strains of ransomware where the encryption was not implemented properly, there may be decryption tools available. IMSS can help determine if this is an option, but often it is not.
Do not pay the ransom
IMSS recommends not to pay the ransom. There is no guarantee that paying the ransom will restore your lost data. And even if it does, when criminals observe your willingness to pay they are more likely to target you again.
Tools designed to help determine what type of ransomware a system has been infected with
Protecting against ransomware
More information about preventing ransomware infections
UC CERT Advisory