Ransomware

Ransomware is a type of malware that infects systems and locks the system or encrypts files located on the system or on connected network shares. The users are often extorted for money via an on-screen alert. The notification typically states that the user's system has been locked or the files encrypted and that they must pay a specific dollar amount, frequently ranging from $200-$400, via a virtual currency for access to be restored.

Widely known variants of ransomware:
Xorist, CryptorBit, Locky, Cerber, Cryptolocker, and SamSam (a.k.a. MSIL/Samas.A).

How is ransomware installed?
Earlier versions of ransomware, such as CryptoLocker, were dependent on a user opening malicious attachments from phishing emails and would sniff out and encrypt specific file types on the user's system.

Current versions can infect systems via drive-by downloading, through social media (such as Web-based instant messaging applications), or from exploits being uploaded via vulnerable Web servers. 

Impact
Ransomware can find and encrypt files located on local drives and attached drives, such as USB drives, shared network drives, external hard drives, network file shares, and even some cloud storage drives. Not only can this affect the files of the user, but it could affect the files of an entire department if the files on a shared network resource are encrypted.
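Because an encryptor rewrites the contents of ordinary documents on local and shared drives, one simple defender-side check is to look for files whose extension promises readable text but whose bytes look uniformly random. The script below is an added example and is not code from the original page or from any of the named ransomware families; it builds a small constructed "share" in a temporary directory (one plain-text report and one CSV whose content has been replaced with random bytes to stand in for an encrypted file), then flags any low-entropy file type whose Shannon entropy is close to 8 bits per byte. The extension list and the 7.5-bit threshold are assumptions chosen for this illustration.

```python
import math
import os
import tempfile
from collections import Counter

# File types that normally hold compressible, low-entropy content.
# A file with one of these extensions whose bytes look uniformly random
# has very likely been overwritten by an encryptor. (Assumed list.)
LOW_ENTROPY_TYPES = {".txt", ".csv", ".log", ".xml", ".json", ".html"}

# Bits per byte above which content is treated as encrypted/random.
# Natural-language text usually measures around 4 to 5 bits per byte.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: str, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True if the first 64 KiB of the file has entropy at or above `threshold`."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(65536)) >= threshold


def scan_share(root: str, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Walk `root` and return relative paths of text-type files that look encrypted."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            full = os.path.join(dirpath, name)
            if ext in LOW_ENTROPY_TYPES and looks_encrypted(full, threshold):
                flagged.append(os.path.relpath(full, root))
    return sorted(flagged)


def build_sample_share() -> str:
    """Create a constructed sample directory: one clean text file, one 'encrypted' CSV."""
    root = tempfile.mkdtemp(prefix="share_")
    # Constructed sample: a plain-text report with ordinary, low-entropy content.
    with open(os.path.join(root, "report.txt"), "wb") as fh:
        fh.write(b"Quarterly budget summary.\n" * 200)
    # Constructed sample: a CSV whose bytes have been replaced by random data,
    # standing in for a file an encryptor has already rewritten.
    with open(os.path.join(root, "budget.csv"), "wb") as fh:
        fh.write(os.urandom(8192))
    return root


if __name__ == "__main__":
    share = build_sample_share()
    print("Suspicious files:", scan_share(share))
```

Running it prints `budget.csv` as the single suspicious file. In practice this heuristic is a tripwire rather than a classifier: it will not flag files the encryptor has renamed to a new extension, and it says nothing about formats that are already compressed (ZIP-based Office documents, images), so it is best paired with file-server change monitoring and the backups the Prevention section points to.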

Prevention
US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

What to do if you are infected
Turn off your computer and disconnect it from the network.
Contact IT Service Desk.