Over the last few days, VT faculty and staff have received email messages with subject lines such as "Missing payments for invoices”. These emails contain malicious attachments that encrypt local system files as well as files on shared network drives. After the files have been encrypted, users are then prompted to purchase a password from cyber-criminals in order to decrypt them.
Here are some technical steps to mitigate this threat:
- Configure computers to use the ITSO's Secure DNS. These DNS resolvers obtain ransomware feeds daily and will block network connections to known cryptolocker hosts. For more information, please see:
- Ensure that you have good backups that can be restored quickly and use the DoIT's NAS to store important data. The NAS has read-only snapshots that ransomware cannot encrypt.
- Deploy granular file system and share permissions on network file shares. This isolates and limits the damage to only certain file paths. For example, employees in 'Accounting' typically should not have access to 'Marketing' files or 'Academic' files located in the same share.
Ransomware and cryptolockers are on the rise. If you fall victim, follow our cryptolocker incident response diagram and report any and all potential PII data disclosures to the IT Security Office. Also, be aware that some forms of ransomware can be decrypted and several antivirus companies offer free decryption tools.
Finally, if you are unable to recover your files, do not pay the ransom. Contact the ITSO for further guidance.