October is Cyber Security Awareness Month (CSAM), which aims to educate the campus community on ways to better protect themselves and their devices from unauthorized intrusions or cyberattacks. This week we will focus on ransomware.

What is ransomware?

Ransomware is a type of malicious software (a.k.a. malware) that locks the victim out of their computer or files – most often by encrypting them – until a ransom is paid. The ransomware typically displays a message letting the victim know that they have been locked out, along with instructions for how much to pay and directions on how to pay, typically with Bitcoin.

Ransomware is often spread through the use of stolen credentials, malicious links, and harmful attachments in emails; however, these are not the only delivery mechanisms. Other sources include malicious applications and files, and adware/spyware.

If it seems like ransomware is all over the news lately, it’s because it is. A recent survey of IT professionals by Sophos found that 44% of educational and 34% of healthcare institutions were hit by ransomware in 2020.  

Not only is the number of attacks going up exponentially, but the amount of money extorted per attack is also increasing. According to the National Security Institute, the average ransomware fee has gone from $5,000 in 2018 to $200,000 in 2020. Some additional sobering statistics include:

  • Ransomware attacks against universities increased by 100% between 2019 and 2020 and are now the Number 1 Cyber Threat facing Higher Education (BlueVoyant, 2021)
  • Since 2020, 1,681 higher education facilities have been affected by 84 ransomware attacks (Emsisoft, 2021)
  • Ransomware attacks against U.S. healthcare providers have caused over $157 million in losses since 2016 (HIPAA Journal, 2020)

Ransomware targets range from home users to corporate networks, and the attacks are evolving. It’s no longer just about encrypting your data; cybercriminals also threaten to divulge sensitive and confidential information, and recently have targeted software manufacturers to create supply chain infections. The recent ransomware attack on Colonial Pipeline created a multi-day shutdown that caused panic buying and the highest gas prices in seven years.

To pay or not to pay?

It is important to note that these are criminals. There are no guarantees that you’ll get access to your computer or files back if you pay the ransom or that the criminals will delete their copies of your files. The FBI and law enforcement advise never paying the ransom because it encourages the criminals to continue committing crimes. However, if the impact of losing the files could potentially have catastrophic consequences, and the criminal group that locked them has a track record of unlocking them if paid, then paying the ransom may be the best option. Regardless of what you choose, contact the UCSB IT Service Desk first if it’s a UCSB computer or data, and contact law enforcement for personal files.

What to do if you are the victim of ransomware

Work-related device

If you receive a ransomware popup or message on your device alerting you of an infection, take the following steps immediately to avoid any additional infections or data loss:

  1. Disconnect from the internet
    • Unplug the network cable
    • Put your device in airplane mode
    • Turn off WiFi and Bluetooth
  2. Disconnect any external drives, USB drives, phones, or cameras
  3. Do not turn off your computer. Report the incident to the UCSB Service Desk at (805) 893-5000

Personal device (never used for work)

What to do to minimize the risk of ransomware

To prevent a ransomware attack and mitigate the impact if one occurs, perform the following on an ongoing basis:

  1. Exercise caution when opening your messages. Most ransomware attacks begin with some sort of phishing message. Pay attention to emails you get and be on the lookout for phishing attempts. 
  2. Use anti-virus software and firewalls. It's important to obtain and use advanced anti-virus software and firewalls from reputable companies and continually maintain them through automatic updates. 
  3. Keep your devices and software up to date. Install updates ASAP for all of your operating systems and applications.
  4. Enable pop-up blockers. Pop-ups are regularly used by criminals to spread malicious software. To avoid accidental clicks on or within popups, it's best to prevent them from appearing in the first place.
  5. Always back up your computer content. Ransomware scams will have a limited impact on you if you back up, verify, and maintain offline copies of your personal and application data. If you are targeted, you can simply have your system wiped clean and then reload your files, instead of worrying about paying a ransom to get your data back.
  6. Don’t be an Admin all the time. If your computer lets you have separate user accounts, keep the administrative account separate from the ones used to do things on the computer. Accidents happen, and if they happen in an admin account they can do a lot more harm. And with work systems, use the least amount of privilege necessary to do what you do (don’t surf the web as root).
  7. Talk to your department’s IT team about any additional department-specific plans and precautions.

For more information, visit security.ucsb.edu or #ransomUCinfosec, and don’t forget to follow @UCSBInfoSec on Facebook, Twitter, LinkedIn, and Instagram, where you can find the most up-to-date information about events we’re hosting this school year. Thanks again, and we hope you stay cyber safe!