
Information Technology

Ransomware Notice

Notification was sent November 20, 2014 to entire campus regarding malware making rounds

To: Students, Faculty and Staff
From: Information Technology
Subject: Ransomware Malware Alert

Attention All Faculty Staff and Students

CUNY Central has alerted all campuses to the following malware threat that is infecting many personal and professional computing devices around the world. This may sound like science fiction but unfortunately is real and we are taking precautions here at York.

Over the past month, the University has suffered several incidents of ransomware malware infection with varying degrees of impact. Ransomware encrypts accessible document files, rendering them unusable, and demands a ransom to decrypt them. The more prevalent varieties are known as CryptoWall and CryptoLocker. You can get infected via email links, popup ads and phishing web sites, with many new methods reported on a regular basis. Ransomware can potentially encrypt every document file it can access, including those on writeable network volumes and shared folders; because of this, there is the potential for considerable impact from even a single infection. The only way to recover from an attack without having to pay a ransom is to have a pre-infection backup of your data.

Due to the Windows 7 update a few months ago, all the computers on campus have their "My Documents" folder redirected to the network. The folders in My Documents are backed up every night. Should anyone with this configuration profile get infected, there is a high probability of recovering data from backup.

However, there are some users who already had Windows 7 before we started the upgrades and who have yet to have their My Documents folders moved to the network. We are currently in the process of moving these remaining outliers. This is also true of anyone who uses a Mac computer. Our technical support staff expects to complete this last phase of the Windows 7 project before Thanksgiving. Communications have already started to inform users and schedule the moving of the data. We are doing everything we can to limit any inconvenience, but the seriousness of this threat cannot be overstated, and for that reason we have escalated what was already planned for the remaining systems.

There are some precautions that should be taken by those pending the move. Save your critical files to your network share, which everyone has available on PCs. This is normally the "S" drive. This will at minimum ensure a backup of your critical data files should there be an infection. Those of you who have Mac computers can expect a personal visit starting tomorrow with a special handout that shows you how to save critical files to the network from your systems while we work out a script that will eventually sync your Documents folder up to the network.

Those of you who use laptops and other wireless devices should make regular backups of your critical data to thumb drives and other external storage media.

Students who use shared systems on campus should not be storing data on any local drives and should take advantage of network shares at York as well as the available cloud storage provided by Outlook 365, which is part of the York Live email hosted services from Microsoft.

Everyone should take precautions by following best practices as outlined at the Central Security web site, which can be found at the following link: https://security.cuny.edu

We will have more information and communications in the coming weeks as we learn more and harden our security procedures.

Greg Vega

Director Service Delivery Unit

Information Technology York College

Additional information on ransomware:

Ransomware is a behavioral category of malware that seeks to infect vulnerable systems and encrypt all document files on local storage volumes (e.g., hard drives) and accessible network folders. Files that have been so encrypted are unusable and can't be decrypted without a unique decryption key held by the perpetrators. After encryption completes, the malware displays a ransom note with instructions, typically demanding payment in the virtual currency called Bitcoin. Paying the ransom doesn't guarantee successful recovery, though decryption has become more reliable in recent variants.

Ransomware infections typically occur in the same way that other forms of malware infection do, often through malicious attachments or links in spam/phishing emails and by browsing to a website that has been compromised to infect visitors. New variants of malware are frequently produced to escape detection and prevention by anti-virus and intrusion detection systems. As well, communication with the attacker's server (used to hold the decryption keys) is laundered through network "anonymizers" and other mechanisms to deter tracing.

Recent ransomware variants such as CryptoWall 2.0 are effective and can't be circumvented, limiting recovery options.
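The behaviour described above, a single infected account rewriting every document it can reach on a writeable share and dropping a ransom note, is also what makes an infection detectable from file-server audit logs. The following script is an added example and is not code from York College IT, CUNY or any of the vendors linked below. It assumes a simplified audit-line format (`timestamp user OPERATION path`), and the ransom-note names and file suffixes it looks for are illustrative assumptions, not indicators taken from this notice. The sample log lines are constructed inline.

```python
"""Flag the mass-modification pattern a ransomware infection leaves on a file share.

Two heuristics, both defensive:
  1. "burst"     - one user touches many distinct files within a short window
  2. "indicator" - a file is renamed/created with a suspicious suffix or ransom-note name
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative names only (assumption for this example, not from the notice).
SUSPICIOUS_SUFFIXES = (".encrypted", ".locked", ".crypt")
RANSOM_NOTE_NAMES = ("DECRYPT_INSTRUCTIONS.txt", "HELP_DECRYPT.html")

# Operations that can destroy or replace a document's contents.
DESTRUCTIVE_OPS = ("WRITE", "RENAME", "CREATE")


def parse_event(line):
    """Parse 'YYYY-MM-DDTHH:MM:SS user OP path' (assumed audit format) into a dict."""
    ts, user, op, path = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user, "op": op.upper(), "path": path}


def has_ransomware_indicator(path):
    """True if the file name matches a known ransom-note name or encrypted-file suffix."""
    name = path.rsplit("/", 1)[-1]
    return name in RANSOM_NOTE_NAMES or name.lower().endswith(SUSPICIOUS_SUFFIXES)


def detect(lines, window=timedelta(seconds=60), threshold=20):
    """Return a list of alerts for the given audit lines (events may arrive out of order)."""
    events = sorted(map(parse_event, lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # user -> deque of (ts, path) inside the sliding window
    burst_flagged = set()         # report each user's burst only once
    alerts = []
    for ev in events:
        if ev["op"] not in DESTRUCTIVE_OPS:
            continue
        if has_ransomware_indicator(ev["path"]):
            alerts.append({"user": ev["user"], "reason": "indicator",
                           "path": ev["path"], "ts": ev["ts"]})
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and ev["user"] not in burst_flagged:
            burst_flagged.add(ev["user"])
            alerts.append({"user": ev["user"], "reason": "burst",
                           "count": len(distinct), "ts": ev["ts"]})
    return alerts


def _constructed_sample():
    """Constructed audit lines: normal activity by two users, then one user encrypting a share."""
    lines = [
        "2014-11-20T09:00:01 alice WRITE S:/shared/report.docx",
        "2014-11-20T09:20:15 alice WRITE S:/shared/report.docx",
        "2014-11-20T09:41:00 bob WRITE S:/shared/budget.xlsx",
    ]
    base = datetime(2014, 11, 20, 10, 0, 0)
    for i in range(25):   # 25 distinct files rewritten within 25 seconds
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} carol WRITE S:/shared/doc{i}.docx")
    lines.append(f"{(base + timedelta(seconds=26)).isoformat()} carol CREATE S:/shared/DECRYPT_INSTRUCTIONS.txt")
    return lines


SAMPLE_LINES = _constructed_sample()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

The burst threshold and window are the tuning knobs: set them from a baseline of ordinary save activity on the share, and feed alerts to whoever can disable the offending account and disconnect its machine before the nightly backup picks up encrypted copies.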

More detailed information can be found here:

https://kc.mcafee.com/corporate/index?page=content&id=PD25480

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

Thank you.

Greg Vega

York College