Skip to Navigation
University of Pittsburgh
Print This Page Print this pages

December 5, 2013

Technology Corner:

Ransomware – Phishing just got personal

CSSD

Maybe you’ve caught recent news reports or social media posts about a new piece of malware called CryptoLocker.

Or maybe you’ve noticed an increase in unexpected messages with attachments appearing in your own email inbox — messages that appear to come from Human Resources, or to include a scanned document from a photocopier, or to be alerting you to a problem with a package from UPS or DHL.

The University and most other large organizations are seeing an increase in email of this nature; the attachments contain the CryptoLocker malware.

If someone opens the attachment, malware is installed on the computer. The malware then begins to encrypt all of the data on the hard drive.

Once the encryption is completed, a ransom note is displayed on the computer screen with a warning that says something along the lines of  “Pay up, or you’ll never see your files again.”

Encryption

“But,” you may be thinking, “encryption is good, right?”  The University encourages people to encrypt their data so that if their laptop falls into the wrong hands, the data cannot be accessed and misused.

Encryption is definitely good when you have the ability to decrypt the data.

With this particular malware, however, you don’t hold the key to do the decryption — the extortionist does.

Spam, virus and malware filtering

CSSD uses a filtering system that monitors incoming email for spam, malware and known viruses. The system detects malware by looking for a particular signature or pattern within files.

Malware generators know this, and modify the malware slightly so that it becomes different from its known signature and harder for the filtering system to detect. When a new piece of malware — or a variant on an existing one — appears, it takes some time for the signature pattern to be identified and distributed to the filter.

In the meantime, messages containing the new or modified malware slip through the filter and into people’s inboxes. While most people know to look at all email attachments with a healthy dose of suspicion, some people still click to open.

Even if fewer than 1 percent of recipients open a malware attachment, the number of infected machines quickly adds up.

Protection tools

When CSSD becomes aware of messages of this type getting through the University’s email filters, examples of the messages are examined to determine what can be done to block them and their malicious effects.

CSSD then takes steps to mitigate risk to the University community. For instance, we send the messages to the filtering system’s engineers for analysis, who in turn use this to refine the filters. New malware signatures are sent to Symantec so they can be added to the known list of malware signatures. When possible, malicious web addresses are blocked and reported.

While we do what we can with technology to protect you, the strongest line of defense is YOU.

Vigilance and common sense

What can you do to protect yourself?  Exercise vigilance and a healthy level of suspicion.

When looking at messages, consider:

• Who is it from?  Do you often get email from that address? Some addresses can be spoofed, claiming to come from your officemate or an official role like administrator@pitt.edu.

• Does the subject header match the content of the message? Does it seem like something you would get from the sender?

• Does the offer in the email look too good to be true? Then it is.

• Does the message ask for personal information like account numbers, birth date, Social Security number or password? If so, warning flags should be flying. The IRS, your bank and the University never will ask for this type of information in an email.

• If there are URLs in the message, do they point to the place they claim to point to? If you hover over the link, you can see the actual URL it will send you to.  If the link says http://my.pitt.edu but is sending you to http://sdfsdfjkjk.com/webform.php, it is not legitimate.

• Are there attachments? At one time you only needed to worry about files that could be executed, but no longer. Now, malicious programs can be embedded in document and picture files. If you’re not expecting an attachment, it’s best not to open it.

Bottom line

• Back up your files on a regular basis.

Then if you get hit by ransomware, you won’t need to decrypt your files because you can simply restore them from your backup.

• When you get suspicious emails, delete them.

• If you are unsure about a message, please contact the technology help desk at 412/624-HELP (4357).

• Keep the operating system (OS) on your computer up to date.

OS updates include the most current security features. Windows, Mac OS and most popular Linux distributions provide a method to do this automatically.

• Download and install Symantec Endpoint Protection.

CSSD makes Symantec available at no cost to all faculty, staff and students through the software download service at my.pitt.edu.

When installed and kept current with the latest malware signatures, this software will provide a layer of protection if you inadvertently click on the wrong thing, whether that’s a link to a malicious website or an infected attachment.

Don’t panic

In the event that all of this fails and you find that your machine is infected, don’t despair — and don’t pay a ransom.  Help is available.

If your department has an IT administrator or CSSD contractor, that person may be able to help you recover your files.

In addition, CSSD can help you through the analysts at the technology help desk, who are on call every hour of every day of the year. You can also drop by the CSSD desk in the University Store on Fifth.

Chris Keslar is a research and development analyst for CSSD.


Leave a Reply