Topics Map > University of Chicago > IT Services > Accounts, Identity, & Security > Security

Phishing ALERT - CryptoLocker Ransomware Threat

University of Chicago email users have been targeted with email attacks that infect Windows computers with a "ransomware" virus called CryptoLocker. This article explains what CryptoLocker does and how to protect against it.

What does this virus do?

When this virus infects a system, it immediately encrypts the user's data and possibly the data on any external drives (such as USB/thumb drives) or network share drives to which the machine is currently connected. Once the data has been encrypted, the virus prompts the user to pay money by a specified deadline to decrypt the data. If there is no response before the deadline, the key to decrypt files specific to the encrypted machine is destroyed. Once the files are encrypted there are no other alternatives EXCEPT to recover the data from an offline backup.

Will your Antivirus program protect you?

At this time, both Symantec and other major antivirus vendors have updated signatures to this virus and prevent its infection. However, they do NOT not have a way to decrypt the files once they have been encrypted.  It is critical that you keep your antivirus active and updated daily.

What you can do to protect your computer and your data?

  • Do NOT open attachments from people you are not expecting to get attachments from. This includes emails from printers saying they have sent you a scanned document, or from shipping companies stating there is a customer support issue.
  • Continue to keep your antivirus signatures updated.
  • Importantly, the only sure way to beat this virus and others like it is to make regular backups of your data and store them offline.  If you backup your files to an external hard drive, do not leave it connected to your computer unless it is in the backup process.

What should I do if I get infected?

  • Immediately turn off your computer.
  • Do not attempt to move files or circumvent the problem.
  • Immediately contact the IT Services Service Desk (773-702-5800) or your local support group.

What is IT Services doing about it?

  • We have blocked email to campus mail servers that match known signatures for these attachments. However, be aware that attackers often make subtle changes to circumvent such controls.
  • We are monitoring for any evidence that this ransomware has impacted campus machines.
  • We are staying on top of developments and other means to thwart this attack.
  • We are working with IT groups across campus to implement awareness and technical control measures.

Keywords: malware encrypt encryption infection phish Ransomcrypt.F Gpcoder.H   Doc ID: 34505
Owner: Synita C.Group: University of Chicago
Created: 2013-10-15 12:52 CDTUpdated: 2013-10-15 18:10 CDT
Sites: University of Chicago