Information Services

Ransomware

Protecting Against Ransomware Attacks

Ransomware 

Ransomware – a type of malware which ‘locks’ the files on a computer and then demands payment to unlock them – is a growing threat all across the world. 

Ransomware attacks are launched via email and are a major threat to our data, with several recent examples compromising Queen’s systems.  They have the potential to cause reputational damage and loss of important data. 

At Queen’s, we provide security through our network firewall and through the use of anti-virus software.  However, these measures cannot catch every threat and we rely heavily on you being alert to threats and taking due care to avoid them.  

We urge you to read the information below and follow the guidance given.

How do I recognise a Ransomware attack?

Ransomware is typically delivered via an email which asks you to open an attached file which contains the Ransomware virus.  The email may look genuine in many respects and may seem to come from a bona fide source (e.g. Fedex).  Remember that email addresses can be ‘spoofed’ to disguise their true source. 

Ransomware emails seen at Queen’s have had the following subject lines:

      • Invoice
      • Unable to deliver your parcel
      • Purchase order
      • You have a new voicemail

You should take extra care with emails with these subject lines but also be aware that the attacker could use any subject which might hope to attract your attention.

Ransomware emails have attachments which they will encourage you to open.   The types of attachments seen to date have been .zip, .rar, .wav, .tar, .tsg but you should be vigilant about all zipped attachments. You should only open a zipped attachment if you are expecting one from a known source and you are satisfied that the email is genuine.

Click on the images below to view examples of ransomware emails which were received by Queen’s staff:

Key questions to ask yourself are:

      • Am I expecting an email from this organisation?
      • Have I actually purchased or used the service being referred to?
      • Am I confident that the attachment is safe?

If the answer is “no” then you should delete the email or at least verify its authenticity. 

Opening Ransomware attachments

If you decide to open an attachment and you are prompted to download or unzip it, or are advised that it has been saved in the Download directory, you still have the option to halt the process.  If you become concerned that the attachment might carry a virus, you should proceed no further until you are completely sure of the source and the message. Where you have doubt, you should send the email to abuse@qub.ac.uk.

If you opened the attachment in the first example above, you would see the following on your screen:

Ransomware

If you proceeded to open the downloaded file you would be presented with the following dialog box:

Ransomware

As this attachment did in fact contain a Ransomware virus, clicking “Open” would result in all the files on your computer being encrypted and a screen similar to below presented to you.  It is therefore vital that you take these opportunities to think again: “Is this message genuine?”

What do I do if my PC (or other device) is infected by Ransomware?

If it gets onto your PC, the Ransomware will encrypt (lock) the files on your PC.  At this point the files on your computer are no longer accessible to you and you must take the following action:

      1. Do not follow any of the advice on your computer screen (see example below)
      2. DO NOT PAY THE RANSOM
      3. Do not plug in any USB storage device in an attempt to recover backed up data
      4. Disconnect your computer from the power supply immediately
      5. You must report the incident to Data Security infosec@qub.ac.uk and the IT Service desk (028) 9097 3760

Ransomware

Protecting yourself from a ransomware attack.

To protect yourself, follow this advice:

      • Look out for the warning signs described above
      • Be very suspicious of unsolicited emails, especially those that ask you to open an attachment
      • If in doubt, verify the authenticity of the message before proceeding
      • If you open an attachment and have second thoughts, stop immediately

It is vital that you have the means to recover data that might be lost through Ransomware or other cause.  Queen’s strongly recommends that you back up your data to the Q: drive:

      • If you do not know how to find the Q: drive contact your School IT Officer or the IT Service Desk
      • If there is not enough space on your Q: drive contact your School IT Officer or the IT Service Desk.

 Last updated June 2016