Ransomware FAQs

How does a computer become infected with Ransomware?

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website, and then malware is downloaded and installed without the user’s knowledge.

Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access to an organization’s network.

What can I do to protect against Ransomware?

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.

CISA has several recommendations for users and administrators to protect their computer networks from ransomware infection. Some of the most noteworthy include:

• Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection.
• Create and maintain an Incident Response Plan
• Limit exposed services, such as the remote desktop protocol, to the internet.
• Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
• Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
• Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
• Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine.
• Ensure that all hypervisors and associated IT infrastructure, including network and storage components, are updated and hardened
• Leverage best practices and enable security settings in association with cloud environments
• Do not follow unsolicited Web links in emails. Refer to the Phishing resources found on this website for more information.

Individuals or organizations are discouraged from paying the ransom, as this does not guarantee files will be released, nor does it change reporting obligations.  Should you experience ransomware on a campus system, please notify the Information Security Office at security@berkeley.edu.

What is the possible impact of Ransomware?

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including

• temporary or permanent loss of sensitive or proprietary information,
• disruption to regular operations,
• financial losses incurred to restore systems and files, and
• potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.