Warning! Global WannaCry Ransomeware Attack – What You Can Do To Prevent Infection

As has been reported in the media, there currently is a global ransomware attack (called WannaCry or WannaCryptor) that has affected computers worldwide. UT Arlington is currently not affected and both IT and Security teams are actively working this weekend to minimize the impact of an attack.

What you should know:

  • This malware affects all unpatched Microsoft Windows versions (from Windows 98 through Windows 10. Microsoft released patches for this in March through normal windows update.
  • Macintosh and Linux operating systems are not affected at this time.
  • The malware is initially delivered as an attachment or a link to a compressed .zip file. Unsuspecting victims who open the file on an unpatched computer are infected and the malware begins to encrypt files on the computer.
  • In addition to encrypting files, the malware looks for other computers on the network to infect, spreading itself within a vulnerable organization.

What has UTA IT Security has done so far:

  • An initial patch for the vulnerability was released in March and was installed on OIT managed Windows computers in the ARDC and on campus. Additional patches were released over the weekend.
  • Our Intrusion Prevention System has been updated to prevent direct attacks from the internet.
  • Our email system has been configured to quarantine compressed .zip files (that are manually inspected and released by OIT).
  • OIT has implemented protections on the file server to protect against encrypted files being placed on it.
  • OIT has verified that backups are running on the file servers (K: and J: drives) in the event of infection.
  • OIT has made available CrashPlan to back up data on computers.

What you should do:

  • Do not click on suspicious links or attachments received in your personal or UTA email. To learn about Ransomware: http://www.uta.edu/security/ransomware/
  • If your UTA computer managed by OIT, and it has not been turned on in a while, turn it on and reboot it when prompted.
  • If you are running an old version of Windows that is no longer supported (such as Windows 98 through Windows 8, Windows Server 20018, 2013, etc), Microsoft has released a patch that is available: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
  • Make sure that your home computers operating system and antivirus is up-to-date.
  • Do not open shared documents (e.g. Box, Dropbox, google drive, etc.) that you are not expecting.

If your UTA computer becomes infected, disconnect it from the network immediately. Please send email to helpdesk@uta.edu to report the infection.

Be aware of tax-related scams, phishing attacks or social engineering

Refund scams: With tax season approaching, it is now normal to expect criminal activity targeting tax refunds. Criminals can obtain personal information on you from a variety of sources, including your unwitting tax preparer. The Information Security Office encourages you to file your taxes as early as possible to reduce the chance of criminal elements filing for refunds before you do.

Phishing: It is also normal to expect an increase in phishing emails and attempts to lure you into inadvertently installing computer viruses. Use caution when clicking Web or email links or opening attachments related to tax returns. The IRS does not initiate any contact with taxpayers by email, text, or social media.

Many of the messages will have an urgent tone in the subject line and contents. Here are a few examples of subject lines based on those received in previous years:

  • Final reminder: Tax Refund Notification
  • Your 2017 – IRS Tax Refund Payment
  • Your IRS tax bank transfer is not approved.
  • Income Tax Refund REJECTED

If you receive an email that appears suspicious, send it to phish@uta.edu. Do not click on the links or open attachments.

Phone Scams: Always be cautious about providing your personal information over the phone, especially to individuals who initiate the call. In such cases, always offer to hang up, verify the nature of call, and to call them back at a number they provide. Do not rely on the caller ID information. Instead, seek out the organization’s official number and contact them directly. If you suspect attempted fraud or fall victim to a scam, contact your local law enforcement.

The IRS has recognized tax related fraud as a problem and has published several articles on their Security Awareness Tax Tips site at https://www.irs.gov/uac/IRS-Security-Awareness-Tax-Tips. Share the tips with your family, friends and even your tax preparer! If you fall victim to tax fraud, contact the IRS right away.

Advisory: Malware Delivered by Email

Please beware that several individuals at UT Arlington have reported receiving email messages containing an attached “.zip” files that contains hidden malware (malicious software).

The malware appears to be a ransomware (cryptolocker variant) – it will encrypt files on the infected computer as well as network drives. The email subject line is not consistent and may have one of the following subject lines:

  • Commission
  • Please find attached invoice no: <<random number>>

Your Actions:

  • If you receive a suspicious or unexpected email similar to the description above, do not open the attachment.  Instead, we ask you to send the email as an attachment to spam@uta.edu for analysis.
  • If you are expecting legitimate email with attached zip file, you will need to manually release it from quarantine. The email system should notify you of emails being placed in quarantine, or you can login to https://quarantine.uta.edu/ to check quarantined mail.  Please do not restore and open any suspicious or unexpected attachments you may find within the quarantine.
  • If you received the message and opened the attachment, please contact OIT help desk for assistance.

To learn about Ransomware:
http://www.uta.edu/security/ransomware/

To learn about Phishing:
http://www.uta.edu/security/phishing/

Example 1 of the message:

From: document@uta.edu [mailto:document@uta.edu]
Sent: Monday, August 29, 2016 5:58 AM
To: <<recepient>>
Subject: Please find attached invoice no: 6862055379

Attached is a Print Manager form.

Format = Portable Document Format File (PDF) ________________________________

Disclaimer

This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.

End of Example 1

Example 2 of the message:

From: <<random name and email address>>>
Sent: Monday, August 29, 2016 4:12 AM
To: <<recepient>>
Subject: Commission

Good morning <<name of recepient>>

Here is the excel file of the commission you earned last month. Please analyze the attachment to confirm the amount.

Regards,

<<Random Name>>

End of Example 2

 

Heartbleed Vulnerability

The following note has been adapted from a Texas Department of Information Resources notice to state agencies:

As you may have heard, there could be a serious weakness in the mechanism that protects your username, passwords, and other confidential information on various Internet sites. This advisory provides IT personnel with steps to ensure agency websites are safe. It also provides all agency staff with guidance for protecting credentials on work-related or personal websites that have the Heartbleed vulnerability.

IT personnel should take the following steps immediately:

  1. Patch all vulnerable OpenSSL systems – The information Security Office  has identified a number of servers and has contacted most server owners directly. Server owners include OIT and those in departments. Servers for whom OIT is unable to identify owners or that are not patched will be disconnected.
  2. Revoke and reissue certificates that use OpenSSL/TLS – Contact the information security office if you need assistance with this for a University owned server.
  3. Once items 1 and 2 are completed, force user password changes for all impacted accounts. UT Arlington Office of Information Technology will send a communication when NetID password changes should occur.

Additionally, all staff should take the following steps to protect their personal information:

  • Check to see if any non-UT Arlington websites you use (and on which you have accounts) are vulnerable:
    • Heartbleed Hit List – a listing of some popular websites and their vulnerability status [http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/]
    • Heartbleed Test – a tool for checking status of individual websites [http://filippo.io/Heartbleed/]
    • Qualys Heartbleed Test – a more in-depth analysis of encryption on websites [https://www.ssllabs.com/ssltest/]
    • CNET has posted a list of the Heartbleed status of the web’s top 100 sites [http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/]
    • The password manager, LastPass, also offers a simple Heartbleed checker that not only tells you if a site uses OpenSSL, but when the SSL certificate was regenerated, providing additional insight into what companies are doing to protect users [https://lastpass.com/heartbleed/]
  • Immediately change passwords for non-UT Arlington sites that are not vulnerable (whether repaired or never affected), giving first priority to critical accounts and email.
    • Create fresh, unique passwords for each account. Hackers will use credentials from one account to break into your other accounts.
    • Be alert for phishing scams attempting to lure you to credential-stealing sites. Do not click on links in emails that ask you to reset your passwords. To change your password, type the URL of the organization in a browser.
    • Note: Do not change your password before a site has addressed its Heartbleed vulnerability.

Now is a great time for everyone to do some password maintenance. Make sure your usernames and passwords are strong, choose unique passwords for different accounts, and change critical passwords frequently. And always be on the alert for malicious activity on the Internet.

Be aware of the Cryptolocker malware

Please be aware that a potentially new variant of the Cryptolocker ransomware has been identified. “Ransomware” is a new category of malware that can prevent access to a computer, or the data on it, unless the victim pays a ransom to the malware creator. The Cryptolocker malware encrypts files on the victims computer and then demands payment for the files to be unlocked.

Because this is a new variant of the malware, there are no current ways to protect you from it. The only protection is to not open attachments that you are not expecting or that look suspicious.  The malware is primarily delivered via email and often contain a subject line enticing you to open an accompanying attachment. Below is an example of the message (Subject: Invoice Payment Confirmation; Attachment: Invoice_Details_01.04.2014.zip).


The malware can potentially be sent to your UTA email or your personal email (e.g. gmail, Hotmail, yahoo, etc) account.

If you fall victim to this virus, you will not be able to unlock your files and must rely on your backups. The malware can be aggressive has been known to encrypt files on local hard drives, external drives and potentially your file shares (e.g. your K: and J: drives).

UTA Employees: To backup your data on a UTA owned computer, you may use CrashPlan  (search for “CrashPlan” in the search box on the UTA website).

For updates on this advisory, please check back periodically or send an email to security@uta.edu. If you need help on how to use CrashPlan or if you are a victim of this virus, contact the Help Desk at 2-2208.

Please see our previous blog entry about Cryptolocker for background and tips.