As has been reported in the media, there currently is a global ransomware attack (called WannaCry or WannaCryptor) that has affected computers worldwide. UT Arlington is currently not affected and both IT and Security teams are actively working this weekend to minimize the impact of an attack.
What you should know:
- This malware affects all unpatched Microsoft Windows versions (from Windows 98 through Windows 10. Microsoft released patches for this in March through normal windows update.
- Macintosh and Linux operating systems are not affected at this time.
- The malware is initially delivered as an attachment or a link to a compressed .zip file. Unsuspecting victims who open the file on an unpatched computer are infected and the malware begins to encrypt files on the computer.
- In addition to encrypting files, the malware looks for other computers on the network to infect, spreading itself within a vulnerable organization.
What has UTA IT Security has done so far:
- An initial patch for the vulnerability was released in March and was installed on OIT managed Windows computers in the ARDC and on campus. Additional patches were released over the weekend.
- Our Intrusion Prevention System has been updated to prevent direct attacks from the internet.
- Our email system has been configured to quarantine compressed .zip files (that are manually inspected and released by OIT).
- OIT has implemented protections on the file server to protect against encrypted files being placed on it.
- OIT has verified that backups are running on the file servers (K: and J: drives) in the event of infection.
- OIT has made available CrashPlan to back up data on computers.
What you should do:
- Do not click on suspicious links or attachments received in your personal or UTA email. To learn about Ransomware: http://www.uta.edu/security/ransomware/
- If your UTA computer managed by OIT, and it has not been turned on in a while, turn it on and reboot it when prompted.
- If you are running an old version of Windows that is no longer supported (such as Windows 98 through Windows 8, Windows Server 20018, 2013, etc), Microsoft has released a patch that is available: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
- Make sure that your home computers operating system and antivirus is up-to-date.
- Do not open shared documents (e.g. Box, Dropbox, google drive, etc.) that you are not expecting.
If your UTA computer becomes infected, disconnect it from the network immediately. Please send email to firstname.lastname@example.org to report the infection.
Please beware that several individuals at UT Arlington have reported receiving email messages containing an attached “.zip” files that contains hidden malware (malicious software).
The malware appears to be a ransomware (cryptolocker variant) – it will encrypt files on the infected computer as well as network drives. The email subject line is not consistent and may have one of the following subject lines:
- Please find attached invoice no: <<random number>>
- If you receive a suspicious or unexpected email similar to the description above, do not open the attachment. Instead, we ask you to send the email as an attachment to email@example.com for analysis.
- If you are expecting legitimate email with attached zip file, you will need to manually release it from quarantine. The email system should notify you of emails being placed in quarantine, or you can login to https://quarantine.uta.edu/ to check quarantined mail. Please do not restore and open any suspicious or unexpected attachments you may find within the quarantine.
- If you received the message and opened the attachment, please contact OIT help desk for assistance.
To learn about Ransomware:
To learn about Phishing:
Example 1 of the message:
From: firstname.lastname@example.org [mailto:email@example.com]
Sent: Monday, August 29, 2016 5:58 AM
Subject: Please find attached invoice no: 6862055379
Attached is a Print Manager form.
Format = Portable Document Format File (PDF) ________________________________
This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.
End of Example 1
Example 2 of the message:
From: <<random name and email address>>>
Sent: Monday, August 29, 2016 4:12 AM
Good morning <<name of recepient>>
Here is the excel file of the commission you earned last month. Please analyze the attachment to confirm the amount.
End of Example 2
Over the past few months, UT Arlington has fallen victim to Crypto-malware. In the two instances we’ve handled, documents in department K: drives were encrypted. We have recently received a notice from the Texas Department of Information Resources (DIR) Office of the CISO alerting us to several ransomware infections within the state. The infections include variants “CryptoLocker” and “CryptoWall.”
According to DIR, the Trojan appears to have been spread mainly though emails and in one case the email was presented as a fax confirmation. At UT Arlington, both infections involved employees browsing to websites that were infected. The computers involved had vulnerable Java and/or Adobe plug-ins; there is strong indication that this was the attack vector for the ransomware.
While it is possible to remove the virus itself, the ISO is unaware of any method to decrypt the files. The private key, needed for decryption, is stored on a Command and Control server and is only available to the attacker. The only way to recover from a Crypto attack is to restore from backups.
We urge all departments to ensure their systems and applications are fully patched, their anti-virus is up-to-date, and ensure current backups of critical files exist in approved locations. Approved locations include OIT managed K: and J: drives, UTA CrashPlan and UTA Box.com
Please be aware that a potentially new variant of the Cryptolocker ransomware has been identified. “Ransomware” is a new category of malware that can prevent access to a computer, or the data on it, unless the victim pays a ransom to the malware creator. The Cryptolocker malware encrypts files on the victims computer and then demands payment for the files to be unlocked.
Because this is a new variant of the malware, there are no current ways to protect you from it. The only protection is to not open attachments that you are not expecting or that look suspicious. The malware is primarily delivered via email and often contain a subject line enticing you to open an accompanying attachment. Below is an example of the message (Subject: Invoice Payment Confirmation; Attachment: Invoice_Details_01.04.2014.zip).
The malware can potentially be sent to your UTA email or your personal email (e.g. gmail, Hotmail, yahoo, etc) account.
If you fall victim to this virus, you will not be able to unlock your files and must rely on your backups. The malware can be aggressive has been known to encrypt files on local hard drives, external drives and potentially your file shares (e.g. your K: and J: drives).
UTA Employees: To backup your data on a UTA owned computer, you may use CrashPlan (search for “CrashPlan” in the search box on the UTA website).
For updates on this advisory, please check back periodically or send an email to firstname.lastname@example.org. If you need help on how to use CrashPlan or if you are a victim of this virus, contact the Help Desk at 2-2208.
Please see our previous blog entry about Cryptolocker for background and tips.