Information Security

Ransomware Response Procedure

Last modified 4/2/2020

In the event that ransomware has been identified on a university resource, or has been determined to have affected university data, the procedure outlined in this document should be followed.

Procedure

If ransomware has been identified, complete the following first:

  1. Isolate the infected computer immediately.
    1. Infected systems should be removed from the network as soon as possible to prevent the ransomware from attacking network or shared drives.
  2. Isolate or power off affected devices that have not yet been completely corrupted.
    1. This may afford more time to clean and recover data, contain damage, and prevent worsening conditions.
  3. Notify the Information Security Office through the Technology Support Center.
    1. Call 309-438-4357 to report the ransomware and initiate further actions. If they are unavailable or it is outside of their operating hours, send an email to abuse@ilstu.edu.
  4. Gather and document relevant information.
    1. Collect identifying information for affected systems (University asset tags, serial numbers, manufacturer and model, physical location, network jack ID).
    2. Identify all users of the affected systems.
    3. Note any details of when infection may have started.
    4. Identify network or shared drives users have permissions to.

Once the above steps are completed, appropriate IT staff should complete the following next:

  1. Create records in the IT ticket system used at the University.
    1. Each affected system that has been identified should have an incident created for it.
    2. Each user of the affected systems that has been identified should have an incident created for them.
    3. An infrastructure incident should be created to link all other incidents to.
  2. Require users to complete a password change.
  3. Investigate affected systems to identify impact.
    1. Identify all affected network and shared drives.

Additional Information

Definition of Ransomware

Ransomware is a specific type of malware that encrypts files on a network in a way that cannot be undone without a specific decryption key. Once the encryption process completes, messages and/or images on the computer indicate that the files are encrypted and that the key will only be released once a form of payment is completed. Attackers commonly require a form of digital currency that is extremely difficult for law enforcement to track. Lastly, there is often a time limit after which the attackers state they will delete the decryption key, leaving the files permanently encrypted.

Indicators of Ransomware

Ransomware generally does not reveal signs of infection until it has encrypted most or all of its target data. However, some early indicators of infection may include:

  • Malformed file names or empty documents known to have contained data
  • Filenames that have an odd alphanumeric value before the file type (e.g. "FY2019 Report.838AB29D3F19F.docx")
  • Filenames that have an odd file type appended to a common one (e.g. "FY2019 Report.docx.encrypted")
  • Text or help files with the same names exist alongside the encrypted files (e.g. "FY2019 Report.docx" with a "FY2019 Report.txt")
    • The file will often indicate that the original has been encrypted and include the words RECOVER, HELP, or READ in its name
    • There may be a single file with a filename such as HELP_TO_DECRYPT_YOUR_FILES.txt
  • The desktop background may be changed to a payment help screen
  • A ransomware instruction screen may be onscreen during or after booting
  • Some ransomware allows the computer to still be usable, and some ransomware does not
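The filename indicators above can be checked against a directory listing during the "investigate affected systems" step. The following is an added example written for this page, not part of the University's procedure or tooling: the sample listing is constructed, and the common-extension set, the 8-character hexadecimal token length and the two-indicator threshold are assumptions.

```python
import re

# Constructed sample directory listing for demonstration (not from a real incident).
SAMPLE_LISTING = [
    "FY2019 Report.docx",
    "FY2019 Report.838AB29D3F19F.docx",   # odd hex token before the real extension
    "Budget.xlsx.encrypted",              # odd extension appended to a common one
    "FY2019 Report.txt",                  # note sitting beside the document it names
    "HELP_TO_DECRYPT_YOUR_FILES.txt",     # ransom-note style filename
    "notes.txt",
    "README.md",
]

COMMON_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "jpg", "png"}  # assumed set
NOTE_WORDS = ("RECOVER", "HELP", "READ", "DECRYPT")
# 8+ hex characters between two dots (assumed length); the lookahead demands at least
# one A-F so a purely numeric token such as a date ("report.20200402.docx") is not flagged.
HEX_TOKEN = re.compile(r"\.(?=[0-9]*[A-Fa-f])[0-9A-Fa-f]{8,}\.(\w+)$")

def check_filename(name, listing):
    """Return the indicator labels that one filename matches, given its full listing."""
    hits = []
    stem, _, ext = name.rpartition(".")
    ext = ext.lower()
    m = HEX_TOKEN.search(name)
    if m and m.group(1).lower() in COMMON_EXTS:
        hits.append("hex-token-before-extension")
    parts = name.rsplit(".", 2)
    if len(parts) == 3 and parts[1].lower() in COMMON_EXTS and ext not in COMMON_EXTS:
        hits.append("extension-appended")
    if ext == "txt":
        if any(w in stem.upper() for w in NOTE_WORDS):
            hits.append("ransom-note-name")
        # a .txt whose stem equals that of a non-.txt document in the same listing
        if any(f != name and f.rpartition(".")[0] == stem
               and f.rpartition(".")[2].lower() in COMMON_EXTS - {"txt"} for f in listing):
            hits.append("note-beside-document")
    return hits

def triage(listing, min_distinct=2):
    """Map each flagged filename to its indicators; the listing is treated as suspicious
    when at least `min_distinct` different indicator types appear (assumed threshold)."""
    flagged = {}
    for n in listing:
        hits = check_filename(n, listing)
        if hits:
            flagged[n] = hits
    distinct = {label for hits in flagged.values() for label in hits}
    return flagged, len(distinct) >= min_distinct
```

Feed `triage` the names from `os.listdir` of a share or a saved `Get-ChildItem` output; a single hit (for example a legitimate README.txt) is only a lead, which is why the verdict requires several distinct indicator types.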