What do I do if I believe my system has been infected by Ransomware?

Signs your system may have been infected by Ransomware:

  • Your web browser or desktop is locked with a message about how to pay to unlock your system and/or your file directories contain a "ransom note" file that is usually a .txt file
  • All of your files have a new file extension appended to the filenames
    • Examples of Ransomware file extensions: .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky or 6-7 length extension consisting of random characters

Responding to a Ransomware Infection

What to do if you believe your system has been infected with ransomware

1. Disconnect From Networks

  • Unplug Ethernet cables and disable wifi or any other network adapters. 
  • Put your device in Airplane Mode
  • Turn off Wi-Fi and Bluetooth

This can aid in preventing the spread of the ransomware to shared network resources such as file shares.

2. Disconnect External Devices

Immediately disconnect:

  • USB drives or memory sticks
  • Attached phones or cameras
  • External hard drives
  • Or any other devices that could also become compromised

3. Report the Incident

It is important that incidents are reported as early as possible so that campus can limit the damage and cost of recovery.