What do I do if I believe my system has been infected by Ransomware?

Here are some tell-tale signs your system may have been infected by Ransomware:

  • Your web browser or desktop is locked with a message about how to pay to unlock your system, and/or your file directories contain a "ransom note" file, usually a .txt file
  • All of your files have a new file extension appended to the filenames
    • Examples of Ransomware file extensions: .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky, or a 6-7 character extension consisting of random characters
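
A triage check built from the signs above, as an added example that is not part of the original page: it looks through a directory listing for the listed extensions or an appended 6-7 character extension and flags the directory when most files share one. The function names, the 80% threshold, the case-insensitive matching and the sample listings are assumptions made for illustration.

```python
import re
from collections import Counter
from pathlib import PurePath

# Extensions copied from the list above; compared case-insensitively (assumption).
KNOWN = {e.lower() for e in """.ecc .ezz .exx .zzz .xyz .aaa .abc .ccc .vvv .xxx .ttt
.micro .encrypted .locked .crypto _crypt .crinf .r5a .XRNT .XTBL .crypt .R16M01D05
.pzdc .good .LOL! .OMG! .RDM .RRK .encryptedRSA .crjoker .EnCiPhErEd .LeChiffre
.keybtc@inbox_com .0x0 .bleep .1999 .vault .HA3 .toxcrypt .magic .SUPERCRYPT
.CTBL .CTB2 .locky""".split()}

# "6-7 length extension consisting of random characters"
RANDOM_EXT = re.compile(r"\.[a-z0-9]{6,7}", re.I)

def suspicious_suffix(name):
    """Return the suspicious extension carried by a filename, or None."""
    lower = name.lower()
    known = [e for e in KNOWN if lower.endswith(e) and len(lower) > len(e)]
    if known:
        return max(known, key=len)          # prefer the most specific match
    # Only treat a random-looking extension as suspicious when it was
    # appended after a normal one (report.docx.k3j9x2q), not movie.torrent.
    suffixes = PurePath(name).suffixes
    if len(suffixes) >= 2 and RANDOM_EXT.fullmatch(suffixes[-1]):
        return suffixes[-1].lower()
    return None

def triage(names, threshold=0.8):
    """Flag a listing when one suspicious extension covers most of its files."""
    hits = Counter(s for s in map(suspicious_suffix, names) if s)
    top, count = hits.most_common(1)[0] if hits else (None, 0)
    ratio = count / len(names) if names else 0.0
    return {"suffix": top, "ratio": ratio, "flagged": ratio >= threshold}

# Constructed sample listings (not taken from a real incident).
INFECTED = ["budget.xlsx.locky", "notes.docx.locky", "photo.jpg.locky",
            "thesis.pdf.locky", "slides.pptx.locky", "HOW_TO_RECOVER.txt"]
RANDOMIZED = ["a.docx.k3j9x2q", "b.xlsx.k3j9x2q", "c.pdf.k3j9x2q"]
CLEAN = ["report.docx", "data.csv", "movie.torrent", "old.abc"]

if __name__ == "__main__":
    for label, listing in [("infected", INFECTED), ("randomized", RANDOMIZED),
                           ("clean", CLEAN)]:
        print(label, triage(listing))
```

A single match, such as `old.abc` in the clean listing, does not flag the directory; the sign described above is that nearly all files carry the same new extension.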

If you believe your system has been infected with Ransomware:

  1. Unplug your system from the campus network (e.g. disconnect Ethernet cables) and disable any other network adapters such as wireless network interfaces. Ensure your system is fully disconnected from campus networks and the Internet. This can help prevent the Ransomware from spreading to shared network resources such as file shares. Contact CSS-IT if you need assistance in disconnecting your system.
  2. Report the possible infection to Information Security and Policy.

If you do not have safe backups of your system, there may be options for unlocking your data:

Some variants of Ransomware have flaws in the way they implement the encryption used to lock your files. A collaboration between Intel Security, Kaspersky Lab, and Europol called No More Ransom! has a collection of decryption tools for Ransomware that has been cracked by researchers: