Signs your system may have been infected by ransomware:
- Your web browser or desktop is locked with a message about how to pay to unlock your system, and/or your file directories contain a "ransom note" file, usually a .txt file
- All of your files have a new file extension appended to the filenames
- Examples of ransomware file extensions: .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky, or a 6-7 character extension consisting of random characters
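
The check below is added here as an example and is not part of the original guidance: it applies the extension signs above to a file listing, such as one exported from a file share. The COMMON extension set, the 0.5 threshold and the sample file names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Suffixes copied from the list on this page (compared case-insensitively).
KNOWN = """.ecc .ezz .exx .zzz .xyz .aaa .abc .ccc .vvv .xxx .ttt .micro
.encrypted .locked .crypto _crypt .crinf .r5a .XRNT .XTBL .crypt .R16M01D05
.pzdc .good .LOL! .OMG! .RDM .RRK .encryptedRSA .crjoker .EnCiPhErEd
.LeChiffre .keybtc@inbox_com .0x0 .bleep .1999 .vault .HA3 .toxcrypt .magic
.SUPERCRYPT .CTBL .CTB2 .locky""".lower().split()

# Assumption: a short set of ordinary document extensions, used to recognise
# "original.ext.<appended>" names. Extend it for your environment.
COMMON = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "jpg", "png", "txt", "csv"}
# A 6-7 character alphanumeric extension appended after another extension.
APPENDED = re.compile(r"\.([a-z0-9]+)\.([a-z0-9]{6,7})$")

def classify(name):
    """Return 'known', 'random-appended' or None for one file name."""
    lower = name.lower()
    # A bare suffix with no file name in front of it does not count.
    if any(lower.endswith(s) and len(lower) > len(s) for s in KNOWN):
        return "known"
    m = APPENDED.search(lower)
    if m and m.group(1) in COMMON:
        return "random-appended"
    return None

def triage(names, threshold=0.5):
    """Summarise a listing; 'suspicious' when most files carry a flagged suffix."""
    hits = Counter(filter(None, map(classify, names)))
    flagged = sum(hits.values())
    ratio = flagged / len(names) if names else 0.0
    return {"known": hits["known"], "random-appended": hits["random-appended"],
            "ratio": ratio, "suspicious": ratio >= threshold}

# Constructed sample listing (not real incident data).
SAMPLE = ["budget.xlsx.locky", "thesis.docx.locky", "photo.jpg.qzkvmpa",
          "notes.txt", "ransom_note.txt", "slides.pptx.locky"]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Some listed suffixes (.xyz, .abc, .magic) also occur on legitimate files, which is why the decision rests on the share of flagged files in the listing rather than on a single match.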
Responding to a Ransomware Infection
What to do if you believe your system has been infected with ransomware
1. Disconnect From Networks
- Unplug Ethernet cables and disable Wi-Fi or any other network adapters.
- Put your device in Airplane Mode
- Turn off Wi-Fi and Bluetooth
This can aid in preventing the spread of the ransomware to shared network resources such as file shares.
2. Disconnect External Devices
Immediately disconnect:
- USB drives or memory sticks
- Attached phones or cameras
- External hard drives
- Or any other devices that could also become compromised
3. Report the Incident
It is important that incidents are reported as early as possible so that campus can limit the damage and cost of recovery.
- If you have access to the internet on another system, see: Reporting an Incident.
- Or call us at: 510-664-9000, option 1, option 3