May 17, 2016
The US-CERT (US Computer Emergency Readiness Team) has issued a recent alert concerning ransomware. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. The alert warns that in early 2016, destructive ransomware variants such as Locky and Samas were observed infecting computers belonging to individuals and businesses, which included healthcare facilities and hospitals, worldwide.
Information Security and Policy (ISP) has received confirmed reports on campus of recent attempts to deliver the "Locky" family of ransomware via malicious email attachments. The most recent attempts come from forged @berkeley.edu email addresses (for example, the recipient's own email address) with Subject lines such as the following (note that they vary greatly):
- Document80
- Scan381
- Document5
- Doc242
- Scan0
- Emailing: Photo 05-18-2016, 03 86 27
- Emailing: DOC 05-18-2016, 09 25 37
- Emailing: Image 05-18-2016, 09 25 37
Accompanying these emails are .ZIP file attachments (e.g. Document80.zip) containing malicious JavaScript, Office documents with macros, or other payloads.
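A mail-filter check for the indicators this advisory lists (sender forged as the recipient's own address, the Subject families above, a .ZIP carrying JavaScript or macro documents), written as an added example rather than ISP's own tooling; the generalised subject patterns, the payload extension list and the sample messages are constructed assumptions:

```python
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# The advisory's Subject lines, generalised into two patterns (an assumption:
# "Document80 / Scan381 / Doc242" and "Emailing: <Photo|DOC|Image> <date>, <digits>").
SUBJECT_PATTERNS = [
    re.compile(r"^(Document|Scan|Doc)\d+$", re.I),
    re.compile(r"^Emailing: (Photo|DOC|Image) \d{2}-\d{2}-\d{4}, \d{2} \d{2} \d{2}$", re.I),
]
# Payload carriers the advisory names inside the ZIP: JavaScript and macro-capable Office files.
PAYLOAD_EXTENSIONS = (".js", ".jse", ".doc", ".docm", ".xls", ".xlsm")

def locky_indicators(raw: bytes) -> list[str]:
    """Return the advisory indicators matched by one raw RFC 5322 message (empty if none)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    sender, recipient = (parseaddr(msg.get(h, ""))[1].lower() for h in ("From", "To"))
    subject = (msg.get("Subject") or "").strip()
    hits = []
    if sender and sender == recipient:          # forged From: the recipient's own address
        hits.append("from equals to")
    if any(p.match(subject) for p in SUBJECT_PATTERNS):
        hits.append("subject: " + subject)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                hits += ["zip member: " + m for m in zf.namelist()
                         if m.lower().endswith(PAYLOAD_EXTENSIONS)]
        except zipfile.BadZipFile:              # truncated or disguised archive, still worth a look
            hits.append("zip attachment is not a valid archive")
    return hits

def build_sample(sender: str, recipient: str, subject: str, member: str) -> bytes:
    """Constructed test message modelled on the advisory; the ZIP holds only a harmless stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "// harmless stub, not a payload\n")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Document80.zip")   # attachment name quoted in the advisory
    return msg.as_bytes()
```

Running `locky_indicators` over a message with all three traits returns three hits; a message from a different sender with an ordinary subject and a .pdf inside the ZIP returns an empty list.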
Campus users are advised to be vigilant, as ransomware like Locky can be extremely destructive. Report suspected email messages containing ransomware to consult@berkeley.edu. Be sure to include the entire text of the message, including the email headers.
If you think your computer may have been infected by a ransomware attack, you should seek IT support through your IT support staff or contact ISP at security@berkeley.edu.
More information about ransomware can be found in the recent ISP campus advisory: Locky Ransomware Delivered via Email Attachments.
Or visit the Ransomware FAQ to learn basic information about ransomware and how to protect against it.