Ransomware is a type of malicious software that attackers use to encrypt an organization’s systems or data and then extort payment in exchange for restoring access. Ransomware attacks can be disruptive and harmful to organizations, resulting in financial loss, the permanent loss of sensitive or proprietary information, and reputational damage. At LBNL, DOE will not authorize funds to pay a ransom. Avoid data loss by selecting a backup strategy that is ransomware resistant.
Backups are the standard way to recover data after a system is infected with ransomware. However, in a recent incident at UCSF, the attackers deleted the system backups before encrypting the data, removing any ability to recover and forcing the school to pay $1.14 million in exchange for a tool to unlock the encrypted information. Ransomware is not new, but the attack reflects a growing trend: approximately $350 million in ransom was paid to malicious cyber actors in 2020, a 300%+ increase over the previous year (DOJ 21-656). In 2021, federal partners launched StopRansomware.gov, a resource hub to help combat the rising number of ransomware incidents.
Examples
Cyber attackers use a variety of evolving tactics to access systems and pressure victims for payment. Be aware that while ransomware attacks are possible on any platform, the vast majority of attacks occur on Windows. If you work in a primarily Windows environment, you are at increased risk of a ransomware attack. Common methods of infection include:
- Visiting unsafe, suspicious, or fake websites.
- Opening unexpected file attachments from unknown sources in phishing emails.
- Clicking on malicious links in emails, social media, on-screen alerts, and SMS texts.
- Exploiting vulnerable internet-facing servers, such as web servers that still use default passwords or are missing security patches.
Below is an example of how a ransomware attack unfolds (adapted from NIST):
- A user is tricked into clicking on a malicious link that downloads a file from an external website.
- The user executes the file, not knowing that the file is ransomware.
- The ransomware takes advantage of vulnerabilities in the user’s computer and other computers to propagate throughout the organization.
- The ransomware simultaneously encrypts files on all the computers, then displays messages on their screens demanding payment in exchange for decrypting the files.
Recommendations
The IT Division provides data backup, backup administration, and data-restoration services for the Berkeley Lab community. Visit the IT FAQ on Backup Services Information to learn more.
Mitigate the risk of ransomware by taking the following steps:
- Back up your data using a secure, ransomware-resistant backup solution:
  - Druva is the recommended IT backup solution for workstations.
  - Google Drive is a great backup solution, and the Lab license allows unlimited storage.
- Ensure systems and devices meet the Berkeley Lab Minimum Security Requirements.
- Be aware of social engineering methods used to attack victims, such as phishing.
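The UCSF incident described above is exactly the case a ransomware-resistant backup has to survive: the attacker first deletes the backups using whatever credential the infected workstation holds, and only then encrypts. The following is an added illustration, not code from this post and not LBNL's Druva or Google Drive tooling. It uses a toy in-memory backup store with constructed file contents, timestamps and an "endpoint" versus "admin" role split, and contrasts the weak configuration (the workstation credential can delete backups) with the resistant one (the workstation credential can only append new versions). It also shows why a restore must select by pre-infection timestamp rather than "latest", since the backup run after the infection dutifully uploads the encrypted copies.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Version:
    written_at: float  # time the backup client uploaded this copy
    sha256: str        # content hash, verified on restore
    data: bytes


class VersionedBackupStore:
    """Backup target that keeps every version of every file (constructed model).

    endpoint_can_delete=False models a ransomware-resistant store: the credential
    on the workstation may append new versions but never remove old ones, and
    deletion needs a separate 'admin' credential that never lives on a workstation.
    endpoint_can_delete=True models the weak setup that failed in the UCSF case.
    """

    def __init__(self, endpoint_can_delete: bool):
        self.endpoint_can_delete = endpoint_can_delete
        self._versions: dict[str, list[Version]] = {}

    def put(self, role: str, path: str, data: bytes, now: float) -> None:
        if role not in ("endpoint", "admin"):
            raise PermissionError(f"unknown role {role!r}")
        v = Version(now, hashlib.sha256(data).hexdigest(), data)
        self._versions.setdefault(path, []).append(v)  # append, never replace

    def delete(self, role: str, path: str) -> None:
        if role != "admin" and not self.endpoint_can_delete:
            raise PermissionError("endpoint credential cannot delete backups")
        self._versions.pop(path, None)

    def restore(self, path: str, before: float) -> bytes:
        """Newest version written strictly before `before` (the time the
        infection is believed to have started), verified against its hash."""
        clean = [v for v in self._versions.get(path, []) if v.written_at < before]
        if not clean:
            raise LookupError(f"no pre-infection version of {path}")
        v = max(clean, key=lambda v: v.written_at)
        if hashlib.sha256(v.data).hexdigest() != v.sha256:
            raise ValueError(f"backup of {path} failed integrity check")
        return v.data


# Constructed sample files standing in for a workstation's documents.
SAMPLE_FILES = {"notes.txt": b"lab notebook, day 1", "data.csv": b"x,y\n1,2\n"}


def simulate_incident(endpoint_can_delete: bool):
    """Nightly backup -> attacker deletes backups with the workstation's
    credential -> files are encrypted -> the next backup uploads the
    ciphertext -> responder restores.  Returns the recovered files, or
    None if recovery is impossible."""
    store = VersionedBackupStore(endpoint_can_delete)
    t_backup, t_infection = 1000.0, 4600.0
    for path, data in SAMPLE_FILES.items():
        store.put("endpoint", path, data, now=t_backup)

    # Step 1: the attacker tries to destroy the recovery path first.
    for path in SAMPLE_FILES:
        try:
            store.delete("endpoint", path)
        except PermissionError:
            pass  # resistant store: the attempt is refused

    # Step 2: files on disk are encrypted; the next backup run faithfully
    # uploads the encrypted copies as new versions (simulated ciphertext).
    for path, data in SAMPLE_FILES.items():
        fake_ciphertext = b"ENCRYPTED:" + hashlib.sha256(data).digest()
        store.put("endpoint", path, fake_ciphertext, now=t_infection + 60)

    # Step 3: recovery selects the newest version older than the infection,
    # not simply the latest version.
    try:
        return {p: store.restore(p, before=t_infection) for p in SAMPLE_FILES}
    except LookupError:
        return None


if __name__ == "__main__":
    print("weak store recovered:", simulate_incident(endpoint_can_delete=True))
    print("resistant store recovered:", simulate_incident(endpoint_can_delete=False))
```

The two properties the toy store enforces are the ones to confirm about any real backup product: the credential present on the workstation cannot delete or overwrite existing versions, and older versions are retained long enough that a responder can roll back to a point before the infection began.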
If you suspect a ransomware attack or any known breach of private information:
- Do not pay the ransom. Payment does not guarantee that you will regain access to your files or that any stolen information will be protected.
- Immediately disconnect the system from the network (unplug the Ethernet cable or disable Wi-Fi) to stop the attack from spreading; if you cannot disconnect it, power it down. Do not wipe or reinstall the system before IT Security has had a chance to examine it.
- Report the incident to security@lbl.gov as soon as possible. The IT Security team will do their best to assist you with recovery.
For UC Berkeley, see Backing Up Your Data. If you need general computer assistance, contact the LBNL Help Desk at x4357, help@lbl.gov, or online at help.lbl.gov.