If you manage U-M or unit systems, computers, or data, you are responsible for taking steps to protect them from ransomware.
Ransomware is malicious software that can infect and encrypt the files and folders on computers rendering the data inaccessible and the computers unusable unless a ransom is paid to the attackers. In some cases, attackers have threatened to make the data public. Payment of the ransom is no guarantee that you will regain access to the data or prevent its release.
Prevention and Preparation
- Install CrowdStrike Falcon endpoint protection on any unit computers you are responsible for.
- Implement Duo two-factor on any machine that allows authenticated connections from the internet.
- Back up data. If you have backups of data, you can restore it in the event of a ransomware attack. All U-M units and research programs are required to develop and document backup plans for U-M institutional data. See Back Up U-M Data.
- Create incremental backups of valuable, critical, and sensitive data that rely on an initial, complete backup of the system. Then make subsequent file copies that capture changes to the system. This can provide a viable mechanism for restoring data that has been encrypted by ransomware software.
- Backups should be stored in an administratively separate system and be verified on a regular basis to ensure their effectiveness.
- Enable file-level snapshots and versioning so you can quickly restore files on networked storage environments if need be.
- Keep hardware and software up-to-date. Apply all patches and updates as soon as possible after appropriate testing, and only use supported, up-to-date software. This ensures that you are taking advantage of security updates that address newly identified vulnerabilities.
- Report suspected IT security incidents, including ransomware attacks, to email@example.com.
- Provide education and awareness in your unit. Like other malware, ransomware often infects a system through infected email attachments and downloads from malicious websites linked from phishing emails. Share education and awareness materials provided by ITS Information Assurance:
Monitor for Problems
Routinely monitor unit systems for indicators of potential compromise, including a ransomware infection. See Checking Systems for Signs of Compromise.
Report Ransomware Immediately
A ransomware attack is a potentially serious IT security incident. Report it immediately—Report an IT Security Incident. You can rely on ITS Information Assurance for analysis and mitigation coordination.
U-M Ransomware Protections
The Information Assurance (IA) groups in Information and Technology Services (ITS) and Health Information Technology & Services (HITS) work with units across U-M to reduce risk and protect against cyberthreats, including malware such as ransomware.
- Network security. Monitors for and helps prevent unauthorized access or misuse of U-M computer networks and network-accessible resources.
- Endpoint protection. Includes antivirus, anti-malware, and other protections for U-M workstations (laptops and desktops) and servers. The Ann Arbor, Dearborn, and Flint campuses use Crowdstrike Falcon; Michigan Medicine uses Sentinel One.
- Vulnerability management. All U-M networks are regularly scanned for unpatched, vulnerable systems at risk of threat actor exploitation, including ransomware.
- Logging and monitoring. These activities can identify suspicious behavior, be used to proactively block attacks, and support the investigation of potential IT security incidents.
- Threat intelligence. Bolsters overall U-M IT security by feeding information about active threats into numerous other IT systems.
- U-M data backups. ITS and HITS maintain system back-ups and storage snapshots of the data and systems they are responsible for (these vary by system and service level). Backups are an important component of ransomware mitigation.
- Cyber risk insurance. The Office of Risk Management maintains insurance that allows the university to recover some financial costs incurred as a result of lost or stolen data or IT outage due to an incident.