Report & Respond Ransomware

If you suspect ransomware on a device used to store or manage U-M data, report it as an IT Security Incident immediately.

If you manage U-M or unit systems, computers, or data, you are responsible for taking steps to protect them from ransomware. See Ransomware Mitigation.

What Is Ransomware?

  • Ransomware is malicious software that encrypts the data on your computer or other networked devices, preventing you from accessing it. Victims are asked to pay a ransom to get their folders, files, and devices unlocked.
  • Criminals use ransomware to extort money from individuals and organizations in exchange for decrypting their data, sometimes threatening to release stolen data publicly, or destroy it entirely, if a ransom isn't paid.
  • Stolen data is often sold to other criminals, and that data can be used to further compromise accounts and systems, or in identity theft.
  • There is no guarantee that encrypted data will be recovered, or that stolen data won't be made public, even if the ransom is paid. The individuals who deploy ransomware are criminals and should not be trusted to do what they have promised.
  • Educational institutions and healthcare organizations are among the top targets of ransomware. Malicious actors target systems and data that are very important to an institution, affecting both operations and reputation, in order to maximize the potential profit. 

How Ransomware Gets on Devices

  • Phishing emails and downloads: You open an email attachment or a shared document link, or click a link that takes you to a website that downloads malicious software, which may be ransomware or a trojan downloader. The malicious software looks for vulnerabilities on the computer or network and then infects your device and/or one or more networked devices with ransomware.
  • Vulnerable and unpatched systems exposed to the internet: Criminals look for services or systems exposed to the internet that may provide access to an organization’s network. This allows them to gain access, collect credentials, explore enterprise systems and networks, steal sensitive data, and install ransomware.
  • Systems already infected with ransomware: Some ransomware can propagate itself to other vulnerable systems on a network. This is why isolating an infected system, and taking steps to protect yourself from ransomware, is so important.
  • Compromised accounts: Compromised accounts can be used to log in to systems and encrypt the data they contain. See Compromised Accounts on Safe Computing to learn what to do if you think an account was compromised.  
  • Once a computer or other device is infected, the malware may begin encrypting files and folders on the device, any attached drives, and potentially other computers on the same network.

What You Can Do

Ransomware and Cloud Services

  • U-M Google Drive, Dropbox, or similar cloud storage is a great way to make sure your data is backed up. While these services are usually well protected, it is still possible for cloud storage to be hit with ransomware. One of the biggest dangers to data stored in the cloud is accessing it from a compromised machine. Automatically syncing data can also be risky; if your computer is compromised, it is likely that any data in the cloud storage it syncs with will be compromised as well.
  • Cloud services can also be used to propagate ransomware by hosting infected files linked in malicious websites or email. For example, a phishing email might trick a user into downloading a ransomware executable from Dropbox, or link to a document pointing to a malicious website.