Crypto-malware Ransomware Advisory Alert
June 18, 2014
Over the past few months, UT Arlington has fallen victim to Crypto-malware. In the two instances we’ve handled, documents in department K: drives were encrypted. We have recently received a notice from the Texas Department of Information Resources (DIR) Office of the CISO alerting us to several ransomware infections within the state. The infections include variants “CryptoLocker” and “CryptoWall.”
According to DIR, the Trojan appears to have been spread mainly through emails; in one case the email was presented as a fax confirmation. At UT Arlington, both infections involved employees browsing to websites that were infected. The computers involved had vulnerable Java and/or Adobe plug-ins, and there is strong indication that these plug-ins were the attack vector for the ransomware.
While it is possible to remove the virus itself, the ISO is unaware of any method to decrypt the files. The private key, needed for decryption, is stored on a Command and Control server and is only available to the attacker. The only way to recover from a Crypto attack is to restore from backups.
We urge all departments to ensure that their systems and applications are fully patched, that their anti-virus is up-to-date, and that current backups of critical files exist in approved locations. Approved locations include OIT-managed K: and J: drives, UTA CrashPlan, and UTA Box.com.