RIT Information Security Alert: Ransomware on Campus from Academic Program Inquiry

A computer in an RIT department was infected with ransomware from a file attachment purporting to be an example of work from a student. The student name on the email was spoofed. The email had been caught in the RIT spam filter. However, the spoofed sender name looked authentic and the recipient released the email and opened the zipped attachment, triggering the ransomware attack.

Sample Phishing Email

Sender:   name@gmail.com (name changed)

Recipients:   name@.rit.edu <RIT username>

Subject:  Re: RIT Application

[Executable Attachment] Namecodes.zip

Respected Sir,

I have submitted my application for <Specific RIT Program.>

I have attached an example of my work to this mail to help me strengthen my application. My unique application id is :f3ba5c. Thank you Sir for your guidance and support.

Sender Name

_________________________________________________________________________________________________________________________

How do I know this is a phishing attempt?

  • You can’t tell at first glance that it’s a phish. However, the email was caught by the RIT spam filter because of the executable attachment. (An executable attachment contains a program that runs on your computer when you open it; in a phishing email, that program is malicious.)
  • Unfortunately, the days of looking at an email and knowing immediately that it's a phishing attempt are over. The sender address and any logo may look authentic. Pay attention to what the email is asking you to do and to whether it has an unexpected attachment.
  • The sender address may have looked legitimate or may be from a compromised external email account.
  • For more information about detecting phishing, please visit the RIT Information Security Phishing page.
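
For mail administrators, here is an added example (not RIT's spam filter and not code from this alert) of the kind of check that flags a zipped attachment because of what is inside it. The extension list, function names, addresses and the sample message are assumptions constructed for the illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist for illustration; a real filter's list is site policy.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                    ".vbs", ".wsf", ".hta", ".lnk", ".ps1", ".jar", ".msi"}

def risky_members(zip_bytes):
    """Return names inside a zip whose final extension is on the blocklist."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
            names = archive.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]  # cannot inspect: treat as suspicious
    # Only the last extension counts, so "essay.pdf.exe" is still caught.
    return [n for n in names if "." in n
            and "." + n.rsplit(".", 1)[1].lower() in RISKY_EXTENSIONS]

def scan_message(raw_bytes):
    """Map each zip attachment's filename to the risky members it contains."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            hits = risky_members(part.get_payload(decode=True))
            if hits:
                findings[name] = hits
    return findings

def build_sample():
    """Constructed sample: a harmless text file named like a script, zipped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("portfolio.pdf.js", "// constructed placeholder, no code")
        archive.writestr("readme.txt", "constructed sample")
    msg = EmailMessage()
    msg["From"] = "name@example.com"
    msg["To"] = "user@example.edu"
    msg["Subject"] = "Re: Application"
    msg.set_content("I have attached an example of my work.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="sample.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

A message that returns any findings is one to leave in quarantine until the sender has been confirmed through a separate channel.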

What is RIT doing to protect me?

  • RIT blocks most phishing/malware attacks from reaching RIT e-mail accounts.
  • MySpam will block or quarantine many of these phishing e-mails. However, senders actively modify messages to avoid spam traps, and that allows a few to slip through.
  • myMail.rit.edu has not been compromised.
  • McAfee VirusScan (McAfee HIPS) with up-to-date virus definitions will protect against viruses and many other threats that may be associated with phishing emails. (Antivirus software is available free to RIT students, faculty, and staff for home use from http://www.rit.edu/its/services/security/).

What can I do to protect myself?

  • Ensure that your information is backed up regularly and properly. Because ransomware can encrypt the files on your computer and any connected drives (including connected cloud drives such as Dropbox), it’s important to regularly back up your files to a location to which you’re not continuously connected. To determine the backup capabilities available to you at RIT, contact your IT Service Desk.
  • If you find there’s a message in the RIT spam filter and you’re not sure that it’s really spam, preview the message while it’s still within the spam filter. Don’t release it until you are certain it’s legitimate. ITS provides instructions for the spam filter at <https://www.rit.edu/its/servicing/secure-computing/spam-filtering>
  • Unless you’re expecting an attachment, don’t open it without ensuring that the message is legitimate.
  • Phishing attacks can come through emails, texts, social media messages, and phone calls. Be careful!
  • Report phishing attempts by creating a new message to spam@rit.edu and dragging the suspected phishing message into the new message. 

For More Information

REMEMBER: RIT will NEVER ask for your password through e-mail.

Quick Infosec Tip: Most security pundits described 2016 as the year of ransomware. Security experts expect to see many more ransomware attempts in 2017.