New virus on campus locks files and requests money

When two University of Richmond staff members' computers were infected with a virus two weeks ago, the FBI contacted the university's Information Services and alerted them of how to handle the virus.

The virus, CryptoLocker or Cryptobit, is a type of "ransom-ware" that encrypts or "locks" files on a computer, then demands payment for unlocking them within 72 hours. If the user does not pay the ransom within 72 hours, the files will remain encrypted forever, according to the Information Services website.

Anthony Head, security administrator, said anyone who encountered the virus was urged not to pay the ransom because there was no guarantee the files would be recovered.

"The FBI has been in contact with me and specifically said don't pay the ransom," Head said. "You are contributing to the bad behavior and you may not get your files back."

The FBI told Head the virus operators claimed they would un-encrypt the files if the user responded with a payment of $300-$400 within a short time frame, but usually did not unlock the files. If the user pays the original sum, the operators often try to increase the price to thousands of dollars. "They're basically just trying to milk you for what they can get," Head said.

Even though only two computers were infected, Information Services sent out the email alert to warn students of the severity of the virus, Scott Tilghman, help desk manager, said. The two faculty computers that were infected had to be completely wiped. That was the only way to remove the virus, and some files were unable to be recovered.

The virus is typically spread through email attachments, often from sources masquerading as UPS Inc., FedEx and DHL Express. When the user opens the email attachment, the virus is installed on the computer. It can also be spread by visiting websites infected with malware, according to the Information Services website.

The viruses originate in various locations around the world, often in eastern European countries, Head said. Tilghman did not say where the version of the virus that appeared on campus came from.

Tilghman did not expect to see more cases of the virus related to the first two because that particular location of the virus had been cut off. But that doesn't mean the virus can't be altered and make it onto the campus network again, Tilghman said.

The campus network's security was recently increased with the installation of ClearPass, a computer registration program that ensures a computer's antivirus and firewall are up to date before allowing it to access the university's network. However, the virus was able to infect university computers because antivirus only helps with known viruses, Head said.

"As the malware people develop code they are constantly changing it to make it appear different than what it originally was," Head said. "So that's why even though we are up to date with most of our antivirus signatures, things still constantly come through because they are constantly changing."

Tilghman said if people encountered the virus on their computers, they should take action right away. "If anybody gets the pop-up message they should unplug from the network and turn off their wireless immediately," Tilghman said. "Then turn the system off and bring it to us."

Contact staff writer Erin Flynn at erin.flynn@richmond.edu