Taking steps to protect you against ransomware

Over the past 12 months, Information Management and Services (IMS) has witnessed an increase in phishing messages that contain malicious software designed to automatically encrypt your computer and hold its contents hostage until a ransom is paid. The FBI and security professionals predict that “ransomware” will continue to be a primary attack approach over the next several years, with the health care and education industries being the most susceptible to such attack campaigns.

In a ransomware attack, an email message carries a file that appears legitimate—typically a PDF that appears to be an invoice, electronic fax or other request—but contains malicious software that, once opened or clicked, will encrypt all files on the PC, any attached drives, backup drives and potentially other computers on the network. Ransomware attacks are not only proliferating, they are also becoming more sophisticated. You may also see targeted phishing messages (also called “spear phishing”) that appear to come from a colleague or other legitimate contact here at UT Health San Antonio, and links on public websites may be hijacked to transparently download the malicious software onto your PC.

Security analysts have discovered that running Windows under an account without administrative rights could mitigate up to 94 percent of critical Microsoft vulnerabilities. By hijacking a user account that is assigned administrator permissions, malware can easily use an infected computer as a launching point to infect other computers on the network.

In response to these risks, IMS will implement a solution that eliminates the risk that comes with granting users local administrator privileges on PCs. The software, called BeyondTrust PowerBroker for Windows, is free to university departments with technical and non-technical TSRs and allows scaling of local PC privileges so that applications run seamlessly without the risk of leveraging elevated local user rights. PowerBroker for Windows will allow transparent execution (including installation, upgrades and configuration changes) of known and approved applications without user or IT intervention.

On March 17, IMS will begin removing Windows domain users from local PC administrator groups regardless of whether PowerBroker for Windows is installed. This effort is done in compliance with University HOP 5.8.8 and UT System Policy 165. For more information about this IMS initiative, please visit the Information Security website at https://infosec.uthscsa.edu/least-privilege-enforcement.

Please contact the IMS Service Desk at 210-567-7777 if you have any questions or need immediate support.
