This content is viewable by Everyone


Ransomware Running Riot!

The link to the IT Security Awareness Quiz is at the end of the article. Complete it for an entry in a drawing for 1 of 6 $50 Amazon gift cards.

If it seems like ransomware is all over the news lately, that’s because it is. A recent survey of IT professionals by Sophos found that 64% of educational and 66% of healthcare institutions were hit by ransomware in 2021. This is up from 44% and 34% respectively.  Not only is the number of attacks rapidly increasing, but the amount of money extorted is also going up.  According to Sophos, the average ransomware fee reached $812K in 2021, an almost 5X increase from the 2020 average of $170K.

Ransomware targets range from home users to corporate networks, and how ransomware works is evolving.  It’s no longer just about locking up data. Cyber criminals also threaten to divulge sensitive and confidential information and recently have targeted software manufacturers to create supply chain infections.  The 2021 ransomware attack on Colonial Pipeline created a multi-day shutdown that caused panic buying and the price of gas to go to its highest level in seven years.  

What is Ransomware?

Ransomware is a type of malicious software (a.k.a malware) that locks the victim out of their computer or files – often by encrypting them – until a ransom is paid. The ransomware typically displays a message letting the victim know that they have been locked out, along with instructions for how and how much to pay. 

Ransomware is often spread through use of stolen credentials, malicious links, and harmful attachments in email; however, this is not the only mechanism. Other sources include malicious applications and files and adware/spyware. 

To pay or not to pay? 

It is important to note that these are criminals.  There are no guarantees that if you pay the ransom, you’ll get access to your computer or files back or that the criminals will delete their copies of your files. The FBI and law enforcement advise never paying the ransom because it encourages the criminals to continue committing crimes.  However, if the impact of losing the files could potentially have catastrophic consequences, and the criminal group that locked them has a track record of unlocking them if paid, paying the ransom may be the best option.   

What to do if you receive a ransom note 

Work-related device 

If you receive a ransomware pop-up or message on your device alerting you to an infection, 

take the following steps immediately to avoid any additional infections or data loss: 

  1. Disconnect from the internet (disable Wi-Fi and unplug any wired internet connection). 
  2. Disconnect any external drives. 
  3. Report the incident to the IT Service Desk (415-514-4100). 
  4. Follow the reporting instructions at How to Report a Security Incident

Personal device (never used for work)  

  1. Contact your local FBI field office to request assistance, or submit a tip online. 
  2. File a report with the FBI’s Internet Crime Complaint Center (IC3).  

What to do to minimize the risk of ransomware 

To prevent a ransomware attack and mitigate the impact if one occurs perform the following on an ongoing basis: 

  1. Exercise caution when opening your messages. Most ransomware attacks begin with some sort of phishing message. Pay attention to emails you get and be on the lookout for phishing attempts. Use the UCSF Phish Alarm tool to report phishing messages. Be on the lookout for warning banners in your email to denote risky or external senders. 
  2. Use anti-virus software and firewalls. It's important to obtain and use anti-virus software and firewalls from reputable companies and continually maintain your anti-virus software and firewalls through automatic updates. UCSF IT provides security software (anti-virus and firewall in one) free of charge to UCSF faculty, staff, students, and researchers at
  3. Keep your devices and software up to date. Install updates ASAP for all your operating systems and applications. 
  4. Enable pop-up blockers. Pop-ups are regularly used by criminals to spread malicious software. To avoid accidental clicks on or within pop-ups, it's best to prevent them from appearing in the first place. Get help: 
  1. Always back up your computer content. Ransomware scams will have limited impact on you if you back up, verify, and maintain offline copies of your personal and application data. If you are targeted, instead of worrying about paying a ransom to get your data back, you can simply have your system wiped clean and then reload your files. A backup service (CrashPlan Pro) is offered at no additional charge to: 
  • All ITFS-supported desktops and laptops, as part of ITFS Basic Support 
  • UCSF Medical Center–supported laptops: Computer Backup (CrashPlan) 
  1. Don’t be Admin all the time.  If your computer lets you have separate user accounts, keep the administrative account separate from the ones users actually use to do regular things on the computer.  Accidents happen, and if they happen in an admin account, they can do a lot more harm.  And with systems used for UCSF business, use the least amount of privilege necessary to do what you do. 

Take the quiz on protecting UCSF and yourself from ransomware.  The prize for passing the quiz is one entry in a drawing for one of six $50 Amazon gift cards. 

UCSF Information 

UCSF: How Do I Protect My Computer from Ransomware 

UCSF: Update on IT Security Incident at UCSF 

Additional Information 

Sophos: The State of Ransomware 2022 Report

Sophos: The State of Ransomware in Education 2022 

Sophos: The State of Ransomware in Healthcare 2022 

CISA: Stop Ransomware 

CISA: Ransomware Guide September 2020 

FBI: Scams and Safety Ransomware 

HHS: Fact Sheet: Ransomware and HIPAA 

Varonis: 86 Ransomware Statistics, Data, Trends, and Facts [updated 2022]

NBC News: Parents were at the end of their chain — then ransomware hit their kids' schools 

NBC News: Major hospital system hit with cyberattack, potentially largest in U.S. history 

ABC News: Why ransomware cyberattacks are on the rise