Malware

[Image: a stylized Trojan horse with a bow on a red background; the text reads "It's too good to be true." Image credit: Staff Unit Information Security]

What is malware?

Unfortunately, for some time now cybercriminals have not been content merely to spy on our data through phishing or social engineering. They use programs that spy on the data on our systems, restrict access to data and systems, or block it altogether. The rising star among malware is so-called ransomware. The business model of attackers who use ransomware is simple: data in exchange for money. Once the ransomware has found its way onto your computer, all your data is encrypted. In exchange for a "service fee" paid to the attackers, usually in Bitcoin, you are promised access to your data again. A bad deal? Absolutely!

Where did this come from?

The shutdown of parts of the Emotet network was a partial success against ransomware, but there are still dozens of programs on the loose that cause more than a headache on a computer or network.

There are three typical ways you can get infected with malware:

  • E-mails with malware attached,
  • Manipulated websites distributing malware (links to these sites will be sent to you by e-mail),
  • Security holes in operating systems and programs which malware specifically exploits.

The malware strikes immediately or after some delay and then, for example, starts encrypting your data. However, if the malware "only" reads your data or mines a cryptocurrency, you may not notice the infection at all. So an infection is not always immediately visible, and once data has been encrypted, only a proper backup will help.

What is the situation at Philipps-Universität Marburg?

In the past, attackers have focused on planting malware through an attachment or link in an e-mail. Therefore, we have picked out two authentic examples for this scenario as well:

Example 1 (English)

> Here is an update of the project. https://send.firefox.com/download/21a7ebc7e761df86/#dz3NjRc_mQgVITUUZGychQ Archive password: 7777

(Text of the malicious mail)

E-mails with this content have been and are often sent. The attackers often use supposedly trustworthy clouds such as Google Drive or Dropbox to upload their malware. This makes the link appear more trustworthy.

Example 2 (German)

[Image: an example of a Qakbot phishing e-mail. The text of the e-mail reads: "Hello, I wanted to talk to you about this again. Please take a look at the file and let me know what you think." Below it is a link through which malware is downloaded.]

(Example of a Qakbot phishing e-mail)

In this case, the attackers did not bother to look for a more trustworthy place for their malware. It is common for malware to hide in office or archive files (*.zip, *.rar).

How to protect yourself:

  • Keep calm and do not overreact, even if the e-mail urges you to act quickly. Take the time to think about the e-mail.
  • Do you know the sender? Does it make sense for her/him to write to you? Call the person if you are not sure.
  • Check the links in the e-mail before you click on them. You can mouse over them or right-click and copy and paste them into a search engine first.
  • Attackers usually fake their sender's address, so: take a close look at who the e-mail really comes from.
  • Always keep your operating system and all installed programs up to date. Install updates as soon as possible.
  • Uninstall programs and apps you don't need. The fewer programs you have on your computer, the smaller the attack surface due to security holes.
  • Anti-virus programs reach their limits with some malware because attackers are constantly developing it and manufacturers are not keeping up with updates for their anti-virus programs. However, antivirus programs will protect you from older versions of malware and other viruses.
  • Make regular backups. If you can restore your computer with a full backup in the event of a malware infection, you've won. Besides, any system can fail suddenly due to wear and tear or production errors. So, a backup is helpful not only in case of ransomware.
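The checks in the list above (who the e-mail really comes from, where a link actually points, whether an office or archive file is attached, as in the two examples) can be made explicit with a small triage script. The following is an added example, not part of this page or of the university's tooling; the sample message, its addresses, domains and link are constructed placeholders, not real indicators.

```python
"""Triage a suspicious e-mail for the warning signs listed on this page.

Added example, not part of the original page. The message below is constructed
for the demo; all addresses, domains and the link are placeholders.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a familiar-looking display name over a different real
# address, a Reply-To elsewhere, a link whose visible text hides its target,
# and a password-protected archive (which mail filters cannot scan).
SAMPLE_EMAIL = """\
From: "Anna Beispiel" <anna.beispiel@mail-relay.example.net>
Reply-To: other-sender@example.org
To: you@university.example
Subject: Update of the project
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Here is an update of the project.</p>
<p><a href="https://files.example.net/download/abc123">https://cloud.university.example/project</a></p>
<p>Archive password: 7777</p>

--b1
Content-Type: application/zip; name="project.zip"
Content-Disposition: attachment; filename="project.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# File types the page names as common malware carriers: archives and office files.
RISKY_EXTENSIONS = {".zip", ".rar", ".7z", ".doc", ".docm", ".docx",
                    ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: the same thing a mouse-over reveals."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def triage(raw_message):
    """Return what the e-mail really contains plus a list of warnings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    report = {"sender": None, "reply_to": None, "links": [], "attachments": [], "warnings": []}

    # Who the e-mail really comes from: the address, not the display name.
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    if sender is not None:
        report["sender"] = sender.addr_spec
        if sender.display_name:
            report["warnings"].append(
                f"Shown as '{sender.display_name}' but really sent from {sender.addr_spec}")
    if msg["Reply-To"] and msg["Reply-To"].addresses:
        reply = msg["Reply-To"].addresses[0]
        report["reply_to"] = reply.addr_spec
        if sender is not None and reply.domain.lower() != sender.domain.lower():
            report["warnings"].append(f"Replies go to {reply.addr_spec}, not to the sender's domain")

    # Links: compare where the visible text claims to go with where the href points.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        for href, text in extract_links(html):
            target = urlparse(href).hostname or ""
            report["links"].append((text, target))
            shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            if shown and shown.lower() != target.lower():
                report["warnings"].append(f"Link text shows {shown} but points to {target}")
        if re.search(r"(archive|zip)\s*password", html, re.IGNORECASE):
            report["warnings"].append("Password for an archive is supplied: mail filters cannot scan it")

    # Attachments: archive and office files are the usual malware carriers.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        report["attachments"].append(name)
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            report["warnings"].append(f"Attachment {name} is an archive/office file; verify with the sender first")
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print("Real sender:", result["sender"])
    for warning in result["warnings"]:
        print("WARNING:", warning)
```

Feed it the raw source of a message ("show original" in most mail clients) instead of `SAMPLE_EMAIL` to get the same report for a real e-mail; none of the checks open the attachment or follow the link.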

Measures in case of infection

Remove infected device from the network

Malware usually targets not only one device, but also all other connected systems such as USB sticks or even network drives.

Therefore, immediately disconnect your device from the network (unplug the cable or turn off your WLAN) if it is infected and remove USB sticks and other storage media.

Do not pay a ransom demand!

If a ransom demand appears on your screen, do not respond to it.

There are three reasons for this:

  1. If you pay, you show the attackers that their scheme works and finance their criminal activities.
  2. There is no guarantee that the attackers will provide you with a way to decrypt the data. Often, the attackers never get back to you after payment.
  3. Ransomware decryption tools are often made available on the Internet, which you can use to reliably decrypt your data.

Otherwise the following applies:

Keep calm & report an IT emergency.
Please contact your IT administration and/or:

IT emergency phone number: 06421 28-28281
E-mail: it-sicherheit@uni-marburg.de