NOTICE: Ransomware targeting healthcare and public health

Ransomware is malicious software that can infect and encrypt the files and folders on computers and other devices—essentially locking them. It typically gets into computers and networks as a result of someone following a malicious link, opening a malicious attachment, or opening a malicious shared document, such as a Google Doc or a Microsoft Office document. The links, attachments, and document links are usually contained in a phishing email. Institutions are asked to pay a ransom (usually in cryptocurrency such as bitcoins) to get their systems, folders, files, and devices unlocked.

Here are some examples of the recent phishing attempts that staff members of hospitals and healthcare have been seeing:

• A message from an account says you have been given a bonus for good work and asks that you click a link or open a document to confirm your personal data. Don't click the link!
• A message from a payroll processing assistant asks you to open a document with information about your salary. Don't open the document!
• A message from a corporate notification system asks you to preview a document in preparation for a phone call. Don't open the document!
• A message asks you to respond to an employee survey, but you have had no other communication about it. Don't open the survey doc!
• A message from an HR manager tells you that your position has been terminated and asks you to open a doc to check details and sign it. Don't open the document!
• A message from a customer service department representative says a complaint has been received from you and asks that you open a document to verify details. Don't open the document!

These examples all have one thing in common—they want you to download a document that contains a malicious program and run it. Microsoft Office documents can contain these programs (macros). If prompted, do NOT enable macro content on a document of unknown/unverified origin!

Think about how such situations are normally handled at U-M. Check with official U-M and Michigan Medicine sources if you are concerned about a particular email or have questions.

• Phishing & Suspicious Email offers this guidance and more:
  • Check links before clicking by hovering over them with your mouse. Check the full URL to see if it goes where you expect.
  • Check to see if the email sender is faked or forged. See How to Spot a Spoof.
  • Is the content suspicious? Check Scams & Fraud for common scams and scams reported at U-M. See Phishes & Scams for examples of recent phishing attempts.
• Ransomware: Don't Pay the Ransom! offers these and other tips on protecting yourself against ransomware:
  • Do not open or download a document from an unfamiliar sender, or one that is shared or stored on a system or service you are unfamiliar with.
  • Do not enable macros or content in Microsoft Office documents that are shared with you or open executable files.
• Report phishing email by forwarding the entire message to ReportPhish@umich.edu.
  • U-M Google Mail users. Open the message, click the down arrow next to the Reply arrow, and select Show original. Forward the original.
  • Michigan Medicine Outlook users. In the Outlook menu bar, click the Report Phishing button.

• Several hospitals targeted in new wave of ransomware attacks (10/29/20, CNN)
• FBI warns ransomware assault threatens US health care system (10/29/20, AP News)
• Alert (AA20-302A) Ransomware Activity Targeting the Healthcare and Public Health Sector (Cybersecurity & Infrastructure Security Agency, 10/28/20)
• Office Doc Dangers: Macros & Enabled Content Pose Risks (Safe Computing)