Encryption Virus Affecting University Computers

CryptoLocker is a type of virus which is designed to encrypt all files which are on the affected computer (e.g. on the hard disk C: ) and attached to it e.g. on the M: Drive (your personal storage area), N: drive (shared storage area) and OneDrive.

CrypoLocker 1

Your computer can be infected if you click on a link in a phishing email or by visiting an innocent website which has been compromised. Some people at can receive phishing emails which have their home address in, to make them seem more genuine, and ask you to click on a link for information about an invoice. Never click on links in emails unless you are sure they are genuine. If you are unsure, please ask the IT Service Desk for advice. 

CrypoLocker 2

This type of attack is known as ransomware, with the individuals behind the attack demanding money to decrypt files which have been encrypted.  You will not be able to access the files once they have been encrypted, and so may lose data. On police advice, the University will not pay a ransom to have files decrypted as this would be likely to encourage further targeted attacks against us.

If your PC has been infected, you will  see a pop-up message giving contact details for the payment and decryption process (similar to the images above)

What do I need to do?

If you receive any message on your computer which suggests that it may be infected you MUST:

  1. Disconnect your device from the University network(s) immediately. If your computer is connected to the wired network, pull the network cable out of your PC or the wall socket. If you are connected to eduroam, turn off your wireless connection.
  2. Switch off your computer at the wall socket or by pulling out the plug. Do not power it down by logging off or through a system shut down.
  3. Contact the IT Service Desk on 0113 343 3333 and report the incident.
  4. Follow any further instructions given to you by IT Service Desk staff.

Please also remember to shut down your computer at the end of each day in order to minimise the damage if your computer is infected and that infection has not yet been detected.