On Windows, at least, any files that come from web browser downloads or Outlook at treated as untrusted. Any such files are tagged with an Internet Zone Identifier Alternate Data Stream (a.k.a “Mark of the Web” or MotW ). Office applications will automatically disable any macros or other content in such files. One must actively bypass security warnings — which many folks do without hesitation, I know — in order to actually run the content.


I don’t know if attachments received using Thunderbird are tagged with the MotW. If not, perhaps moving to Outlook for email would be a helpful countermeasure. On Windows, anyway.


Additionally, it might be a good opportunity to emphasize the importance of reliable backups, or using central file services so that backups are taken care of without user intervention.




Geoffrey Duke

802.656.1172 | Sr Systems Administrator | Enterprise Technology Services | University of Vermont





From: Technology Discussion at UVM [mailto:[log in to unmask]] On Behalf Of Sam Hooker
Sent: Wednesday, June 1, 2016 11:13 AM
To: [log in to unmask]
Subject: Re: heads up: ransomware message to be published tomorrow


Thanks, Andrew; I’ve worked that in, updated the blog post, and submitted the changes to Gary for inclusion in the email version.







On 20160531, 1702h, "Technology Discussion at UVM on behalf of Andrew Hendrickson" <[log in to unmask] on behalf of [log in to unmask]> wrote:


Can we also mention that unless you’re dealing with a file that is expected to have macros (usually spreadsheets from FAB or downloaded from Peoplesoft), people should always elect to “disable macros” when asked on file open.


In many cases, even if the file legitimately does have macros, disabling them doesn’t prevent entering data into the file.


I’d rather have people in the habit of disabling them and occasionally having functionality problems than to be in the habit of always enabling them and risk getting infected with Locky.


Andrew Hendrickson

CAS IT Administrator

UVM, College of Arts & Sciences





To submit a request for service please use:


From: Technology at <[log in to unmask]> on behalf of Sam Hooker <[log in to unmask]>
Reply-To: Technology at <[log in to unmask]>
Date: Tuesday, May 31, 2016 at 4:55 PM
To: Technology at <[log in to unmask]>
Subject: heads up: ransomware message to be published tomorrow


[please excuse cross-postings]


Gary Derr is slated email to the campus broadcast list tomorrow, mid-day with a message mirroring this post:



If you have questions or concerns, please email [log in to unmask] as soon as possible.








Sam Hooker | [log in to unmask]

Information Security Engineer

Enterprise Technology Services

The University of Vermont