Skip to main content
Find a DoctorGet Care Now
Skip to main content
Search icon magnifying glass






How to spot ransomware

With the recent cyberattacks at hospitals nationwide, including some in Connecticut, Yale New Haven’s chief information security officer shared information employees can use to protect the health system’s and their own personal computers.

Ransomware works by encrypting your data so you cannot access it until you pay the threat actors to give you the keys to unlock it, said Glynn Stanton, who is also vice president, Digital Technology Solutions (formerly Information Technology Services). The ransomware variant currently impacting some Connecticut hospitals, developed by an operation called Rhysida, has not affected YNHHS, but everyone needs to be vigilant to protect against this or other attacks. 

How do you spot a ransomware attack? 

  • Your file names will be replaced with a new file name extension. For example, ImportantDocument.doc might be renamed ImportantDocument.doc.rhysida.
  • Common extensions ransomware threat actors use include: .rhysida, .lockbit, .rhyuk, .locky, .whereisyourfiles, .encr or .filelocked, among others.
  • If all your files have a file extension they didn’t have before, you likely have been infected by ransomware.
  • Your screen background will often be changed to show a message about how to pay the ransom, or you may find a file detailing how to pay to regain access to the files. Rhysida also places a file in the directory named CriticalBreachDetected.pdf, with details on how to pay the ransom.

What do you do if you suspect a ransomware attack?

If you cannot access your files, they all have an unusual extension or you see a screen backdrop requesting payments:

  • Turn off the computer immediately by pressing and holding the power button. The faster you act, the more data you may be able to save.
  • Call 203-688-4357 (203-688-HELP) immediately for any YNHHS-managed PC or system.
  • For a home PC, contact a local PC support technician.