Successful ransomware attack at the University of Utah
Until there is a thorough and robust method to stop ransomware, this phenomenon is going to continue to flourish. This popular attack method is simple, and profitable for the attackers. Once it was successfully monetized, there was no turning back for the attackers. Another glaring example occurred this July with the University of Utah.
The University of Utah has been added to the list of ransomware victims, which already includes Michigan State University (MSU did not pay the ransom and the data was placed on the dark web), Columbia College of Chicago, Canada’s Royal Military College in Ontario, and the University of California at San Francisco (which paid $1.14M). The university’s Information Security Office (ISO) was notified of the attack on July 19th. The focus of the attack was the College of Social and Behavioral Science (CSBS) servers; the central servers were not affected. The attackers have not been identified as of yet, which is not unusual. This group of attackers is likely the same one that has been making the rounds attacking other universities. The available data indicates this attack, and the others, may have been perpetrated by the NetWalker ransomware gang. As mentioned previously, this method of attack tends to be profitable: it is estimated the group has received more than $25M this year alone from these attacks.
Actions by the University
After the breach, the attackers encrypted the servers, which was followed by the ransom demand. The university did act affirmatively, isolating the servers from the remainder of the network and from the internet. It began an investigation and notified law enforcement. In addition, it is working with a third party specializing in these attacks to resolve the issue. No other systems were impacted. The affected students and staff were directed to change their university passwords on July 29th.
To regain their systems, the university and its insurance provider paid $457,059.24 in Bitcoin. Thankfully the university had cybersecurity insurance in place to cover at least a portion of the ransom; the university paid the remainder. While I generally don’t recommend this course of action, in this instance the attackers had been able to secure sensitive data and allegedly would have released it online for everyone to see and likewise obtain if the ransom was not paid. This data included sensitive information on employees and students. While it amounted to only 0.02% of the data on the servers, this could still be a rather large amount of data to have placed online had the ransom not been paid. The issue is that the university is now depending on a group of attackers who breach systems and extort funds from the target. It is notable that the fee was paid to remove the threat of the data being published; the university itself restored the data from back-ups.
First and foremost, please train your staff to watch for this type of email or other communication. The method of attack is relatively simple. The attacker(s) send emails with malicious links or attachments. The humans, who are the primary attack surface, click the link or open the attachment, and the CISO begins to have issues quickly. Alternatively, depending on the circumstances, the group could simply breach the targeted system directly, which may take more time and resources than the first option. Initial and continued training is the first line of defense. Naturally, a SIEM and other tools are also required in an attempt to severely limit the issue. When these are implemented in earnest, not merely to check a box, the organization is on the right track to correcting the problem. Until then, the attackers are going to use this method as much as possible, and collect as much as possible, to the detriment of the victims.
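As an added example (not from the original post, and not the university's or any vendor's tooling), the following Python script applies the advice above at the technical level a mail gateway or SIEM rule would: it parses a raw email with the standard library and reports three indicators that the email described here typically carries. The indicators are attachments with executable or macro-enabled extensions, links whose visible text names one domain while the href points elsewhere, and a Reply-To header that steers replies to a different domain than the sender's. The sample messages, domain names and extension list are constructed for the example and are not real traffic.

```python
"""Triage one raw email for common phishing indicators (added example, constructed samples)."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse
import re

# Illustrative set of extensions a gateway rule would flag; tune to your environment.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
ARCHIVE_EXTENSIONS = {".zip", ".7z", ".rar"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host: str) -> str:
    """Last two labels of a hostname; adequate here, not public-suffix aware."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _domain_of_address(addr: Optional[str]) -> str:
    """Domain part of a header address such as 'Name <user@host>'."""
    return addr.rsplit("@", 1)[-1].strip(" >").lower() if addr and "@" in addr else ""


def triage_message(raw: bytes) -> List[str]:
    """Return human-readable findings for one RFC 5322 message; empty list means nothing flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: List[str] = []

    # 1. Attachments whose extension commonly carries droppers or macros.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {name}")
        elif ext in ARCHIVE_EXTENSIONS:
            findings.append(f"archive attachment, inspect contents: {name}")

    # 2. Links whose visible text shows one domain while the href goes to another.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
            if shown and _registered_domain(shown.group(0)) != _registered_domain(href_host):
                findings.append(f"link text '{text}' actually points to {href_host}")

    # 3. Reply-To pointing replies at a domain other than the sender's.
    from_domain = _domain_of_address(msg["From"])
    reply_domain = _domain_of_address(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


def build_sample(html: str, attachment: Optional[str] = None, reply_to: Optional[str] = None) -> bytes:
    """Construct a sample message for the example (hypothetical addresses, not real mail)."""
    m = EmailMessage()
    m["From"] = "IT Helpdesk <helpdesk@example-university.edu>"
    m["To"] = "staff@example-university.edu"
    m["Subject"] = "Action required: password reset"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Please view this message in an HTML-capable client.")
    m.add_alternative(html, subtype="html")
    if attachment:
        m.add_attachment(b"\x00\x01\x02", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


# Constructed samples: a benign notice and one carrying all three indicators.
BENIGN = build_sample(
    '<p>Sign in at <a href="https://portal.example-university.edu/">portal.example-university.edu</a>.</p>')
SUSPICIOUS = build_sample(
    '<p>Reset now: <a href="http://sso.example-university.edu.evil-example.net/reset">'
    'sso.example-university.edu</a></p>',
    attachment="Invoice_July.docm",
    reply_to="billing@evil-example.net",
)

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, "->", triage_message(raw) or ["no findings"])
```

Each finding is a single line suitable for forwarding to a SIEM as an event, which is the point of the check: the training tells people what to look for, and the same three indicators can be flagged automatically before the message reaches a mailbox. The domain comparison is deliberately crude (last two labels) so the example stays dependency-free; a production rule would use a public-suffix list.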
Cimpanu, C. (2020, August 21). University of Utah pays $457,000 to ransomware gang. Retrieved from https://www.zdnet.com/article/university-of-utah-pays-457000-to-ransomware-gang/
Dudley, G. (2020, August 21). University of Utah paid hackers $457k after ransomware attack. Retrieved from https://www.ksl.com/article/50008933/university-of-utah-paid-hackers-457k-after-ransomware-attack
Hamilton, E. (2020, August 21). The University of Utah just footed a $457,000 ransomware bill. Retrieved from https://news.knowledia.com/US/en/articles/the-university-of-utah-just-footed-a-457-000-ransomware-bill-fae31fb0a1a1ae1ac148c4e67e5dfba60b78f42f
Kass, D.H. (2020, August 26). University of Utah pays nearly $500k to ransomware gang to recover data. Retrieved from https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/university-of-utah-pays-nearly-500k-to-ransomware-gang-to-recover-data/
Raymond, A. (2020, August 21). Cyber swindlers take University of Utah for nearly $500k in ransomware attack. Retrieved from https://www.deseret.com/utah/2020/8/21/21396174/cyber-swindlers-take-university-of-utah-for-nearly-500k-in-ransomware-attack
Pierce, S.D. (2020, August 21). University of Utah pays more than $450,000 in ransomware attack on its computers. Retrieved from https://www.sltrib.com/news/2020/08/21/university-utah-pays-more/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.