Until there is a thorough and robust method to stop ransomware, this
phenomenon is going to continue to flourish. This popular method of attack is
simple and profitable for the attackers. Once it was successfully monetized,
there was no turning back for the attackers. Another glaring example occurred this
July with the University of Utah.
Attack
The University of Utah has been added to the list of ransomware
victims, alongside Michigan State University (MSU did not pay the ransom, and the
data was placed on the dark web), Columbia College of Chicago, Canada's Royal
Military College in Ontario, and the University of California at San Francisco
(which paid $1.14M). The university's Information Security Office (ISO) was notified
of the attack on July 19th. The focus of the attack was the College
of Social and Behavioral Science (CSBS) servers; the central servers were not
affected. The attackers have not been identified as of yet, which is not unusual.
This group of attackers is likely the same one that has been making the rounds
attacking other universities. The data indicates this, and the other attacks may have
been perpetrated by the NetWalker ransomware gang. As mentioned previously,
this method of attack tends to be profitable: it is estimated the group has
received more than $25M this year alone from these attacks.
Actions by the University
After the breach, the attackers encrypted the servers, which
prompted the ransom demand. The university did act affirmatively and isolated
the servers from the remainder of the network and the internet. It began an
investigation and notified law enforcement. In addition, it is working with
a third party specializing in these attacks to resolve the issue. No other
systems were impacted. The affected students and staff were directed to
change their university passwords on July 29th.
Ransom
To regain their systems, the university and its insurance
provider did pay $457,059.24 in Bitcoin. Thankfully the university had
cybersecurity insurance in place to cover at least a portion of the ransom; the
university paid the remainder. While I generally don't recommend this course of
action, in this instance the attackers had secured sensitive data and
allegedly would have released it online, where anyone could view and likewise
obtain it, if the ransom was not paid. This data included sensitive information on
the employees and students. While it amounted to only 0.02% of the data on the
servers, that could still be a rather large amount of data placed online had the
ransom not been paid. The issue is that the university is depending
on a group of attackers who breach systems and extort funds from the target. It
is notable that the fee was paid to remove the threat of the data being published; the
university restored the data itself from back-ups.
Lessons Learned
First and foremost, please train your staff to watch for
this type of email or other communication. The method of attack is relatively
simple: the attacker(s) send emails with malicious links or attachments, the
humans, who are the primary attack surface, click the link or open the attachment, and
the CISO begins to have issues quickly. Alternatively, depending on the circumstances,
the group could simply breach the targeted system directly, which may take more time and
resources than the first option. Training, and continued
training, is the first line of defense. Naturally, a SIEM and
other tools are also required to severely limit the issue. With
these implemented in earnest, not merely to check a box, the potential to
correct the problem is on the right track. Until then, the attackers are going
to use this method as much as possible, and collect as much as possible, to the
detriment of the victims.
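The SIEM mentioned above earns its keep through rules that recognise an intrusion after the phishing click has already happened. The following is an added example, not code from the original post or from the University of Utah, of one such rule: it reads file-server audit events and flags any host on which many files are renamed to a single new extension within a short window, which is what file-encrypting ransomware looks like in rename logs. The log format, host names, user names and paths are constructed for the example; a real deployment would read the SIEM's own event schema instead.

```python
"""Added example (not from the original post): a minimal SIEM-style
detection for ransomware-like rename bursts on a file server.
The audit-log format and every sample value below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import os

# Constructed audit log. Format (assumed for this example):
# "<ISO timestamp> <host> <user> RENAME <old path> -> <new path>"
# Host "csbs-fs01" shows an encryption-style burst; "admin-fs02" shows
# ordinary renames; malformed and non-rename lines are skipped.
SAMPLE_LOG = """\
2020-07-19T02:10:01 csbs-fs01 jdoe RENAME /share/grades.xlsx -> /share/grades.xlsx.locked
2020-07-19T02:10:02 csbs-fs01 jdoe RENAME /share/thesis.docx -> /share/thesis.docx.locked
2020-07-19T02:10:02 csbs-fs01 jdoe OPEN /share/readme.txt
2020-07-19T02:10:03 csbs-fs01 jdoe RENAME /share/survey.csv -> /share/survey.csv.locked
2020-07-19T02:10:04 csbs-fs01 jdoe RENAME /share/irb.pdf -> /share/irb.pdf.locked
2020-07-19T02:10:05 csbs-fs01 jdoe RENAME /share/roster.xlsx -> /share/roster.xlsx.locked
2020-07-19T02:10:06 csbs-fs01 jdoe RENAME /share/budget.xlsx -> /share/budget.xlsx.locked
2020-07-19T09:00:00 admin-fs02 asmith RENAME /docs/report.tmp -> /docs/report.pdf
2020-07-19T09:05:00 admin-fs02 asmith RENAME /docs/draft.docx -> /docs/final.docx
2020-07-19T09:40:00 admin-fs02 asmith RENAME /docs/notes.tmp -> /docs/notes.pdf
this line is garbage and must be ignored
"""

def parse_line(line):
    """Return a rename event dict, or None for lines that are not well-formed renames."""
    parts = line.split()
    if len(parts) != 7 or parts[3] != "RENAME" or parts[5] != "->":
        return None
    ts, host, user, _, old, _, new = parts
    try:
        stamp = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": stamp, "host": host, "user": user,
            "old_ext": os.path.splitext(old)[1].lower(),
            "new_ext": os.path.splitext(new)[1].lower()}

def max_in_window(stamps, window):
    """Largest number of sorted timestamps that fall inside any span of length `window`."""
    best, start = 0, 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect_burst_renames(log_text, window_seconds=60, threshold=5):
    """Alert on (host, new extension) pairs with >= threshold extension-changing
    renames inside any window of window_seconds. Returns a list of alert dicts."""
    window = timedelta(seconds=window_seconds)
    groups = defaultdict(list)   # (host, new_ext) -> timestamps
    users = defaultdict(set)     # (host, new_ext) -> users seen renaming
    for event in map(parse_line, log_text.splitlines()):
        # Only renames that change the extension resemble encryption; "a.docx -> b.docx" does not.
        if event and event["new_ext"] and event["new_ext"] != event["old_ext"]:
            key = (event["host"], event["new_ext"])
            groups[key].append(event["ts"])
            users[key].add(event["user"])
    alerts = []
    for (host, ext), stamps in groups.items():
        stamps.sort()            # logs are not guaranteed to arrive in order
        count = max_in_window(stamps, window)
        if count >= threshold:
            alerts.append({"host": host, "ext": ext, "count": count,
                           "users": sorted(users[(host, ext)]),
                           "first_seen": stamps[0].isoformat()})
    return sorted(alerts, key=lambda a: a["host"])

if __name__ == "__main__":
    for alert in detect_burst_renames(SAMPLE_LOG):
        print(f"ALERT {alert['host']}: {alert['count']} files renamed to {alert['ext']} "
              f"by {', '.join(alert['users'])} starting {alert['first_seen']}")
```

The thresholds are deliberately parameters: a 60-second window and five renames is a starting point for a small departmental share, and a tuned deployment would also whitelist known batch jobs and feed the alert into the same isolation step the university took, cutting the host off from the network before more of the share is encrypted.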
Resources
Cimpanu, C. (2020, August 21). University of Utah pays $457,000 to ransomware gang. Retrieved from https://www.zdnet.com/article/university-of-utah-pays-457000-to-ransomware-gang/
Dudley, G. (2020, August 21). University of Utah paid hackers $457k after ransomware attack. Retrieved from https://www.ksl.com/article/50008933/university-of-utah-paid-hackers-457k-after-ransomware-attack
Hamilton, E. (2020, August 21). The University of Utah just footed a $457,000 ransomware bill. Retrieved from https://news.knowledia.com/US/en/articles/the-university-of-utah-just-footed-a-457-000-ransomware-bill-fae31fb0a1a1ae1ac148c4e67e5dfba60b78f42f
Kass, D.H. (2020, August 26). University of Utah pays nearly $500k to ransomware gang to recover data. Retrieved from https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/university-of-utah-pays-nearly-500k-to-ransomware-gang-to-recover-data/
Pierce, S.D. (2020, August 21). University of Utah pays more than $450,000 in ransomware attack on its computers. Retrieved from https://www.sltrib.com/news/2020/08/21/university-utah-pays-more/
Raymond, A. (2020, August 21). Cyber swindlers take University of Utah for nearly $500k in ransomware attack. Retrieved from https://www.deseret.com/utah/2020/8/21/21396174/cyber-swindlers-take-university-of-utah-for-nearly-500k-in-ransomware-attack