
University of Calgary pays $15,000 to criminal ransomware attackers

 

What happens if you give in to criminal demands? Simple – the criminals keep committing crimes.

But what happens if you get struck by a ransomware attack, and don’t have proper backups to restore your precious data? Potentially you’re stuck in a quandary.

No-one likes to send a message to malicious hackers that crime pays, but that sadly is what the University of Calgary appears to have done.

Yesterday, in a press release, Vice President Linda Dalgetty revealed that approximately $20,000 CDN (US $15,600) had been paid to extortionists who had hit the Canadian university’s systems with a vicious ransomware attack.

Problems started for the University of Calgary a week-and-a-half ago, when a malware attack disrupted the campus’s email, Skype, wireless networks and Active Directory systems.

As the local media reported at the time, classes continued as normal but staff were warned not to use any university-issued computers and to stay off University of Calgary networks.

Clearly, despite their best efforts in the wake of the attack, the university’s IT team was unable to achieve a proper recovery. And so, the university paid the ransomware attackers’ Bitcoin ransom:

“As part of efforts to maintain all options to address these systems issues, the university has paid a ransom totalling about $20,000 CDN that was demanded as part of this “ransomware” attack. A ransomware attack involves an unknown cyberattacker locking or encrypting computers or computer networks until a ransom is paid, and when it is, keys, or methods of decryption, are provided. Ransomware attacks and the payment of ransoms are becoming increasingly common around the world.”

And the university is right. A lot of people are choosing to pay extortionists after their computer systems are compromised, and their data locked up with uncrackable encryption algorithms.

The rise of ransomware has been one of the biggest computer stories of the last couple of years, and has proven an effective way for online criminals to make a vast amount of money.

And much as it leaves an unpleasant taste in the mouth to give in to cybercriminals, I am sympathetic with businesses who find themselves having to make the pragmatic decision to pay up in order to stay in business.

Of course, that’s not the complete end to the story.

As Dalgetty describes, even with the decryption keys handed over by the cybercriminals, full recovery of encrypted data might take some time:

“A ransomware attack involves an unknown cyberattacker locking or encrypting computers or computer networks until a ransom is paid, and when it is, keys, or methods of decryption, are provided. Ransomware attacks and the payment of ransoms are becoming increasingly common around the world. The university is now in the process of assessing and evaluating the decryption keys. The actual process of decryption is time-consuming and must be performed with care. It is important to note that decryption keys do not automatically restore all systems or guarantee the recovery of all data. A great deal of work is still required by IT to ensure all affected systems are operational again, and this process will take time.”

As I’ve said many times before – it’s always better to be in a position of preventing a security incident rather than mopping up afterwards. With ransomware that is particularly important, as often the only way to recover your data (if precautions such as secured backups have not been made in advance) is to take the unpleasant step of paying the very people who are attacking you.

You don’t want to find yourself in the same position as the University of Calgary. Be sure to check out my tips on how to prevent your business suffering a ransomware attack before it happens to you.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments


  • Systems that have many users are intrinsically more difficult to protect, and (in principle) it is practically impossible to make such systems hack-proof. But there is nothing—either in principle or in practice—that prevents backing up a system. That's the rational approach.

    One wonders whether the backlash from the increasing number of ransomware and other cybercrime events will be rational ("I must take responsibility for the security of my data.") or irrational ("The government must do something, dammit!") The rational approach is guaranteed to work. The irrational approach is guaranteed to create more problems than it solves.

  • I was expecting you to write about this..and so you did.

    Another point of interest that I think the unprepared (and maybe even the prepared) fail to consider: it is indiscriminate; who cares about what the actual claim is? If they follow through with the promise and you do indeed recover your data, who is to say it doesn't happen again by the same bug or a strain of it?

    The BBC cited someone who says there is a new tactic: if you don't pay ransom your data will be published online. To that I wonder how they do that if it's encrypted.. because depending on what kind of content it'd take quite a long time to first download the victim's data (and dependent on the connection speed and other variables) before then encrypting it (and if not rate limited it could potentially saturate the link of the victim in which case raise an alarm if anyone is at the victim device).