Image by Daoleduc via GettyImages.ca
Image by Daoleduc via GettyImages.ca

Carleton University is still investigating the source of a computer attack Tuesday that infected over 3,000 PCs and temporarily interrupted service to students and faculty amid reports of a ransomware infection.

UPDATE: In an interview Thursday morning Beth Gorham, the university’s manager of public affairs, said remediation work is still ongoing but “quite a bit of things” haven’t yet been restored.

Some of the 3,200 Windows-based university workstations infected have been brought back online.

On Wednesday Gorham said the Computing and Communications Services staff have “made some progress … business operations at the university is continuing.”  She couldn’t say how many student-owned computers were infected.

“We have managed to resurrect all of our email services, there has been no impact on our CU Wireless system (the campus Wi-Fi), so everybody can log into the network and use their own system (PC) without any concerns. There has been no impact on our lab computers, no impact on our classroom PCs … No emails that were sent were lost because that system was not hindered. Also CU Learn, which is an online learning hub for our students, has not been impacted. Apparently only authentication was impacted, but we’re working with Microsoft to resolve any potential underlying issues.”

On Tuesday morning the university warned students and faculty not to connect to the network on campus because there was “an attempt by an external group or individual to hack into the IT network.”  At one point the university warned the community through its Web site that “any system accessible from the main network, that is Windows based, may have been compromised.”

However A few hours later it said “if users on campus are able to use their computer to conduct business, they are encouraged to do so.”

By 6 p.m. Tuesday Gorham, said in an interview that “we’re working hard on recovering our system usage. The university is open, classes are going on as scheduled.”

Because IT staff are still investigating she couldn’t comment on how the attack started, nor could she say if it addition to student-owned PCs the university’s servers had been infected. “There is no indication at all at this point that any personal information of students, faculty or staff was breached,” she added.

There are about 30,000 students plus 3,000 faculty and staff at the university.

One graduate student told CBC News on Tuesday  that “Our research is halted right now because all our computers are either shut down or infected.” Machines infected were demanding two bitcoin (about $1,962) for a key to unlock the code.

With their large student bodies and valuable research databases, universities are tempting targets. Some students — and universities — are willing to pay up to not have work on their computers unreachable. Earlier this year the University of Calgary paid $20,000 for decryption keys after some 100 PCs ir servers were hit by the malware. It isn’t clear, though, if the university had to use the keys or was able to recover the data either from backups or other ways.

Ransomware’s attractiveness to attackers is obvious: For the cost of merely sending out thousands of  spam-filled email attachments they can get back tens of thousands of dollars. This has given rise on the so-called Dark Web to ransomware-as-a-service, custom ransomware and creative derivatives from open-source ransomware, noted a report issued Tuesday by McAfee Labs.

Because of the reluctant of victims to report being struck accurate data is hard to come by. But there is some evidence Canadians are more willing than others to pay up. According to a survey by Malwarebytes 75 per cent of the Canadian respondents who said their organizations were hit during the 12 months ending in June paid ransoms to get their computers unlocked. By comparison only three per cent of U.S. victim organizations paid, 22 per cent in Germany and 58 per cent in the U.K.

For end users the best defence is to be suspicious of every messages asking to click on an attachment or a link to a Web site without first slowly looking at who it came from. For CISOs the best defence is tested backup and recovery.