IT staff at the University of Calgary are believed to be still poring over its IT systems for encrypted data in the wake of one of the country’s biggest disclosed ransomware attacks.
Some 100 systems were hit by the malware.
But it is only one of a surge in reported ransomware attacks in this country. Security vendor Trend Micro has seen a 20 per cent uptick over the last three months in malicious requests from infected machines to command and control infrastructure, said Mark Nunnikhoven, the company's Ottawa-based vice-president of cloud research.
"That works out to a few thousand requests a day," he said, although not all of them would be unique. The traffic would include infected machines contacting the ransomware's C&C servers and the servers sending back keys.
Ryan Kalember, senior vice-president of cybersecurity strategy at security vendor Proofpoint, said in a statement his firm recently stopped multiple campaigns that sent hundreds of millions of messages worldwide in a single day.
Because the university has turned the incident over to police, it isn't saying anything beyond the carefully worded statements made earlier this week by university official Linda Dalgetty.
“At this point, we do have some encrypted machines,” Dalgetty told the Calgary Herald. “We have not used any of the decryption keys.” She also said the university paid the equivalent of $20,000 in Bitcoin for the keys.
“The university is now in the process of assessing and evaluating the decryption keys,” Dalgetty said in a June 7 statement on the university’s Web site. “The actual process of decryption is time-consuming and must be performed with care. It is important to note that decryption keys do not automatically restore all systems or guarantee the recovery of all data. A great deal of work is still required by IT to ensure all affected systems are operational again, and this process will take time.”
It is believed that as of Thursday it had still not used the keys.
The university has emphasized that all faculty and staff are now able to use email through Microsoft Office 365. It had started to migrate to that platform before the attack struck on May 28. At that time it said on-premises email, Skype for Business, the administration VPN, the secure wireless network and Microsoft Active Directory were experiencing issues, and it asked faculty and staff not to use university-owned computers.
Understandably, given the criminal investigation, the university isn't saying anything more. But the fact that the decryption keys haven't been used has raised some eyebrows. "What it sounds like to me is they're being very careful" about trying the keys, said Nunnikhoven.
An average user would immediately enter the key and decrypt their files. "An organization like the University of Calgary has a good IT staff, good support structure, they have the resources, I imagine they're taking a little bit more diligence around doing that. So what they will probably do is take a forensic copy of the machines that were infected and try the key. What that would do is give them a safe way to try it without impacting either the original evidence… but also it would give them a deeper understanding of what was going on."
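The procedure Nunnikhoven describes, as an added example that is not code from the article, the university or Trend Micro: hash the evidence tree, work only on a copy, try the candidate key there, refuse to write out "decrypted" output that has no recognisable file header (a wrong key yields garbage), and re-hash the evidence afterwards to prove the trial touched nothing. Because the article does not name the ransomware family or its key format, the decryption routine here is a labelled stand-in (repeating-key XOR), and the key `KEY_A`, the `.locked` suffix and the sample files are constructed assumptions.

```python
"""Try candidate decryption keys against a forensic copy, never the evidence itself."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, Tuple

# Assumed key for the constructed sample; a real key comes from the attacker or a vendor decryptor.
KEY_A = b"trial-key-2016"

# File headers a correctly decrypted file should start with. Output that matches none of
# them is recorded as a failure and not written anywhere: a wrong key produces garbage,
# and garbage must never overwrite a file.
KNOWN_MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> Dict[str, str]:
    """Hash every file under root; comparing manifests before and after the trial
    proves the evidence was not altered."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_working_copy(evidence: Path) -> Path:
    """All writes happen in this copy; the evidence tree is only ever read."""
    work = Path(tempfile.mkdtemp(prefix="ransom-trial-")) / "copy"
    shutil.copytree(evidence, work)
    return work


def stand_in_decrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for the real decryptor (assumption: the article names no family).
    Repeating-key XOR keeps the sample self-contained; real families use AES/RSA."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def trial_decrypt(evidence: Path, key: bytes,
                  decrypt: Callable[[bytes, bytes], bytes],
                  suffix: str = ".locked") -> Tuple[Dict[str, str], bool]:
    """Decrypt every *suffix file in a copy of evidence. Returns the per-file outcome
    and whether the evidence manifest is unchanged afterwards."""
    before = manifest(evidence)
    work = make_working_copy(evidence)
    outcome: Dict[str, str] = {}
    for enc in sorted(work.rglob(f"*{suffix}")):
        plain = decrypt(enc.read_bytes(), key)
        kind = next((name for magic, name in KNOWN_MAGIC.items()
                     if plain.startswith(magic)), None)
        if kind:
            enc.with_suffix("").write_bytes(plain)  # report.pdf.locked -> report.pdf
            enc.unlink()
        outcome[str(enc.relative_to(work))] = kind or "FAILED: no recognised file header"
    evidence_untouched = manifest(evidence) == before
    return outcome, evidence_untouched


def build_sample_evidence() -> Path:
    """Constructed sample: one file locked with KEY_A and one with a different key,
    as happens when a campaign uses per-machine keys."""
    root = Path(tempfile.mkdtemp(prefix="evidence-"))
    (root / "report.pdf.locked").write_bytes(
        stand_in_decrypt(b"%PDF-1.4 constructed sample document", KEY_A))
    (root / "thesis.docx.locked").write_bytes(
        stand_in_decrypt(b"PK\x03\x04 constructed sample document", b"some-other-key"))
    return root


if __name__ == "__main__":
    ev = build_sample_evidence()
    result, untouched = trial_decrypt(ev, KEY_A, stand_in_decrypt)
    for name, status in result.items():
        print(f"{name}: {status}")
    print("evidence untouched:", untouched)
```

The header check is the part most often skipped in practice: a decryptor that reports success on every file tells you nothing, whereas a file that starts with `%PDF` after decryption is evidence the key fits. The second sample file fails deliberately to show that per-machine keys, which the university's own statement hints at, are found this way rather than by trusting the tool.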
Paying the ransom has also drawn some debate. Dalgetty told CBC Radio that the university paid because, while it had a good understanding of who had been affected so far, that might not be everyone. "We did not want to be in the position that we had exhausted the option to get people's potential life work back," she said, in case someone later discovered they couldn't get their files. But some police and cybercrime experts believe that paying only encourages criminals.
"Our recommendation is not to pay," Nunnikhoven said. "But you can understand the position the University of Calgary and other institutions are in. If you don't have a backup and you do get infected it's an extremely difficult decision to make because if it's critical data to you and your business you need to dig deep and decide what the right move for you is."
The better course for a CISO is to avoid the situation altogether: keep multiple backups of data, and patch systems promptly so attackers can't exploit known vulnerabilities.
Sherrod DeGrippo, Proofpoint's director of emerging threats, adds this proviso: some ransomware versions search for attached storage, including mapped network drives, so CISOs need to ensure there is a genuinely offline backup for best protection.
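A check for DeGrippo's proviso, as an added example (not from the article or Proofpoint): parse the host's mount table and list every writable network share or removable volume, which is exactly the storage a ransomware process running as the logged-in user can enumerate and encrypt; a "backup" living there is online, not offline. The `/proc/mounts` lines, hostnames and paths are constructed, and the removable-media prefixes are an assumed convention.

```python
"""Audit which mounted storage a ransomware process on this host could reach."""
from typing import List, NamedTuple

# Filesystem types that are really a network share: if mounted read-write, malware
# running as the logged-in user can encrypt them just like the local disk.
NETWORK_FS = {"cifs", "smb3", "nfs", "nfs4", "fuse.sshfs"}
# Mountpoint prefixes that usually mean removable media (assumed convention).
REMOVABLE_PREFIXES = ("/media/", "/run/media/", "/mnt/usb")


class Mount(NamedTuple):
    device: str
    point: str
    fstype: str
    writable: bool


def parse_mounts(text: str) -> List[Mount]:
    """Parse /proc/mounts lines: device mountpoint fstype options dump pass."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, point, fstype, options = parts[:4]
        mounts.append(Mount(device, point, fstype, "rw" in options.split(",")))
    return mounts


def reachable_by_ransomware(mounts: List[Mount]) -> List[Mount]:
    """Writable network shares and removable media. The local disk is always hit, so
    the question for a backup owner is whether the backup target is in this list."""
    return [m for m in mounts if m.writable
            and (m.fstype in NETWORK_FS or m.point.startswith(REMOVABLE_PREFIXES))]


def backup_is_online(backup_path: str, mounts: List[Mount]) -> bool:
    """True if backup_path lives on a mount the malware could reach, i.e. it is not
    an offline backup in the sense DeGrippo means."""
    for m in reachable_by_ransomware(mounts):
        if backup_path == m.point or backup_path.startswith(m.point.rstrip("/") + "/"):
            return True
    return False


# Constructed /proc/mounts sample; hostnames and paths are made up.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
//fileserver.example.edu/research /mnt/research cifs rw,relatime,vers=3.0,username=jdoe 0 0
nas.example.edu:/export/backups /mnt/backups nfs4 rw,relatime,vers=4.1 0 0
/dev/sdb1 /media/jdoe/BACKUP-USB vfat rw,nosuid,nodev 0 0
//fileserver.example.edu/archive /mnt/archive cifs ro,relatime,vers=3.0 0 0
"""

if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNTS)
    for m in reachable_by_ransomware(mounts):
        print(f"exposed: {m.point} ({m.fstype} on {m.device})")
    print("nightly backup online?", backup_is_online("/mnt/backups/nightly", mounts))
```

On a real host replace `SAMPLE_MOUNTS` with the contents of `/proc/mounts`. The read-only archive share is deliberately excluded: a mount the user cannot write to is not something the user's malware can encrypt either, which is one cheap way to keep a backup target out of reach without unplugging it.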
Without knowing details of the infection it's difficult to say how the attack started, although ransomware is typically delivered in email attachments. Kellman Meghu, the Toronto-based head of data centre virtualization and infrastructure for Check Point Software, says that CISOs have to change their strategy.
Organizations often deploy malware detection in monitor-only mode. That has the benefit of not slowing down network traffic, he said, but it increases risk, because by the time an alert fires the attachment has already reached the user. Better to be preventive with a solution that accounts for the possibility of zero-day exploits, he said, such as one that strips suspicious content from attachments and releases the sanitized copy right away, so end users experience no delay, and then analyzes the suspicious code separately.
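The scrub-and-release flow Meghu describes, as an added example that is not Check Point's product or code from the article: for a Word attachment, drop the VBA project from the OOXML package, remove the relationship and content-type entries that point at it, downgrade the main part's content type so Word opens the result as a plain document, and hand the user that copy immediately while the original (only if it actually carried macros) is held for analysis. The sample document is constructed in memory and covers only the VBA case; a real gateway needs a scrubber per format, and the function names are this example's own.

```python
"""Scrub-then-analyze for Office attachments: remove active content, deliver the
copy now, hold the original for analysis."""
import io
import re
import zipfile
from typing import Dict, Optional, Tuple

VBA_PART = "word/vbaProject.bin"
MACRO_CT = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def parts_of(doc: bytes) -> Dict[str, bytes]:
    """Read every part of an OOXML package (a zip) into memory."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        return {name: z.read(name) for name in z.namelist()}


def scrub_vba(doc: bytes) -> Tuple[bytes, bool]:
    """Return (sanitised copy, had_macros). Drops the VBA binary, the relationship that
    points at it and its content-type entries, and downgrades the main part's content
    type so Word treats the result as a plain .docx rather than a broken .docm."""
    parts = parts_of(doc)
    had_macros = VBA_PART in parts
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, data in parts.items():
            if name == VBA_PART:
                continue
            if name == "[Content_Types].xml":
                data = re.sub(rb'<Override[^>]*PartName="/word/vbaProject\.bin"[^>]*/>', b"", data)
                data = re.sub(rb'<Default[^>]*ContentType="application/vnd\.ms-office\.vbaProject"[^>]*/>', b"", data)
                data = data.replace(MACRO_CT, PLAIN_CT)
            elif name == "word/_rels/document.xml.rels":
                data = re.sub(rb'<Relationship[^>]*Target="vbaProject\.bin"[^>]*/>', b"", data)
            dst.writestr(name, data)
    return out.getvalue(), had_macros


def release_and_queue(filename: str, data: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Gateway decision: (what to deliver now, what to hold for analysis). The user gets
    the scrubbed copy immediately; only attachments that carried active content are
    queued for the slower sandbox step, so the analysis never delays delivery."""
    if filename.lower().endswith((".docm", ".dotm", ".docx")):
        clean, had_macros = scrub_vba(data)
        return clean, (data if had_macros else None)
    return data, None  # other formats need their own scrubber; passed through here


def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled document containing just the parts the scrubber touches."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '</Types>')
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '</Relationships>')
        # OLE header bytes followed by filler: a stand-in for a real VBA project stream
        z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 constructed stand-in for a VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_docm()
    deliver, held = release_and_queue("invoice.docm", original)
    print("delivered parts:", sorted(parts_of(deliver)))
    print("original held for analysis:", held is not None)
```

Removing the part alone is not enough: Word checks the content type and the relationship, so a copy that still declares itself macro-enabled either fails to open or prompts the user, which defeats the "no delay" goal. The detect-only deployment Meghu warns about is the `held` branch without the `deliver` branch: the alert fires, but the user already has the original.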
Meanwhile infosec teams should note recent ransomware news:
—The SANS Internet Storm Center reports that distributors of the CryptXXX ransomware are now using the Neutrino exploit kit as well as the Angler kit. A researcher found a compromised website carrying injected script from two different campaigns, the first time he had seen two infections on the same site. Usually one cancels the other;
—Cisco’s Talos security blog claims that with its release of a new decryptor for the TeslaCrypt ransomware, “the battle is effectively over in that there is a decryptor for all versions of this ransomware variant.” Last month, the blog notes, those behind TeslaCrypt ransomware decided to stop their activities — probably because of fatal flaws in the malware’s code that led researchers and security vendors to find ways to break it — and released their master key.
You can bet these malware authors will try again.