Ransomware Virus Infected Local CC

Hunter91

I was trying to register for Winter courses at my local community college last week, and the website wasn't working. I found that to be extremely odd to have the website be down for a week leading up to a new semester, but I thought 'oh well, that's community college for ya' lol!

Fast forward to today...

I received an email about twenty minutes ago saying that the school's servers were infected with a ransomware virus, and the school decided to pay up in exchange for a 'key' in order to access their hundreds of thousands of files being held random.

Here is the email,

"This is a follow up message on the malicious cyber activity that the LACCD is investigating that has disrupted many computer, online, email, and voice mail systems at LAVC. In consultation with district and college leadership, outside cybersecurity experts and law enforcement, a $28,000 payment was made by the District.

It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost.

After payment was made, a 'key' was delivered to open access to our computer systems. The process to 'unlock' hundreds of thousands files will be a lengthy one, but so far, the key has worked in every attempt that has been made.

Our information technology department has a plan in place to bring back servers in a logical manner that prioritize key college services that impact communications with students, faculty and staff. There currently isn’t a set time table for when all communication services are restored."

I'm guessing they used bitcoin? It's untraceable, right?

Anyways, thought this forum would think this was interesting

gespenstern

Yawn.

Can't even come up with anything meaningful as everything was said many, many times. I'm not even going to ask where their backups were and stuff like that.

TheFORCE

gespenstern wrote: »

Yawn.

Can't even come up with anything meaningful as everything was said many, many times. I'm not even going to ask where their backups were and stuff like that.

Yep that was my first thought too.

Bad move to pay the money, now the attacker knows that you will pay in the future, so what is stopping them from doing it again 5- months or 1 year down the road? And really they consulted "cyber security experts" and the law enforcement and they agreed to pay? seriously? All literature out there and white papers and articles and everything from leading cyber security experts say to not pay the money. Who were these people that agreed?

thomas_

Use of tuition dollars at its finest. I'm sure the college's president will get a hefty raise for leading the college through such a difficult time.

dhay13

I am a little surprised that they announced the attack in that manner. A simple email stating they had experienced a technical issue would have been sufficient and not been as damaging to the schools reputation. Unless there was a breach involving PII and legal disclosure then I would think it best to not let that info out?

Hunter91

dhay13 wrote: »

I am a little surprised that they announced the attack in that manner. A simple email stating they had experienced a technical issue would have been sufficient and not been as damaging to the schools reputation. Unless there was a breach involving PII and legal disclosure then I would think it best to not let that info out?

I was also surprised they were so transparent about the issue and resolution.

TechGromit

Hunter91 wrote: »

In consultation with district and college leadership, outside cybersecurity experts and law enforcement, a $28,000 payment was made by the District.

Maybe the cyber security experts can educate them that backup server are considerately cheaper than 28k and have an even higher provability to recovering lost information. But that's the way thing usually go in IT, it's not a consideration until it's an emergency. With a proper backup policy, it sould have been wipe the servers, reinstall op system, restore backups. Also restricting access to only the people that absolutely need it would minimize damage. I'm in cyber security, but have no access to any of the onsite servers, cause I don't need it.

Verities

TechGromit wrote: »

Maybe the cyber security experts can educate them that backup server are considerately cheaper than 28k and have an even higher provability to recovering lost information. But that's the way thing usually go in IT, it's not a consideration until it's an emergency. With a proper backup policy, it sould have been wipe the servers, reinstall op system, restore backups. Also restricting access to only the people that absolutely need it would minimize damage. I'm in cyber security, but have no access to any of the onsite servers, cause I don't need it.

I do agree with you, but it probably spread to their backup servers as well, but given what occurred, they clearly didn't have off site backups (whether cloud or physical) that may not have been affected by it.

Verities

TheFORCE wrote: »

Yep that was my first thought too.

Bad move to pay the money, now the attacker knows that you will pay in the future, so what is stopping them from doing it again 5- months or 1 year down the road? And really they consulted "cyber security experts" and the law enforcement and they agreed to pay? seriously? All literature out there and white papers and articles and everything from leading cyber security experts say to not pay the money. Who were these people that agreed?

Unless you have a way to decrypt all the information that was affected by the ransomware or without some sort of backup elsewhere they had little choice. Also, they'll probably get the money back through subsidies from the Government.

NetworkingStudent

ok I'm just curious.............

Sounds like the college handled this very poorly, I hope Mr. hunter chooses to go to another college.

Rumblr33

This is interesting in the fact that the college was so candid about paying the ransom and the process it is taking to restore the servers. There is no doubt in my mind, they will be targeted again and this time with malware package that will include some type of data exfiltration. I do not agree with paying the ransom as most have stated, this is like negotiating with terrorist. Even if they did negotiate, Hollywood Presbyterian settled for less of a requested ransom, why couldn't the community college. $28,000 seems steep to me, but I don't know how valuable their data is.

jcundiff

and they wonder why ransomware is a billion dollar industry (2016 estimated numbers) colleges are easy hanging fruit since they are typically behind even the healthcare industry when it comes to security... Back your sh1t up! basic security hygiene.. a well defined back-up program would have prevented this... at least Hunter91 will know why tuition takes a hike next semester :O

TechGromit

Rumblr33 wrote: »

Even if they did negotiate, Hollywood Presbyterian settled for less of a requested ransom, why couldn't the community college. $28,000 seems steep to me, but I don't know how valuable their data is.

Who knows maybe 28k is the negotiated rate. Also depends on how they got hit by ransomware, it was by spam email or a website download, it could be as simple as the average ransom of $300 per computer times the number of computers / servers affected.

Node Man

$28k == poetic justice? Sounds like the amount for a years tuition.

Moldygr33nb3an

So many organizations pay the ransom because they fail to maintain their backups properly. I'm actually surprised they delivered the key. It's becoming a steady trend a lot of these groups aren't delivering the key after payment has been made. I think the reputation has been "good" as far as key delivery, and now others are getting in on it with no intention on providing the decryption key.

Oh boy.

On second thought, maybe they will sink their own "industry." Eventually people and organizations will stop paying the ransom because they know the probability of receiving the key is next to none.

Rumblr33

TechGromit wrote: »

Who knows maybe 28k is the negotiated rate. Also depends on how they got hit by ransomware, it was by spam email or a website download, it could be as simple as the average ransom of $300 per computer times the number of computers / servers affected.

This still seems high to me. I also found out they paid the ransom via their cybersecurity insurance and this leads me to believe there was no negotiation.

https://services.laccd.edu/districtsite/docs/LAVC_Cybersecurity_Event_FAQ_from_President_Endrijonas.pdf

TechGromit

Moldygr33nb3an wrote: »

It's becoming a steady trend a lot of these groups aren't delivering the key after payment has been made.

Shocking, where is the work ethic among thieves. It's almost getting embarrassing getting called a criminal.

TechGromit

Rumblr33 wrote: »

https://services.laccd.edu/districtsite/docs/LAVC_Cybersecurity_Event_FAQ_from_President_Endrijonas.pdf

So the district is advanced enough to have a cybersecurity protocol in place, but no backup strategy? The good news is they do not offer an associates degree in computer science because I don't think they are qualified to teach A+ certification night courses. My guess is there backup strategy consisted on disk to disk online backups. Convenient, but not wisest of solutions.

Qord

That sucks, I would not want to be a member of that IT team right now.

Rumblr33 wrote: »

This still seems high to me. I also found out they paid the ransom via their cybersecurity insurance and this leads me to believe there was no negotiation.

https://services.laccd.edu/districtsite/docs/LAVC_Cybersecurity_Event_FAQ_from_President_Endrijonas.pdf

The fact that they say "hundreds of thousands" of files need to be unlocked make me wonder if backups are not their biggest problem.

Node Man wrote: »

$28k == poetic justice? Sounds like the amount for a years tuition.

Or maybe a disgruntled salary...

themanwholaughs

Yeah like people have said before don't think the IT team had decent backups. I have decrypted ransomware myself for a family friend and they didn't have any backups. Its good tho at the time the creators of that ransomware released the master key.

Backups are good way to stop ransomware but also user education is the top thing they need. There's ways to stop the ransomware from even running on the servers now like using software restriction policies or use CryptoLocker Prevention kit. Spam and Email filters up to date and always checking files for malicious attachments. The software restriction policies makes a the files not able to run where ransomware normally runs. Countless businesses seem not really put the effort in to stop the ransomware so they get court out in the emergency.

MAC_Addy

I'm confused - they received an e-mail stating the files were locked? They didn't notice their files were locked?

gespenstern

TechGromit wrote: »

So the district is advanced enough to have a cybersecurity protocol in place, but no backup strategy? The good news is they do not offer an associates degree in computer science because I don't think they are qualified to teach A+ certification night courses. My guess is there backup strategy consisted on disk to disk online backups. Convenient, but not wisest of solutions.

You can easily make this solution "ransomware ready". Just make sure to connect a mapped drive before and disconnect a mapped drive after if you do it over SMB and do it under a designated backup account that doesn't have a mailbox and can't click on suspicious attachments, so backups can be read/written only by backup account and nobody else. If the backup media appears local (SAN, etc) disable automount for appropriate drives, start your backup with mounting and finish with unmounting.

I haven't seen any ransomware families that would care about anything besides local drives and network SMB shares. So if your backup is over, let's say, FTP or proprietary thing -- you are fine. If it runs under a backup account and the copies are restricted for anybody else -- you are fine.