Ransomware Virus Infected Local CC
I was trying to register for Winter courses at my local community college last week, and the website wasn't working. I found that to be extremely odd to have the website be down for a week leading up to a new semester, but I thought 'oh well, that's community college for ya' lol!
Fast forward to today...
I received an email about twenty minutes ago saying that the school's servers were infected with a ransomware virus, and the school decided to pay up in exchange for a 'key' in order to access their hundreds of thousands of files being held for ransom.
Here is the email:
"This is a follow-up message on the malicious cyber activity that the LACCD is investigating that has disrupted many computer, online, email, and voice mail systems at LAVC. In consultation with district and college leadership, outside cybersecurity experts and law enforcement, a $28,000 payment was made by the District.
It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost.
After payment was made, a 'key' was delivered to open access to our computer systems. The process to 'unlock' hundreds of thousands of files will be a lengthy one, but so far, the key has worked in every attempt that has been made.
Our information technology department has a plan in place to bring back servers in a logical manner that prioritizes key college services that impact communications with students, faculty and staff. There currently isn't a set timetable for when all communication services are restored."
I'm guessing they used bitcoin? It's untraceable, right?
Anyways, thought this forum would think this was interesting
Comments
-
gespenstern Member Posts: 1,243
Yawn.
Can't even come up with anything meaningful, as everything was said many, many times. I'm not even going to ask where their backups were and stuff like that.
-
TheFORCE Member Posts: 2,297
gespenstern wrote: »Yawn. Can't even come up with anything meaningful, as everything was said many, many times. I'm not even going to ask where their backups were and stuff like that.
Yep, that was my first thought too.
Bad move to pay the money: now the attacker knows that you will pay in the future, so what is stopping them from doing it again 5 months or 1 year down the road? And really, they consulted "cyber security experts" and law enforcement and they agreed to pay? Seriously? All the literature out there, white papers and articles and everything from leading cyber security experts say not to pay the money. Who were these people that agreed?
-
thomas_ Member Posts: 1,012
Use of tuition dollars at its finest. I'm sure the college's president will get a hefty raise for leading the college through such a difficult time.
-
dhay13 Member Posts: 580
I am a little surprised that they announced the attack in that manner. A simple email stating they had experienced a technical issue would have been sufficient and not been as damaging to the school's reputation. Unless there was a breach involving PII and legal disclosure, I would think it best not to let that info out?
-
Hunter91 Member Posts: 10
dhay13 wrote: »I am a little surprised that they announced the attack in that manner. A simple email stating they had experienced a technical issue would have been sufficient and not been as damaging to the school's reputation. Unless there was a breach involving PII and legal disclosure, I would think it best not to let that info out?
I was also surprised they were so transparent about the issue and resolution.
-
TechGromit Member Posts: 2,156
From the email: »In consultation with district and college leadership, outside cybersecurity experts and law enforcement, a $28,000 payment was made by the District.
Maybe the cyber security experts can educate them that backup servers are considerably cheaper than 28k and have an even higher probability of recovering lost information. But that's the way things usually go in IT: it's not a consideration until it's an emergency. With a proper backup policy, it should have been: wipe the servers, reinstall the operating system, restore backups. Also, restricting access to only the people that absolutely need it would minimize damage. I'm in cyber security, but have no access to any of the onsite servers, because I don't need it.
Still searching for the corner in a round room.
-
Verities Member Posts: 1,162
TechGromit wrote: »Maybe the cyber security experts can educate them that backup servers are considerably cheaper than 28k and have an even higher probability of recovering lost information. But that's the way things usually go in IT: it's not a consideration until it's an emergency. With a proper backup policy, it should have been: wipe the servers, reinstall the operating system, restore backups. Also, restricting access to only the people that absolutely need it would minimize damage. I'm in cyber security, but have no access to any of the onsite servers, because I don't need it.
I do agree with you, but it probably spread to their backup servers as well; given what occurred, they clearly didn't have off-site backups (whether cloud or physical) that might not have been affected by it.
-
Verities Member Posts: 1,162
TheFORCE wrote: »Yep, that was my first thought too. Bad move to pay the money: now the attacker knows that you will pay in the future, so what is stopping them from doing it again 5 months or 1 year down the road? And really, they consulted "cyber security experts" and law enforcement and they agreed to pay? Seriously? All the literature out there, white papers and articles and everything from leading cyber security experts say not to pay the money. Who were these people that agreed?
Unless you have a way to decrypt all the information that was affected by the ransomware, or some sort of backup elsewhere, they had little choice. Also, they'll probably get the money back through subsidies from the government.
-
NetworkingStudent Member Posts: 1,407
OK, I'm just curious.............
Sounds like the college handled this very poorly. I hope Mr. Hunter chooses to go to another college.
"When one door closes, another opens; but we often look so long and so regretfully upon the closed door that we do not see the one which has opened."
--Alexander Graham Bell, American inventor
-
Rumblr33 Member Posts: 99
This is interesting in that the college was so candid about paying the ransom and the process it is taking to restore the servers. There is no doubt in my mind they will be targeted again, and this time with a malware package that will include some type of data exfiltration. I do not agree with paying the ransom, as most have stated; this is like negotiating with terrorists. Even if they did negotiate, Hollywood Presbyterian settled for less than the requested ransom, so why couldn't the community college? $28,000 seems steep to me, but I don't know how valuable their data is.
-
jcundiff Member Posts: 486
And they wonder why ransomware is a billion dollar industry (2016 estimated numbers). Colleges are easy hanging fruit since they are typically behind even the healthcare industry when it comes to security... Back your sh1t up! Basic security hygiene... a well-defined backup program would have prevented this... at least Hunter91 will know why tuition takes a hike next semester :O
"Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
-
TechGromit Member Posts: 2,156
Rumblr33 wrote: »Even if they did negotiate, Hollywood Presbyterian settled for less than the requested ransom, so why couldn't the community college? $28,000 seems steep to me, but I don't know how valuable their data is.
Who knows, maybe 28k is the negotiated rate. It also depends on how they got hit by ransomware, whether by spam email or a website download; it could be as simple as the average ransom of $300 per computer times the number of computers / servers affected.
Still searching for the corner in a round room.
-
Node Man Member Posts: 668
$28k == poetic justice? Sounds like the amount for a year's tuition.
-
Moldygr33nb3an Member Posts: 241
So many organizations pay the ransom because they fail to maintain their backups properly. I'm actually surprised they delivered the key. It's becoming a steady trend that a lot of these groups aren't delivering the key after payment has been made. I think the reputation has been "good" as far as key delivery, and now others are getting in on it with no intention of providing the decryption key.
Oh boy.
On second thought, maybe they will sink their own "industry." Eventually people and organizations will stop paying the ransom because they know the probability of receiving the key is next to none.
-
Rumblr33 Member Posts: 99
TechGromit wrote: »Who knows, maybe 28k is the negotiated rate. It also depends on how they got hit by ransomware, whether by spam email or a website download; it could be as simple as the average ransom of $300 per computer times the number of computers / servers affected.
This still seems high to me. I also found out they paid the ransom via their cybersecurity insurance, and this leads me to believe there was no negotiation.
https://services.laccd.edu/districtsite/docs/LAVC_Cybersecurity_Event_FAQ_from_President_Endrijonas.pdf
-
TechGromit Member Posts: 2,156
Moldygr33nb3an wrote: »It's becoming a steady trend that a lot of these groups aren't delivering the key after payment has been made.
Shocking, where is the work ethic among thieves? It's almost getting embarrassing getting called a criminal.
Still searching for the corner in a round room.
-
TechGromit Member Posts: 2,156
So the district is advanced enough to have a cybersecurity protocol in place, but no backup strategy? The good news is they do not offer an associate's degree in computer science, because I don't think they are qualified to teach A+ certification night courses. My guess is their backup strategy consisted of disk-to-disk online backups. Convenient, but not the wisest of solutions.
Still searching for the corner in a round room.
-
Qord Member Posts: 632
That sucks, I would not want to be a member of that IT team right now.
Rumblr33 wrote: »This still seems high to me. I also found out they paid the ransom via their cybersecurity insurance, and this leads me to believe there was no negotiation.
https://services.laccd.edu/districtsite/docs/LAVC_Cybersecurity_Event_FAQ_from_President_Endrijonas.pdf
The fact that they say "hundreds of thousands" of files need to be unlocked makes me wonder if backups are not their biggest problem.
Node Man wrote: »$28k == poetic justice? Sounds like the amount for a year's tuition.
Or maybe a disgruntled salary...
-
themanwholaughs Member Posts: 27
Yeah, like people have said before, I don't think the IT team had decent backups. I have decrypted ransomware myself for a family friend, and they didn't have any backups. It's good though that at the time the creators of that ransomware released the master key.
Backups are a good way to stop ransomware, but user education is also the top thing they need. There are ways to stop the ransomware from even running on the servers now, like using software restriction policies or the CryptoLocker Prevention Kit. Keep spam and email filters up to date and always check files for malicious attachments. Software restriction policies make files unable to run from the locations where ransomware normally runs. Countless businesses seem to not really put the effort in to stop ransomware, so they get caught out in the emergency.
-
MAC_Addy Member Posts: 1,740
I'm confused - they received an e-mail stating the files were locked? They didn't notice their files were locked?
2017 Certification Goals: CCNP R/S
-
gespenstern Member Posts: 1,243
TechGromit wrote: »So the district is advanced enough to have a cybersecurity protocol in place, but no backup strategy? The good news is they do not offer an associate's degree in computer science, because I don't think they are qualified to teach A+ certification night courses. My guess is their backup strategy consisted of disk-to-disk online backups. Convenient, but not the wisest of solutions.
You can easily make this solution "ransomware ready". Just make sure to connect a mapped drive before and disconnect it after, if you do it over SMB, and do it under a designated backup account that doesn't have a mailbox and can't click on suspicious attachments, so backups can be read/written only by the backup account and nobody else. If the backup media appears local (SAN, etc.), disable automount for the appropriate drives, start your backup by mounting and finish by unmounting.
I haven't seen any ransomware families that would care about anything besides local drives and network SMB shares. So if your backup is over, let's say, FTP or a proprietary thing -- you are fine. If it runs under a backup account and the copies are restricted for anybody else -- you are fine.
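The "mount before, unmount after, under a dedicated backup account" pattern gespenstern describes, written out as a small POSIX shell job. This is an added example, not code from the thread or from any poster; the share name, mount point, credentials file path and source directory are hypothetical placeholders to adapt. It assumes a Linux backup host with `mount.cifs` and `rsync`, and a credentials file owned by root with mode 0600 holding the backup account's username and password.

```shell
#!/bin/sh
# Added example (not from the thread): attach an SMB share only for the duration of
# the copy, using a dedicated backup account, and always detach it afterwards.
# All names below are hypothetical placeholders.
set -u

SHARE="${SHARE:-//backup-server.example/college-backups}"   # hypothetical share
MOUNT_POINT="${MOUNT_POINT:-/mnt/backup}"                    # nothing else mounts here
CRED_FILE="${CRED_FILE:-/etc/backup/smb-credentials}"        # root-owned, mode 0600:
                                                             #   username=svc-backup
                                                             #   password=...
SOURCE_DIR="${SOURCE_DIR:-/srv/data}"                        # the data being protected

mount_share() {
    # Mount with the backup account's credentials. The share is not in fstab (or is
    # marked noauto), so between runs it is not reachable from this host at all.
    mount -t cifs "$SHARE" "$MOUNT_POINT" \
        -o "credentials=$CRED_FILE,vers=3.0,uid=0,gid=0,file_mode=0600,dir_mode=0700"
}

unmount_share() {
    umount "$MOUNT_POINT"
}

copy_data() {
    # One dated directory per run. Earlier runs are never rewritten by a later one, so
    # an already-encrypted source tree lands in a new directory instead of overwriting
    # the last good copy (the share ACLs on the server must still limit writes to the
    # backup account only).
    rsync -a "$SOURCE_DIR/" "$MOUNT_POINT/$(date +%F)/"
}

run_backup() {
    mount_share || { echo "backup: mount failed" >&2; return 1; }
    rc=0
    copy_data || rc=$?          # remember the copy result, but do not stop here
    unmount_share || { echo "backup: unmount failed" >&2; return 2; }
    return "$rc"                # report the copy result only after the share is gone
}

# Run only when explicitly asked, e.g. from cron:
#   RUN_BACKUP_NOW=1 /usr/local/sbin/backup.sh
if [ "${RUN_BACKUP_NOW:-0}" = "1" ]; then
    run_backup
fi
```

The point of the structure is that `unmount_share` runs whether or not the copy succeeded, so a failed rsync never leaves the share attached for the next piece of malware to find; a non-zero exit from the copy is still passed back to cron so it can be alerted on.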