Ransomware has been long recognized as a global threat, capable of hitting enterprises and consumers, and the University of Calgary is the latest organization to have fallen victim to this type of cyber-attack.
Today, the university announced that a ransomware attack hit its systems several days ago and that it was forced to give in and pay the demanded $20,000 CAD (around $15,000 USD) ransom to regain access to encrypted files. The university has also contacted authorities to investigate the issue, and says that its IT teams are working on addressing the issue.
Ransomware attacks have been detailed numerous times over the past several months, mainly because of an impressive increase in the number of malware families used and the broad range of targets. A dominating cyber-threat, ransomware provides cybercriminals with the prospect of fast income over small investment. Furthermore, ransomware does not require advanced technical skills to be used, mainly because some employ it as a service.
In a statement published on the university’s website, Linda Dalgetty, Vice-President, Finance and Services, said that the organization decided to pay the ransom as “part of efforts to maintain all options” to resolve the issues affecting its systems. However, she also confirms that it was a ransomware attack, which involves encrypting data on computers and computer networks.
Typically during a ransomware attack, after the data has been encrypted, the malware displays a ransom note that directs users to a payment page. Payments are usually made using crypto currencies, as they provide anonymity, and, as soon as the ransom has been paid, cybercriminals provide victims with keys that can be used to decrypt their files.
Dalgetty notes that the university is in the “process of assessing and evaluating the decryption keys,” but also warns that the “actual process of decryption is time-consuming and must be performed with care.” She explains that “these decryption keys do not automatically restore all systems or guarantee the recovery of all data. A great deal of work is still required by IT to ensure all affected systems are operational again, and this process will take time.”
Although Dalgetty didn’t offer details on the malware that was used in this attack, she did reveal that the incident happened 10 days ago and that the UCalgary IT teams managed to isolate the effects of the attack and to restore some of the systems. On Monday, they restored access to email for faculty and staff, she said, adding that there is no indication that users’ personal data or other university data was released to the public during this attack.
Ransomware usually spreads via spam email campaigns and exploit kits, but there are also families that employ other techniques, such as RDP brute force attacks or removable drives. Cybercriminals were also observed using compromised RDP servers in corporate ransomware attacks, as well as via malicious versions of legitimate applications.