Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

06-21-2016, 10:20 AM #61
Fuzz (Franchise Player; Join Date: Mar 2015; Location: Pickle Jar Lake)

And how much time/money/lost productivity is spent during the down time? I think the thieves and the institutions do the calculations, and often it makes a lot more sense to just pay.
06-21-2016, 11:57 AM #62
Yamer (Franchise Player; Join Date: Jul 2009; Location: Red Deer)

Quote (Originally Posted by Russic):
Whatever happened with this?

Our computer systems were unlocked at approximately 2:30 p.m. yesterday afternoon.

The official story is that an employee attempted to download and open an infected image file. They originally called it ransomware in the warning on Friday, then a virus on Sunday. Maybe it's the same thing in official lingo, but I'm not so sure.

They could be covering for PR reasons, but the official story is that they shut everything down before it could spread, quarantined it, and after scanning have restored all systems.

The College IT department has been on high alert concerning attacks for about 3 months, so this wasn't a huge surprise.
06-21-2016, 03:54 PM #63
Hack&Lube (Atomic Nerd; Join Date: Jul 2004; Location: Calgary)

Quote (Originally Posted by Rathji):
UofC almost all profs have local admin rights on their PC. At that point, almost no malware protection in the world will stop a dedicated attacker using a 0-day, or similar exploit. Keep in mind these are targeted attacks, not just people clicking on random links or spam email attachments.

Local admin rights should not lead to full access rights to all network shares. Furthermore, there are anti-ransomware measures that can detect the process of files being encrypted and cut off access. You are right that a lot of these guys have figured out they can charge a certain price point where it's cheaper in terms of time and money for a business or institution to pay versus trying to restore and fix systems the legitimate way.

Last edited by Hack&Lube; 06-21-2016 at 03:57 PM.
06-21-2016, 08:53 PM #64
Azure (Had an idea!; Join Date: Oct 2005)

Go watch the OpenDNS Umbrella videos about how they deal with ransomware at the DNS level. 9/10 of the most popular ransomwares apparently do the encryption handshake at the DNS level, and OpenDNS customers are claiming they stop all ransomware incidents simply by implementing a service that costs around $20/year/user.

What does Cisco AMP cost?
06-22-2016, 01:35 PM #65
Hack&Lube (Atomic Nerd; Join Date: Jul 2004; Location: Calgary)

Quote (Originally Posted by Azure):
Go watch the OpenDNS Umbrella videos about how they deal with ransomware at the DNS level. 9/10 of the most popular ransomwares apparently do the encryption handshake at the DNS level, and OpenDNS customers are claiming they stop all ransomware incidents simply by implementing a service that costs around $20/year/user.

What does Cisco AMP cost?

For up to 1000 users, the cost is about $12 per user per year (list price) when I got a quote in 2014. Organizations typically get up to a 50% discount off list so it's only about $5. Of course you might have to buy the entire email security appliance as well for $10,000.
06-22-2016, 02:29 PM #66
Rathji (Franchise Player; Join Date: Nov 2006; Location: Supporting Urban Sprawl)

Quote (Originally Posted by Hack&Lube):
Local admin rights should not lead to full access rights to all network shares. Furthermore, there are anti-ransomware measures that can detect the process of files being encrypted and cut off access. You are right that a lot of these guys have figured out they can charge a certain price point where it's cheaper in terms of time and money for a business or institution to pay versus trying to restore and fix systems the legitimate way.

Thought I responded to this on my phone, but I guess it didn't get submitted.

Should not, but could if the machine has domain trust. There are many known methods of escalating local admin rights on a domain joined machine to domain rights.

You can't compare this attack to any previous click-an-attachment-encrypt-my-documents ransomware attack that just hits Word docs and spreadsheets; this encrypted their "entire exchange server", which I am guessing means the database, but of course they have not released details. Off-the-shelf protections are likely of very limited use, even if they use a heuristic analysis to stop file encryption.

This is a targeted and likely customized attack using what is likely zero-day or otherwise unreported exploits to gain access. You cannot stop a dedicated attacker from obtaining access to your network, but you can try and make it hard enough to make it not worth it.

That's where the UofC failed in this case, and it cost them $20k.
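
Added example, not code from anyone in this thread: a sketch of the "detect the process of files being encrypted and cut off access" heuristic Hack&Lube describes in #63, and that Rathji above doubts would help against a targeted attack. It assumes a file-write feed (user, process, path, bytes written) already exists, e.g. from an endpoint agent; the thresholds, process names and events are constructed for illustration.

```python
import math
from collections import defaultdict

# Thresholds are illustrative assumptions, not any vendor's settings.
ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext sits near 8.0, documents far lower
BURST_FILES = 5          # distinct files rewritten with ciphertext-like content...
BURST_WINDOW = 10.0      # ...within this many seconds by one (user, process)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_encryption_bursts(events):
    """events: iterable of (timestamp, user, process, path, written_bytes),
    assumed to come from a file-system filter driver or audit log.
    Returns [(user, process, timestamp)] at which that pair should be cut off."""
    recent = defaultdict(list)  # (user, process) -> [(timestamp, path)] of high-entropy writes
    flagged, alerts = set(), []
    for ts, user, proc, path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) < ENTROPY_THRESHOLD:
            continue  # plain documents never reach the threshold
        key = (user, proc)
        window = [(t, p) for t, p in recent[key] if ts - t <= BURST_WINDOW]
        window.append((ts, path))
        recent[key] = window
        # One archive or photo is a false positive; many distinct files rewritten
        # within seconds is the encryption loop the thread is talking about.
        if key not in flagged and len({p for _, p in window}) >= BURST_FILES:
            flagged.add(key)
            alerts.append((user, proc, ts))
    return alerts

def sample_events():
    """Constructed sample: one normal edit, one legitimate archive write,
    then a loop rewriting six documents with ciphertext-like content."""
    text = b"Quarterly budget notes, draft 3.\n" * 40  # low entropy
    cipher = bytes(range(256)) * 4                     # stand-in for ciphertext, 8.0 bits/byte
    events = [(0.0, "alice", "winword.exe", "docs/budget.docx", text),
              (50.0, "alice", "7z.exe", "docs/backup.7z", cipher)]
    for i in range(6):  # "unknown.exe" is a constructed name, not a real indicator
        events.append((100.0 + i, "bob", "unknown.exe", f"docs/report{i}.docx", cipher))
    return events
```

Running `find_encryption_bursts(sample_events())` flags ("bob", "unknown.exe") at the fifth distinct rewrite, while alice's single archive write is left alone; a real deployment would act on the alert by revoking the share session or killing the process.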
06-22-2016, 02:32 PM #67
Hack&Lube (Atomic Nerd; Join Date: Jul 2004; Location: Calgary)

Quote (Originally Posted by Rathji):
Thought I responded to this on my phone, but I guess it didn't get submitted.

Should not, but could if the machine has domain trust. There are many known methods of escalating local admin rights on a domain joined machine to domain rights.

You can't compare this attack to any previous click-an-attachment-encrypt-my-documents ransomware attack that just hits Word docs and spreadsheets; this encrypted their "entire exchange server", which I am guessing means the database, but of course they have not released details. Off-the-shelf protections are likely of very limited use, even if they use a heuristic analysis to stop file encryption.

This is a targeted and likely customized attack using what is likely zero-day or otherwise unreported exploits to gain access. You cannot stop a dedicated attacker from obtaining access to your network, but you can try and make it hard enough to make it not worth it.

That's where the UofC failed in this case, and it cost them $20k.

I think it's more of a question of people facepalming that a local user on a workstation (as the ransomware vector is through the permissions of the user who clicked on the attachment) has permissions to make file-level changes on an Exchange mailbox server or infect the whole database availability group. That should never be possible.
06-22-2016, 03:01 PM #68
Rathji (Franchise Player; Join Date: Nov 2006; Location: Supporting Urban Sprawl)

Quote (Originally Posted by Hack&Lube):
I think it's more of a question of people facepalming that a local user on a workstation (as the ransomware vector is through the permissions of the user who clicked on the attachment) has permissions to make file-level changes on an Exchange mailbox server or infect the whole database availability group. That should never be possible.

I don't think you understand.

If you have local admin rights on a domain joined PC, you can escalate those to domain rights with the proper exploits. I guess it shouldn't be possible because we should patch all those exploits or make sure that our policies and configurations don't allow them to succeed, but it can happen.

You are also assuming that this was a 'click-attachment' type of attack. They have not said it was, afaik, and assuming that this method was used for such a targeted attack is probably not safe.
All times are GMT -6.
