06-09-2016, 09:37 AM
|
#41
|
CP Gamemaster
Join Date: Feb 2010
Location: The Gary
|
Quote:
Originally Posted by Hack&Lube
Since when are Waves Coffee or Cafe Blanca dodgy? (Both have Bitcoin ATMs). Also, Canada's biggest online Bitcoin exchange was started in Calgary 5 years ago (bought out now by a bigger company called Kraken but still in operation). In case anybody needs Bitcoins, those are places you can go.
|
They went the Hollywood route and met someone wearing a trenchcoat in a random café at 11 PM?
|
|
|
06-09-2016, 11:44 AM
|
#42
|
Atomic Nerd
Join Date: Jul 2004
Location: Calgary
|
Quote:
Originally Posted by Mazrim
They went the Hollywood route and met someone wearing a trenchcoat in a random café at 11 PM?
|
"Pssst, you wanna buy some Bitcoins?"
My guess is the IT guy was exaggerating or didn't know what he was doing.
|
|
|
06-09-2016, 12:00 PM
|
#43
|
Dances with Wolves
Join Date: Jun 2006
Location: Section 304
|
If you have a website at all, you might as well use this as an excuse to take a moment to review your backup strategy. If this happened to you right now, what would you do? That even goes beyond your corporate website... might as well factor in your phone and home computers.
We used to offer backup services to our clients when we built them sites, but we found out that of the ones who decided to do it themselves, not a single one did any backups or updates. We pretty much had to make it a mandatory part of our projects just to save them from themselves.
|
|
|
06-09-2016, 10:57 PM
|
#44
|
Franchise Player
Join Date: Dec 2003
Location: Sunshine Coast
|
There are anti-ransom wares out there. I can't say how effective they are but I installed Bitdefender Anti-ransomware.
https://labs.bitdefender.com/2016/03...cine-released/
|
|
|
|
|
06-10-2016, 11:22 AM
|
#45
|
GOAT!
|
Quote:
Originally Posted by jammies
I remember doing a project for the U of C around 2005 and the guy I was working with told me he had recently discovered a server in a closet that was connected to their network but nobody could tell him what it did or who put it there. It was covered in dust and had obviously been there for years undisturbed. He wasn't allowed to take it down or disconnect because they were afraid it did something important.
|
It was probably an old Linux box that was running the key card server or something like that. You can just bury those things in a corner somewhere and never touch it again for a decade. Everyone uses the web interface to manage the cards and door access, etc., and they all just assume it's running off the DC or whatever, but nope. It's that old, brown piece of plastic sitting in the bottom of a closet covered in dust balls and spiderwebs that no one wants to touch.
|
|
|
|
|
06-10-2016, 12:00 PM
|
#46
|
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl
|
Quote:
Originally Posted by ZedMan
There is no 'IT' faculty. There's Computer Science and those guys are probably closer to mathematicians than IT admins.
|
The CPSC faculty manages its own IT resources (mostly) independently of the UCIT system. The guys who admin it are likely the most competent on the campus at doing this kind of thing. That doesn't mean they are perfect, mind you.
The reason they paid out was that it was faster to do that than recover backups for everything. IIRC their backup jobs run pretty much constantly and it would take forever to do a recovery of that size.
That said, it was almost certainly not Cryptolocker or TeslaCrypt, but was more than likely Locky.
The people who are running Locky are targeting businesses who they figure *must* pay or their business will lose more money due to the downtime. Can you imagine the chaos and money loss at the university if even just a handful of profs or a single department lost a day or 2 worth of data? You could be talking about results of projects that spanned many months and hundreds of man-hours. There was a big hospital in California a few months ago that paid an equivalent sum.
This isn't about the IT department being incompetent, and anyone who has ever dealt with this can tell you that even if you take every precaution, some idiot user will click on that email attachment or enable the macro in Word and you are pooched.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
|
|
|
|
|
06-10-2016, 12:05 PM
|
#47
|
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl
|
Quote:
Originally Posted by Russic
If you have a website at all, you might as well use this as an excuse to take a moment to review your backup strategy. If this happened to you right now, what would you do? That even goes beyond your corporate website... might as well factor in your phone and home computers.
|
I don't have time to look it up now, but I am certain there are Locky variants for Android in the wild.
Quote:
Originally Posted by Vulcan
|
I use this on my personal machine, but it is a PITA to deploy to a company without going to every machine. I am actually involved in determining the best way to use this or a similar method for vaccinating our clients to Locky. Would welcome input if you know a way.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
|
|
|
06-10-2016, 12:21 PM
|
#48
|
Franchise Player
|
And from what I heard, they hit them right at convocation. The University needed the student data ASAP.
|
|
|
06-10-2016, 12:55 PM
|
#49
|
Franchise Player
Join Date: Dec 2003
Location: Sunshine Coast
|
Quote:
Originally Posted by Rathji
I don't have time to look it up now, but I am certain there are Locky variants for Android in the wild.
I use this on my personal machine, but it is a PITA to deploy to a company without going to every machine. I am actually involved in determining the best way to use this or a similar method for vaccinating our clients to Locky. Would welcome input if you know a way.
|
All I know, which is very little, I got from reading this page.
http://askbobrankin.com/locked_the_l...ansomware.html
|
|
|
|
|
06-14-2016, 04:11 PM
|
#50
|
Franchise Player
Join Date: Jul 2009
Location: Red Deer
|
Congratulations to my alma mater...they made a Cracked article:
http://www.cracked.com/article_24160...ow-614_p2.html
__________________
"It's a great day for hockey."
-'Badger' Bob Johnson (1931-1991)
"I see as much misery out of them moving to justify theirselves as them that set out to do harm."
-Dr. Amos "Doc" Cochran
|
|
|
06-14-2016, 04:21 PM
|
#51
|
Franchise Player
Join Date: Mar 2007
Location: Income Tax Central
|
Quote:
Originally Posted by Yamer
|
We're # 1 7! We're # 1 7!
__________________
The Beatings Shall Continue Until Morale Improves!
This Post Has Been Distilled for the Eradication of Seemingly Incurable Sadness.
The World Ends when you're dead. Until then, you've got more punishment in store. - Flames Fans
If you thought this season would have a happy ending, you haven't been paying attention.
|
|
|
06-15-2016, 12:50 PM
|
#52
|
Franchise Player
|
Cracked is basically BuzzFeed now
__________________
Quote:
Originally Posted by MisterJoji
Johnny eats garbage and isn’t 100% committed.
|
|
|
|
06-16-2016, 04:06 PM
|
#53
|
Franchise Player
Join Date: Jul 2009
Location: Red Deer
|
Quote:
Originally Posted by nik-
Cracked is basically BuzzFeed now
|
Apart from their weekly "The Most Insane Things...", how so?
__________________
"It's a great day for hockey."
-'Badger' Bob Johnson (1931-1991)
"I see as much misery out of them moving to justify theirselves as them that set out to do harm."
-Dr. Amos "Doc" Cochran
|
|
|
06-17-2016, 03:26 PM
|
#54
|
Franchise Player
Join Date: Jul 2009
Location: Red Deer
|
And it has just hit Red Deer College. We received a notification about 15 minutes ago and we are completely locked. It's the weekend for me, but the students here are heading into spring term exams on Monday with no access to the system.
__________________
"It's a great day for hockey."
-'Badger' Bob Johnson (1931-1991)
"I see as much misery out of them moving to justify theirselves as them that set out to do harm."
-Dr. Amos "Doc" Cochran
|
|
|
06-17-2016, 08:45 PM
|
#55
|
Had an idea!
|
Is there no endpoint security on these networks? Cisco AMP or similar service?
|
|
|
06-20-2016, 04:43 PM
|
#56
|
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl
|
Quote:
Originally Posted by Azure
Is there no endpoint security on these networks? Cisco AMP or similar service?
|
At UofC, almost all profs have local admin rights on their PC. At that point, almost no malware protection in the world will stop a dedicated attacker using a 0-day or similar exploit. Keep in mind these are targeted attacks, not just people clicking on random links or spam email attachments.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
|
|
|
06-20-2016, 05:31 PM
|
#57
|
Had an idea!
|
How does that lead to the entire network being shut down? Local admin rights shouldn't give them access to everything else, should it?
|
|
|
06-20-2016, 09:14 PM
|
#58
|
Franchise Player
Join Date: Feb 2007
Location: A small painted room
|
Quote:
Originally Posted by Yamer
And it has just hit Red Deer College. We received a notification about 15 minutes ago and we are completely locked. It's the weekend for me, but the students here are heading into spring term exams on Monday with no access to the system.
|
Yikes
|
|
|
06-21-2016, 08:50 AM
|
#59
|
Dances with Wolves
Join Date: Jun 2006
Location: Section 304
|
Quote:
Originally Posted by Yamer
And it has just hit Red Deer College. We received a notification about 15 minutes ago and we are completely locked. It's the weekend for me, but the students here are heading into spring term exams on Monday with no access to the system.
|
Whatever happened with this?
|
|
|
06-21-2016, 09:53 AM
|
#60
|
Crash and Bang Winger
|
I wonder what professor clicked on the phishing email to get this started. My guess is someone in Liberal Arts or Geology.
Off-site backup via HP/Iron Mountain, Veeam, etc. will protect you. There will be some downtime as restores take time, but no reason to pay these Russian/Chinese peeps.
|
|
|
|
|
|
All times are GMT -6.
|
|