06-08-2016, 10:55 AM
|
#21
|
In the Sin Bin
|
Quote:
Originally Posted by Locke
Don't they teach people to be IT guys? Why don't they have decent IT guys?
|
Those who can, do. Those who can't, teach.
My personal bet is that the U of C was doing backups, but was failing to check integrity on them. They probably learned that said backups were worthless and ended up left with little other choice.
That kind of happened to my employer. We had a backup plan, but it wasn't terribly robust. Shawmageddon took us down for a couple days. We were extremely fortunate that we didn't actually lose data, but it spurred a round of data integrity checking that revealed previously unknown failures. And a major project to improve our processes and systems.
|
|
|
06-08-2016, 10:57 AM
|
#22
|
In the Sin Bin
|
Quote:
Originally Posted by Azure
Is it confirmed to be Cryptolocker? There are newer types of ransomware around as well.
Also, and correct me if I'm wrong, but backups won't help you much if you back up on the same hard drive where the malware is?
|
If your organization is the size of the U of C and you don't have off-site backups, you need to replace your IT management.
|
|
|
06-08-2016, 11:01 AM
|
#23
|
Had an idea!
|
So off-site alone is enough? What about on-site but in a separate NAS box? I just recall reading somewhere that backups alone won't help you if they are either on the same hard drive, or same network maybe?
We do on site, off site and cloud backups. And it really isn't that expensive to do.
|
|
|
06-08-2016, 11:15 AM
|
#24
|
In the Sin Bin
|
As your company already realized, redundancy and separation is the key.
On-site backups exist mostly so IT can get quick access when some idiot in HR deletes a mission critical file yesterday and realizes it today. And you are right. Keeping your backup on the same network as your active files can be disastrous as both active and stored data can get hit.
That's why you need those off-site back-ups that are segregated from your network.
|
|
|
06-08-2016, 11:46 AM
|
#25
|
wins 10 internets
Join Date: Feb 2006
Location: slightly to the left
|
Quote:
Originally Posted by Azure
So off-site alone is enough? What about on-site but in a separate NAS box? I just recall reading somewhere that backups alone won't help you if they are either on the same hard drive, or same network maybe?
We do on site, off site and cloud backups. And it really isn't that expensive to do.
|
We deal with Cryptolocker outbreaks a lot, since my company manages the IT environment for hundreds of smaller businesses. Usually they're easy to deal with, since a standard user opening the email attachment won't have access to anything beyond their local system and whatever network folders they've been assigned. The only way for this type of malware to infect your entire network (including backups) would be for it to run under domain admin credentials, which I've never actually seen.
We've had one client actually have to pay to get their files decrypted, because they had no backup solution whatsoever.
|
|
|
06-08-2016, 01:55 PM
|
#26
|
Had an idea!
|
Our users all have varying levels of access to different folders and servers on our network, but none of them have access to where the on-site backups are stored. I suppose if this virus were to hit their computer, it wouldn't affect the backups because it could not gain access?
That is just the RAID setup on the server. We also have a NAS box setup onsite as well, and nobody at all has access to that except for one user.
The server does hourly backups, the onsite NAS box does daily, the offsite NAS does weekly. We are also in the process of physically duplicating our main DHCP server and putting it offsite, but connected to the same network in case there is a fire and the main server gets damaged.
My biggest concern is having the backups be affected as well.
|
|
|
06-08-2016, 02:01 PM
|
#27
|
Unfrozen Caveman Lawyer
Join Date: Oct 2002
Location: Crowsnest Pass
|
Our office got hit by "Locky" ransomware about 2 months ago. Our most recent backup had failed, so we bit the bullet and paid the $2500 ransom. Kensington Wine Market paid the same ransom (less than us though). The virus was targeted at law and medical offices.
Some hospitals in the US also paid $20K for the key.
Our IT guy had to go to some dodgy cafe to buy bitcoins.
We have better protection now.
|
|
|
06-08-2016, 02:04 PM
|
#28
|
Franchise Player
Join Date: Mar 2007
Location: Income Tax Central
|
Quote:
Originally Posted by troutman
Our office got hit by "Locky" ransomware about 2 months ago. Our most recent backup had failed, so we bit the bullet and paid the $2500 ransom. Kensington Wine Market paid the same ransom (less than us though). The virus was targeted at law and medical offices.
Our IT guy had to go to some dodgy cafe to buy bitcoins.
We have better protection now.
|
I'm sorry to hear that.
Did you guys have to rock, paper, scissors to see who had to go to the dodgy cafe or was IT Buddy nominated because it was his fault?
__________________
The Beatings Shall Continue Until Morale Improves!
This Post Has Been Distilled for the Eradication of Seemingly Incurable Sadness.
The World Ends when you're dead. Until then, you've got more punishment in store. - Flames Fans
If you thought this season would have a happy ending, you haven't been paying attention.
|
|
|
06-08-2016, 02:22 PM
|
#29
|
#1 Goaltender
|
in the past year, the ransomware business has grown tenfold and is now in the hundreds of millions of dollars range. most cases are quietly resolved by payment, which is why we're not buried under a mountain of news stories about it. the trick for hackers is demanding just enough to make a good profit, but still cheaper than spending employee/consultant hours fixing it internally.
expect to continue hearing more and more cases of this going forward. it's very quickly becoming the scourge of the connected world.
|
|
|
06-08-2016, 02:25 PM
|
#30
|
In the Sin Bin
|
We got hit by it last year, but thanks to our Shawmageddon experience, our backup processes are fairly robust. Took about 12 hours to down the file servers that were encrypted, restore from offsite backup, verify and restore access to users. No bitcoins paid.
|
|
|
06-08-2016, 02:30 PM
|
#31
|
Franchise Player
|
Quote:
Originally Posted by Resolute 14
Those who can, do. Those who can't, teach.
My personal bet is that the U of C was doing backups, but was failing to check integrity on them. They probably learned that said backups were worthless and ended up left with little other choice.
That kind of happened to my employer. We had a backup plan, but it wasn't terribly robust. Shawmageddon took us down for a couple days. We were extremely fortunate that we didn't actually lose data, but it spurred a round of data integrity checking that revealed previously unknown failures. And a major project to improve our processes and systems.
|
The IT dept isn't staffed by profs.
|
|
|
06-08-2016, 02:39 PM
|
#32
|
Franchise Player
Join Date: Mar 2007
Location: Income Tax Central
|
Quote:
Originally Posted by peter12
The IT dept isn't staffed by profs.
|
Which...why not? It's not like IT profs need to publish or do research, part of their job could be running the Campus IT.
Balance the budget!
|
|
|
06-08-2016, 03:58 PM
|
#33
|
Scoring Winger
|
There is no 'IT' faculty. There's Computer Science and those guys are probably closer to mathematicians than IT admins.
|
|
|
06-08-2016, 04:02 PM
|
#34
|
Basement Chicken Choker
Join Date: Jan 2007
Location: In a land without pants, or war, or want. But mostly we care about the pants.
|
I remember doing a project for the U of C around 2005 and the guy I was working with told me he had recently discovered a server in a closet that was connected to their network but nobody could tell him what it did or who put it there. It was covered in dust and had obviously been there for years undisturbed. He wasn't allowed to take it down or disconnect because they were afraid it did something important.
__________________
Better educated sadness than oblivious joy.
|
|
|
06-08-2016, 04:29 PM
|
#35
|
In the Sin Bin
|
Quote:
Originally Posted by peter12
The IT dept isn't staffed by profs.
|
joke /jōk/
noun
1. a thing that someone says to cause amusement or laughter, especially a story with a funny punchline.
"she was in a mood to tell jokes"
synonyms: funny story, jest, witticism, quip; More
verb
1. make jokes; talk humorously or flippantly.
"she could laugh and joke with her colleagues"
synonyms: tell jokes, crack jokes; More
|
|
|
06-08-2016, 04:50 PM
|
#36
|
Franchise Player
Join Date: Mar 2015
Location: Pickle Jar Lake
|
Quote:
Originally Posted by jammies
I remember doing a project for the U of C around 2005 and the guy I was working with told me he had recently discovered a server in a closet that was connected to their network but nobody could tell him what it did or who put it there. It was covered in dust and had obviously been there for years undisturbed. He wasn't allowed to take it down or disconnect because they were afraid it did something important.
|
Man, that's like the big red button that says "do not push". You know you shouldn't push it, but damned if it wouldn't be tempting to shut it down just to see what might happen.
|
|
|
06-08-2016, 05:22 PM
|
#37
|
In the Sin Bin
|
^A server like that I would just unplug on the way out the door without telling anyone.
Either nothing happens, and you can take it away next time. Or something happens, and a mystery is solved.
|
|
|
06-09-2016, 08:17 AM
|
#38
|
|
Quote:
Originally Posted by Resolute 14
^A server like that I would just unplug on the way out the door without telling anyone.
Either nothing happens, and you can take it away next time. Or something happens, and a mystery is solved.
|
Yeah but if you unplug it after it running solid for years without issue, you just pray to all the gods that the disks don't seize up when you realize it was important.
It's pretty easy to figure out though. All servers should have VGA and USB ports at the very least. Hook up a monitor and keyboard and blamo, you can see what is on it (assuming you can log into it).
|
|
|
06-09-2016, 09:12 AM
|
#39
|
Atomic Nerd
Join Date: Jul 2004
Location: Calgary
|
Quote:
Originally Posted by troutman
Our IT guy had to go to some dodgy cafe to buy bitcoins.
|
Since when are Waves Coffee or Cafe Blanca dodgy? (Both have Bitcoin ATMs). Also, Canada's biggest online Bitcoin exchange was started in Calgary 5 years ago (bought out now by a bigger company called Kraken but still in operation). In case anybody needs Bitcoins, those are places you can go.
Last edited by Hack&Lube; 06-09-2016 at 09:17 AM.
|
|
|
06-09-2016, 09:13 AM
|
#40
|
Franchise Player
Join Date: Apr 2004
Location: I don't belong here
|
Quote:
Originally Posted by Superflyer
Yeah but if you unplug it after it running solid for years without issue, you just pray to all the gods that the disks don't seize up when you realize it was important.
It's pretty easy to figure out though. All servers should have VGA and USB ports at the very least. Hook up a monitor and keyboard and blamo, you can see what is on it (assuming you can log into it).
|
Don't have to shut it down, just unplug the network cable to determine if it will do anything to your network.
Different story when you want to take it away though.
|
|
|