Skip to main content

The University of Calgary is still cleaning up after hackers extorted $20,000, reports Simona Chiose. It's called ransomware and it's fast becoming a global problem, writes Bertrand Marotte

Paying the $20,000 ransom was the beginning of the end of almost two weeks of a crisis at the University of Calgary's IT department.

But it was not the end. The department is now busy decrypting the files that had been locked in a hostile computer program attack, known as malware. It has also set up booths on campus where staff and faculty can get help resetting passwords for their e-mail and WiFi access – all passwords have been wiped in response to the attack.

So far no one has any answers about how hackers got into the university's computer system 10 days ago and cut off access to services such as e-mail, Skype and wireless access. The school's IT department worked to restore service but when it became clear that it could not do so, it paid the fee demanded by hackers for the encryption keys.

The Calgary Police Service is investigating the case.

What is certain is that unless organizations work to stay a few steps ahead of tomorrow's attack, universities will be hit again.

"I've been sort of waiting for this because universities are notorious for having terrible security," said Gabriella Coleman, an expert on hacker culture and the Wolfe Chair in Scientific and Technological Literacy at McGill University. "It will be interesting to see the effect of this attack – especially if there are a few more attacks – if universities will really start to hire the security teams I think they should," she said.

Other security experts have warned that giving in to the demands of info kidnappers is a risky move that can lead to the payer being identified as a good target.

"There are all sorts of things that should be good best practices. If people are paying this sort of money, it shows they are not implementing them," said Dr. Coleman, who has written two books on hacker culture.

No one from the university was available to talk about the security measures that had been in place. Frequent memos from the school's IT department, however, reveal the daily struggle to resolve the issue that was going on behind the scenes.

Once an infected file is inside the system, the crypto-ransomware connects to an IP address and downloads a public key.
It searches for important file extensions such as .doc, .jpg and .pdf – productivity files that a user normally creates.
The crypto-ransomware generates a key for each file and then encrypts them.

Saturday, May 28, 2016

Bart Beaty's phone rang at 6:30 a.m on that Saturday morning. Dr. Beaty was one of the lead organizers for this year's Congress of the Humanities and Social Sciences, an annual academic conference that brings thousands of professors to the hosting university. This year, it was the University of Calgary's turn – May 28 was the first day of the conference.

"We had to go to registration and see if the computers were working and if 8,000 people could register or not," Dr. Beaty said.

Because the event had been set up on a separate WiFi server, many attendees were not affected. But the Excel sheets organizers had built, with the names of hundreds of volunteers, were stored on the university's computers and had to be recreated by hand.

"People have been working with paper for a long time, so we were able to do that," said Dr. Beaty, also an English professor at the university.

That same morning, the school sent out an e-mail telling staff and faculty that e-mail and many databases were acting up.

Hours later, at 10 p.m. that evening, the IT department admitted that problems were caused by ransomware, a type of malware. Everyone should stop using any computers belonging to the university, it advised.

The crypto-ransomware then writes the encrypted key at the beginning of each file.
The victim receives a message on their screen with instructions on how to pay the ransom, usually in Bitcoin, an anonymous and untraceable digital currency.
The victim purchases Bitcoins (1 Bitcoin is currently worth about $735) and transfers it to the attacker’s Bitcoin address.

May 29

On Sunday night, the university said "teams are continuing to work around the clock." It provided no ETA of when systems would be back up. Meanwhile, the campus was buzzing with the congress attendees and organizers.

"We were using something like 60 walkie-talkies around campus. We always have them," Dr. Beaty said. "In some ways, it was the best week for this to happen. … We weren't scrambling to find new things."

May 30

Posters began to appear on campus asking people not to use computers issued by the university. Updates were pushed out over the school's emergency app.

The victim sends the transfer ID to the attacker as proof of payment.
Once the transaction is complete, the attacker sends the decryption instructions to the victim. It is not unknown for the attacker to instead demand more money. (Source: trendmicro.com Graphics: Trish McAlaster/The Globe and Mail)

May 31

To respond to demands to get some kind of communication tool up and running, the IT department announced that it would create new e-mail accounts hosted outside the university's servers.

The move, however, meant that contacts and calendars could be lost forever. The solution? Printing off the information, Day-timer style.

A few days later, the department managed to restore e-mail access.

June 7

The university announced that it paid the "ransom" in order to ensure access to research data. Worldwide media attention is focused on Calgary as a result.

So far, Calgary Police have not laid any charges in any of the ransomware investigations it has conducted over the past few years, said Detective Ryan Jepson, acting inspector in the technical operations section.

Eight officers are assigned to a cybercrime support team and a new investigation unit will be created this fall, he added. In the Calgary case, the first job will be to figure out where the ransomware was made, something that private software companies can help with.

"It has to be a global effort for cybercrime, because it's global in nature," Det. Jepson said.

What is ransomware?

Ransomware is malware that blocks users from some or all of the data in their systems. The more advanced form of ransomware is known as crypto-ransomware, which encrypts the targeted system or files, allowing the attacker to demand a ransom in exchange for the necessary decrypt key to unlock the data.

How does ransomware get in?

There are a variety of ways in which ransomware can break into an individual's personal computer, mobile phone or other device, or into a company or organization's computer system. Ransomware can infiltrate with the simple click on a link contained in a mass e-mail to employees of a company. In one documented incident, employees received fake invoices from a well-known ride-sharing service suggesting that huge fees were owed. All it took was one click from a panicky staffer to infect the whole system.

If proper firewalls are not in place or the malware is not detected in time, it installs itself and begins encrypting data.

Three years ago, ransomware infected Android mobile devices by posing as an anti-virus program that had discovered "critical threats," according to a report by U.S. cybersecurity think tank Institute for Critical Infrastructure Technology. Victims were coerced into paying for a fake software licence. Another method involved the mimicking of an adult website application; once installed, the app flashed a law-enforcement warning and demanded a $500 (U.S.) fine to unlock the device.

How prevalent is it?

Individuals, companies, public institutions – including hospitals, schools, churches and law enforcement agencies – law firms and financial institutions are increasingly being targeted. Critical services such as fire, police and hospitals make easy targets.

The Institute for Critical Infrastructure Technology report says 2016 is shaping up to be "the year ransomware will wreak havoc on America's critical infrastructure community."

Ransomware is increasingly popular among cyber-attackers because it is a "volume business." It's simple, relatively anonymous and fast. Some people will pay, some will not pay, so what. With a wide enough set of targets, there is enough upside for these types of attack to generate a steady revenue stream," said Brian Contos, vice-president and chief security strategist at Securonix, a security analytics firm.

Recent victims include the University of Calgary, Kansas Heart Hospital in Wichita, Hollywood Presbyterian Medical Center in Los Angeles and MedStar Health in Washington, D.C.

Network service provider Infoblox says there was a 35-fold increase in observations of ransomware-related domains in the first quarter of 2016. The FBI recently disclosed that ransomware victims in the U.S. reported costs of $209-million in the first quarter of 2016, up dramatically from $24-million for all of 2015, according to Infoblox. And that doesn't include all the unreported cases.

Canada last month announced a major co-operative effort with the U.S., Britain, Australia and New Zealand to use their secretive electronic-intelligence-gathering assets to go after cybercriminals. The Canadian Cyber Incident Response Centre (CCIRC) is aware of 1,762 cybersecurity-related incidents last year, including thefts of intellectual property from foreign governments and a significant rise in the use of ransomware.

What can be done to guard against attack?

There is no foolproof way to prevent attack, but measures to minimize the risk include regularly updating anti-attack software and firewalls; backing up files based on the 3-2-1 rule: 3 backup copies located on 2 different platforms with one backup located separately; and ensuring employees know the dangers of potentially disruptive e-mails and hyperlinks.

"Tight security measures, up-to-date software, user best practices and clean, protected backup data" are fundamental, says Infoblox.

What action can be taken in the event of an attack?

Institutions often find they have no choice but to pay the ransom to get their data back. Some companies and organizations have even been stocking up on bitcoins in the event they are targeted and need to pay up.

But some cybersecurity experts and law-enforcement officials say paying the ransom only encourages and emboldens cybercriminals.

Hollywood Presbyterian reportedly tried to thwart its attackers by switching to paper medical records and forms but ended up paying the equivalent of about $17,000 in bitcoins to get its locked systems back up.

In some cases, a one-time payment isn't enough. "Unfortunately, even when organizations have paid up, attackers have been known to ask for more money, said Chris Mayers, chief security architect at Citrix Systems Inc. in London.

With a report from Robert Fife