The University of Calgary in Canada paid almost $16,000 ($20,000 Canadian) to retrieve the files that were stolen and held for ransom by hackers for over a week. Luckily, the bad guys cooperated and gave the university the decryption key to unlock the files (which hasn’t been the case for all ransomware victims). The university does not know whether the attacker was one person or a group, or whether it was local or international, but it does believe the source was outside the university.
After paying the ransom, the university's IT staff was able to isolate the ransomware and restore affected portions of the network. But they still have a long way to go.
The university released a statement regarding the attack and said, “The actual process of decryption is time-consuming and must be performed with care. It is important to note that decryption keys do not automatically restore all systems or guarantee the recovery of all data. A great deal of work is still required by IT to ensure all affected systems are operational again, and this process will take time.”
The idea of paying the ransom is controversial. On one hand, the affected organization needs its files back; on the other hand, paying the ransom will allow hackers to further their activities and give new hackers more incentive to start. The University of Calgary knew it had to pay the ransom because it couldn’t risk losing crucial data.
Linda Dalgetty, the university's Vice President of Finance and Services, said, “We are a research institution. We are conducting world class research daily and we don’t know what we don’t know in terms of who’s been impacted and the last thing we want to do is lose someone’s life’s work.”
The attack took down the university’s email, Skype, wireless network, and other services. Users of university computers were advised to leave them turned off for the time being. In all, more than 100 computers were affected by the ransomware, according to the Calgary Herald.
Kathy McDonald, a security specialist and former Calgary police officer, told the Calgary Herald that it came as no surprise that an institution like this became the victim of ransomware. She believes the attack originally came in from a spear-phishing campaign.
“Typically, the attack comes through a phishing email targeted generally at a privileged employee that looks like it’s from somebody important. And once it’s in, it holds your system for ransom,” she said.
She added that hackers will do a lot of research before they make their attack by using social media, particularly LinkedIn, to find out information about employees. She said that LinkedIn is a “treasure trove of information about an organization.”
McDonald said that no organization, big or small, is immune to such attacks, which is why backups, network security, and user education are incredibly important.