As if the education industry isn’t dealing with enough issues stemming from COVID-19, the University of Utah revealed that they had recently suffered a serious ransomware attack, costing them over 400K, a ransom paid to prevent student information from being leaked on the dark web. What makes this case unique is that the University of Utah was able to restore their systems from backups, only to find that they were still in deep trouble.
The University of Utah posted a notice on their website stating, "On Sunday, July 19, 2020, computing servers in the University of Utah’s College of Social and Behavioural Science (CSBS) experienced a criminal ransomware attack, which rendered its servers temporarily inaccessible. The university notified appropriate law enforcement entities, and the university’s Information Security Office (ISO) investigated and resolved the incident in consultation with an external firm that specializes in responding to ransomware attacks."
The university took several steps to mitigate the attack, which they shared with readers, saying, "CSBS servers were immediately isolated from the rest of the university and the internet. The university notified appropriate law enforcement entities, and the ISO began actively investigating the matter. An outside consultant with expertise in handling these types of situations was also engaged to support the investigation." The notice goes on to explain, "After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker. This was done as a proactive and preventive step to ensure information was not released on the internet."
The online notice, while extensive, did not identify the type of ransomware. Emsisoft threat analysis consultant Brett Callow told ZDNet that he believes the University of Utah had been targeted by the cyber-criminal gang NetWalker.
Netwalker is thought to have raked in around $29 million since March of 2020, targeting many USA-based Universities among other deep-pocketed targets. Different sources in the cyber-security community confirm that Netwalker (offered as an easy to use Ransomware-as-a-Service or RaaS) is a quality product, utilizing an extensive affiliate network of Russian-speaking operators and utilizing disgruntled employees who can exfiltrate data easily, as a big part of the Netwalker business model is the publication of stolen data. Most interesting is that the members of the affiliate network are banned from attacking any targets in Russia to prevent scrutiny by local law enforcement.
ThreatPost says that NetWalker (originally named "Mailto" based on an extension appended to filenames) has undergone several changes since March 2020, with their ransom request method requiring victims to contact them through email and then the Netwalker Tor interface, which then redirect the victims to a chat where they can pay the ransom.
ZDNet went on to quote Callow saying, "Paying ransoms to prevent data being published seems to make little sense. All what organizations are paying for in this scenario is a pinky promise from a bad faith actor that the stolen data will be destroyed. Whether the groups do ever destroy data is something only they know, but I suspect they do not. Why would they? They may be able to monetize the information at a later data or use it for spear phishing or identity theft."
The United States Federal Bureau of Investigations (FBI) released an alert on July 28, 2020, warning of increased Netwalker attacks on U.S. and foreign government organizations, healthcare, and education sectors. The FBI reminds readers that Netwalker has been "exploiting COVID-19 fears by luring in unsuspecting victims with pandemic related phishing emails." They warn victims to be especially careful, as Netwalker is known to have previously exposed stolen data.
Mr. Callow and the FBI agree, that paying the ransom is not to be encouraged. They urge enterprises to back up their critical data offline, do regular updates and use two-factor authentication, among other suggestions. There is simply no way to roll back the clock on an attack, and as with the University of Utah, even if backups are available, the risk is still very high that data will be released online. The only way to avoid this type of disaster is through the implementation of Cyber Incident Response (IR) services, like those provided by Sangfor Technologies.
Sangfor operates on the premise that taking precautions are always better than attempting to find a cure, and believes that protecting the organization from attack is not the responsibility of only the IT security team, but of everyone in the organization. Sangfor IR services are available in three different tiers, designed to provide the level of protection needed by each individual enterprise and for each individual budget.
Smaller enterprises can choose between the Essential or Standard IR Packages, which provide basic security incident assistance and reports or even further vulnerability assessment and remediation assistance before an attack occurs.
For larger enterprises, Sangfor provides their Premium IR Package designed to go beyond response to prevention. 4 times per year, Sangfor will perform an assessment of your organizations network security and vulnerabilities, providing vulnerability assessment reports and firewall ruleset policy review reports yearly. This service eliminates the need for full-time, highly-paid and underrepresented cyber security professionals and offers much needed proactive protection.
For more information on Sangfor IR Packages and how they can protect your organization from ever growing cyber threat, contact a local Sangfor representative today or visit our website at www.sangfor.com.
If you believe you’ve been attacked by ransomware, it’s not too late. Contact Sangfor today for immediate IR services.
Sangfor Technologies is an APAC-based, global leading vendor of IT infrastructure solutions specializing in Network Security and Cloud Computing. Visit us at www.sangfor.com to learn more about Sangfor’s Security solutions, and let Sangfor make your IT simpler, more secure and valuable.