This post has been updated from a previous version to include comment from Brian Lesser, chief information officer at Ryerson.
By Sylvia Lorico
Students were informed on Monday by Ryerson’s Computing and Communication Services (CCS) about a ransomware attack last month on a university computer.
On April 5, a Ryerson employee was sent an email claiming it contained a failed delivery notice from FedEx and included a link to an attachment. After the employee downloaded it, ransomware was installed on the employee’s computer.
Ransomware is a harmful type of software that is downloaded onto a device. Once it’s downloaded, the software encrypts files on the device, preventing a user from accessing them unless a ransom is paid.
Brian Lesser, chief information officer at Ryerson, said ransomware infections are dangerous because they can also extract usernames and passwords and install more malware on the device.
“There’s no guarantee if you pay the ransom that you’re getting your files back,” he said. “There’s also no guarantee that malware still isn’t on your machine.”
CCS investigating the incident
According to Lesser, investigations into the attack were launched immediately following detection. However, Lesser said the investigation took a month because there were two computers in the same office and both appeared to be infected.
“If it’s on two machines in the same office on the same day, that’s red flag alarm time,” he said. “You want to go running and figure out, ‘Do we have a larger exposure than just one problem?’”
It was determined that only one computer was infected and the two users of the computers were looking at the same shared files that had been infected.
Lesser said the warning email was sent after the month-long investigation because the case was an isolated incident and CCS wanted to be thorough before sending out a warning.
“We didn’t see any evidence this was spreading, we didn’t see any evidence that this was an ongoing campaign. So, in that case, when we’re not seeing that this is an urgent case, we can take our time and make sure we get the story right,” he said.
“If it’s just one infection on one machine should we really be telling the whole world about it, like to 40,000 students?”
CCS, which reported that the ransom was not paid and files on the employee’s computer were recovered, advised students to be cautious of links and to ensure files are backed up regularly on an external drive. It also advised keeping antivirus software up to date and making sure the antivirus software scans all email attachments.
Ryerson staff hacked in previous incidents
This is not the first case of ransomware infecting a computer at Ryerson. The Eyeopener previously reported two separate incidents occurring in 2016.
The first incident occurred last July. A professor was waiting for a shipment and received a fake FedEx email with a ransomware attachment.
In both previous cases, the computers were decrypted and no ransom was paid.
Lesser emphasized the importance of training to spot suspicious emails. In the April 5 case, he said the employee was not trained in how to spot ransomware or other malicious emails.
But suspicious emails are difficult to spot. Emails designed to deceive users contain very subtle differences and are almost identical to an authentic email.
When Lesser read the phoney email, he said it was “what you would expect to get from FedEx.”
“It had no grammatical errors, they took the time to target an individual and it all looked legitimate,” he said.
He also attributed the problem to the behaviour of users online.
“People are not always skeptical of what they’re reading,” he said, “Sometimes people just go, ‘Oh OK, click, click, click.’ They’re not really thinking and they’re in automatic mode and software encourages that.”
University of Calgary paid ransom for encrypted systems
Last July, the University of Calgary paid $20,000 following a ransomware attack on their computers. The attack came the night before the Congress of the Humanities and Social Sciences at the university.
The April 5 ransomware attack came a month prior to Congress 2017 at Ryerson, which begins in late May.
Lesser said he didn’t think the attack had any connection to this year’s Congress. He said that hackers will strategically choose when to encrypt files if ransomware is installed on computers and that the incident in Calgary was likely a result of this thinking.
“Their thinking is, ‘When am I going to throw the switch? Well if this conference is just starting this might be the best time,’” he said.
He said that ransomware and other malicious attacks are constant, so it is unlikely that the goal of this incident was to encrypt files during the event at Ryerson.
But Lesser said there can be high and low points in attacks. Attackers will often re-write attack kits and then use those kits to attack multiple institutions, including universities.
When asked if CCS would pay a ransom if they were unable to decrypt a computer, Lesser said he could not promise it would never happen, but said Ryerson would work “very hard not to.”
“The last thing we want to do is encourage people to make money with ransomware,” he said.
What Ryerson is doing to improve online security
There are plans to increase training and online security at Ryerson. Lesser said that in the fall there would be plans to expand current training on phishing emails. The Eyeopener reported that fake phishing emails were sent in October and November to about 1,600 employees. If employees fell for the emails, they were directed to a page on how to detect phishing.
The plan is to expand the campaign to all employees as well as students.
“That’s probably the most effective strategy,” Lesser said, “People actually get it. They get to see people who we can trick.”
CCS has also scheduled cyber security awareness training for employees at this month’s university IT conference. They also will upgrade their antivirus systems on all Ryerson computers.
“With security, attack is easy, defence is hard,” he said, “We are continuing to upgrade the game.”