Another Canadian uni hit by ransomware, students told to keep Windows PCs away

Carleton University in Ontario, Canada, has confirmed it has been hit by a ransomware infection that crippled some of the Windows machines on its main campus. Systems at the university started to go down on Tuesday, and its IT department reported that email, network drives and the central university student portal had all …

  1. GrapeBunch

    Carleton University. I visited in 1984, so this must be my fault. It had what you'd expect for a University in the cold cold Capital of Canada: (underground) tunnels connecting the buildings and strong departments of Journalism and Political Science.

  2. a_yank_lurker Silver badge

    Silver Lining?

    The last two highly publicized ransomware attacks appeared to have failed because the victims had robust backup programs. Two organizations (non-IT) who seem to have a competent staff reported the worst they faced was some aggravation but no major harm.

  3. Anonymous Coward

    Mitigation

    Good that they can recover from backups, but better if you can prevent scumware from afflicting you in the first place.

    We were hit once. No real damage but we had to re-image one PC and pull back a few files from shadow copies. About 30 minutes to recover. However, this was annoying enough to push us to look at ways to mitigate attacks. Analysis showed that the user had opened a link in an email that had bypassed our web and AV filters. To counter this we changed the firewall to only allow downloads from websites that have been categorised by the firewall vendor.

    Next layer of defence was to implement AppLocker policies to prevent unknown executables from running from suspicious locations such as user profiles.

    Finally, we implemented FSRM to look for known crypto malware files being written to file servers. If they are detected, alerts are generated and share permissions are set to read only. Since implementing this and trying to keep our file screen up to date with new variants, I have found this site that keeps a comprehensive list of files to add to your file screen. https://fsrm.experiant.ca/

    If all else fails, we have shadow copies, offsite delayed replicas and 2 independent backup solutions to tape and disk.

    Of course there are never any guarantees, but since doing this we have had no further incidents.
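The FSRM layer the commenter describes (detect known crypto-malware file names being written to a file server, raise an alert, and drop share permissions to read only), as an added PowerShell example that is not the commenter's own script. The screened folder C:\Shares\Data, the script location C:\FsrmScripts\Respond-Ransomware.ps1 and the two include patterns are placeholders I made up; the real pattern list comes from the fsrm.experiant.ca site linked above.

```powershell
# Added example, not the commenter's code. Save as C:\FsrmScripts\Respond-Ransomware.ps1
# and run once as administrator on a file server with the FSRM role installed.
# Placeholders (not from the page): C:\Shares\Data, the script path, and the patterns.
param([switch]$Respond, [string]$Owner, [string]$ScreenPath)

if ($Respond) {
    # Responder mode: FSRM launches this when a screened file is written.
    # Deny the offending account and make every share under the screened path read-only.
    foreach ($share in Get-SmbShare | Where-Object { $_.Path -like "$ScreenPath*" }) {
        if ($Owner) { Block-SmbShareAccess -Name $share.Name -AccountName $Owner -Force }
        Get-SmbShareAccess -Name $share.Name |
          Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' } |
          ForEach-Object {
              # Replace each Change/Full allow entry with a Read-only entry for the same account
              Revoke-SmbShareAccess -Name $share.Name -AccountName $_.AccountName -Force
              Grant-SmbShareAccess  -Name $share.Name -AccountName $_.AccountName -AccessRight Read -Force
          }
    }
    return
}

# Install mode: file group of known ransomware artifacts, two notifications, active screen.
Import-Module FileServerResourceManager
$group = 'Ransomware Artifacts'
# Constructed placeholder patterns; load the maintained list from fsrm.experiant.ca instead.
New-FsrmFileGroup -Name $group -IncludePattern @('*.EXAMPLE-RANSOM-EXT', 'EXAMPLE-DECRYPT-NOTE.txt')

# Alert: an event-log warning carrying FSRM's built-in substitution variables
$alert = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware pattern written by [Source Io Owner]: [Source File Path] (group [Violated File Group])'

# Response: re-run this script in responder mode as LocalSystem, at most once a minute
$lock = New-FsrmAction -Type Command -SecurityLevel LocalSystem -RunLimitInterval 1 `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters ('-NoProfile -ExecutionPolicy Bypass -File C:\FsrmScripts\Respond-Ransomware.ps1 ' +
                        '-Respond -Owner "[Source Io Owner]" -ScreenPath "[File Screen Path]"')

# -Active makes the screen block the write itself rather than only reporting it
New-FsrmFileScreen -Path 'C:\Shares\Data' -IncludeGroup $group -Active -Notification @($alert, $lock)
```

Restoring Change/Full access after the incident is a manual step; the responder deliberately only removes rights.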

    1. frank ly Silver badge

      Re: Mitigation

      "... opened a link in an email that had bypassed our web and AV filters."

      Did the attackers get lucky, were they very clever or did that imply knowledge of your web and AV filters?

      1. Anonymous Coward

        Re: Mitigation

        They got lucky. It was a phish email with a link to the malware payload. As there was no attachment the AV didn't pick it up and it got through the antispam filter.

        It was a convincing looking fake Aus Post mail that went to a user in the goods receivable department.

        1. bombastic bob Silver badge

          Re: Mitigation

          "went to a user in the goods receivable department."

          even RSA got 'hacked' in a similar way, when an attachment with a payload was apparently opened [in 'virus outbreak' aka MS Outlook] by a low-level accountant that was "on the network".

          general e-mail rules to avoid this:

          a) *NEVER* preview in HTML

          b) *NEVER* even VIEW in HTML

          c) *NEVER* allow 'inline whatever' to be previewed (or even VIEWED) in an e-mail

          d) *NEVER* click on a link in an e-mail. *NEVER*. [I've received fake 'unsubscribe this' links in legit-looking bulk mail that appears as if I were maliciously subscribed against my will, most recently to 'wired', which I forwarded to their abuse department instead - had I clicked, who knows what would've happened!]

          HTML mail is *EVIL* and should be avoided. Doesn't matter how many cat-pic chain mails get forwarded that way. If you must see it, save the attachments, scan them, THEN view them.

          This level of security requires strict I.T. policies *AND* compliance. However, if you can actually *GET* users to comply, it will save your ass at some point.

    2. Walter Bishop Silver badge

      Re: Mitigation

      What's it cost in staff overtime to implement all these attack mitigations?

      ubuntu.com

      1. Anonymous Coward

        Re: Mitigation

        Eh? Doesn't need overtime. Just needs some GPOs for the AppLocker and installing and configuring the FSRM role on the file servers. That's the joy of AD, you can centrally manage almost anything with policies.

        By linking to Ubuntu I assume that you are implying that we should rip out all our Microsoft infrastructure and replace it with Linux? Not really practical when we have multiple SQL servers, an Exchange infrastructure, numerous application servers and a farm of Citrix RDS hosts running a large number of applications with no non-Windows alternative.

        Assuming I could find Linux based replacements for everything we run, I think that the amount of overtime required to replace everything would be a tad more than was required to put in the mentioned mitigations.

        Personally, I am completely OS agnostic. I have used numerous flavours of xnix going back to SCO UnixWare. I do run some Linux servers. I just use whichever OS is suitable for the job.

        I do despair when we constantly get people who run the odd Linux box or two and think that you can rip out a mature enterprise infrastructure and replace it with Linux. These are tools to do a job, not a religion.

        You are a very silly man. Go away.

        1. Walter Bishop Silver badge

          Re: Mitigation

          "I do despair when we constantly get people who run the odd Linux box or two and think that you can rip out a mature enterprise infrastructure and replace it with Linux."

          It's understandable why you would want to remain anonymous.

          1. Anonymous Coward

            Re: Mitigation

            No great mystery as to why I post anon.

            My employment contract has a clause which stipulates I must not post anything damaging to the company or clients on social media or any other website.

            I don't think I ever post anything negative, but to avoid any issues I just choose to always post anonymously when mentioning anything to do with work.

            What is your excuse for being an idiot?

            1. Walter Bishop Silver badge

              Re: Mitigation

              "What is your excuse for being an idiot?"

              I'm not an idiot, I'm posting under the same name so that people can judge my postings by the precedent.

  4. Barry Rueger Silver badge

    Cartoon U

    Ahem. Cartoon U is not really in the same league as say Oxford or Harvard. I am not remotely surprised.

    FWIW, we once bought a group of PCs from their computer services department when I worked there.

    One by one they all died, first with smoke, then with showers of sparks like roman candles out of the back of the power supplies.

    Stuck with Dell after that.

    1. danR2

      Re: Cartoon U

      Honestly, there are very few universities in Harvard or Oxford's league, certainly not Canadian ones. Carleton is third tier (200-500 rank, depending on source); expect a good education, but not any IT whizbangery.

  5. Destroy All Monsters Silver badge

    Don't give me the US-centric pap of "encouraging"

    Such a craven display may have encouraged today's attack.

    More likely a spray-and-pray attack and someone clicking on something.

    No encouragement needed, just Windows.

    1. Seajay#

      Re: Don't give me the US-centric pap of "encouraging"

      Maybe it didn't encourage a targeted attack on other Canadian universities but it certainly encourages more malware writing in general.

      I'm not sure how that's US centric?

  6. Anonymous Coward

    Windows FAIL

    That's what universities get for running Windows networks for the most dangerous, seediest users of all, students.

    Morans.

    Then again, Linux these days... better go back to pen & paper. PCs should not be a requirement for courses where they're not strictly necessary, and where they are, you can generally get a better education from Youtube.

    1. Stevie Silver badge

      Re: you can generally get a better education from Youtube.

      If you are willing to spend three times the time necessary and can listen to the stupid music, incessant "um, ah, um" instead of lucid recitation, and ad-hoc backtracking to cover forgotten precursor information or alternative approaches without hitting first CTRL-C and then the bottle.

      And that's before we get into the camera technique that has hands, heads and bodies blocking whatever it is the blithering drooler on screen is exhorting us to watch closely.

      I never saw an "educational" YouTube video that couldn't be improved by deleting it. GIMP and Blender bring out the cream of the crop of dithering blither, but don't take my word for it. Grab some strong drink and go on a voyage of discovery.

      The best YouTube footage comes from Russian dashcams. At least there the inevitable wreckage flying all over the place belongs to someone else.

  7. Anonymous Coward

    Backup to the Cloud

    "Our entire organization is backed-up to the Cloud!"

    *wanders by IT desk, notices an old Gateway labelled "The Cloud"*

    "Surely there's nothing of concern here."

  8. Spaceman Spiff

    Just say no!

    This is one of the many reasons why I refuse to use Windows systems, as does my wife. We are both computer professionals. She is an iGear user. I am a Linux/Android user. No Windows gear in our house!

    1. Anonymous Coward

      Re: Just say no!

      Good for you. Give yourself a big pat on the back and a gold star.

      However, nobody is talking about your house. The article is referring to a large network of machines, which are probably required to run software that is only available on Windows.

Biting the hand that feeds IT © 1998–2019