http://www.cbc.ca/news/canada/calgar...tack-1.3620979
http://www.cbc.ca/news/canada/calgar...tack-1.3646120
Nasty stuff, worked all weekend to scan servers and bring back VDI. Surprised U of C don't have backups.
Do you know why they don't use backups, or were they affected as well?
This is old news. They have backups, but considering the data, they chose to pay the ransom anyway to make sure everything was decrypted.
Originally posted by adam c
They have backups but considering the data they chose to pay the ransom anyways to make sure everything was decrypted
The only scenario where this is true is if they consider paying $20K for the key cheaper than a restore process (which could happen with either a) union/staff overtime wages or b) outsource contract charges billed separately for restores).
I really wish to learn what really happened to UC in this incident. But I am betting on some users using local PSTs that aren't backed up.
Last edited by Xtrema; 06-23-2016 at 01:49 PM.
I found an article somewhere else online that went into a bit more detail about it:
http://www.scientificamerican.com/ar...-universities/
Would BitLocker encryption help in either of these situations? I know that U of C does not have BitLocker encryption protection yet. Oh, and at the U of C people's networked drives are also online as public shares, or at least some of them are. I think it used to be the case for all IT staff, but now it is restricted and you have to request it.
Originally posted by nzwasp
Would bitlocker encryption help in either of these situations, I know that U of C do not have bitlocker encryption protection yet. Oh and at the U of C peoples networked drives are also online as public shares, or atleast some of them are, I think it used to be the case for all IT staff but now is restricted and you have to request it.
BitLocker will only safeguard against physical theft, not ransomware.
Say AHS has patient data exported to a laptop; that laptop had better have BitLocker on so the data can't be retrieved unless someone can actually log into that laptop.
The ransomware encrypted the UofC's email datastores. For those of you who know nothing about Exchange, you can't just encrypt the mail stores from a client machine unless they had directly mapped the mail stores (which is beyond idiotic).
What happened was the attackers either gained access directly to one of the mailbox servers or some idiot IT guy initiated the ransomware encryption on the mail server directly.
Newer versions of Exchange use database availability groups that spread the "load" of mail data across multiple servers, and the system is designed so that if one of the databases dies then mail can be restored from other databases.
Either they aren't up to date or their IT department is a bunch of retards.
Also, the ransomware will encrypt all mapped drives that the end user has write permissions on. Make sure your organization has granular folder-level permissions.
Last edited by SmAcKpOo; 06-23-2016 at 04:08 PM.
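The point above about ransomware reaching every mapped drive the user can write to, turned into a check. This is an added example, not code from the thread or from the U of C: it lists the network drives mapped in the current user's session and flags those whose NTFS ACL on the share root grants that user write access, which is exactly the set a ransomware process running as that user could encrypt. It assumes Windows PowerShell 5.1 or later on a domain-joined host with NTFS-backed SMB shares; the function name Test-WriteAccess and the write mask are my own choices.

```powershell
# Added example, not from the original thread. Lists the network drives mapped for the
# current user and flags those where the NTFS ACL on the share root grants that user
# write access, i.e. the drives a ransomware process running as this user could encrypt.
# Assumes Windows PowerShell 5.1+ on a domain-joined host and NTFS-backed SMB shares.
# Share-level permissions (Get-SmbShareAccess on the file server) are not evaluated here.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# SIDs of the user and of every group in the logon token, for matching ACE principals.
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Any ACE carrying these bits lets the holder create or overwrite files.
# Modify and FullControl include WriteData, so they are matched as well.
$writeMask = [System.Security.AccessControl.FileSystemRights] 'WriteData, AppendData'

function Test-WriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $allowed = $false
    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # principal cannot be resolved (e.g. orphaned SID); skip it
        }
        if ($tokenSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
        # Simplification: any matching Deny wins. Real evaluation is order-dependent
        # (explicit ACEs before inherited ones), so treat the result as an approximation.
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

# Mapped drives are the FileSystem PSDrives whose DisplayRoot is a UNC path.
Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.DisplayRoot -like '\\*' } |
    ForEach-Object {
        [pscustomobject]@{
            Drive    = "$($_.Name):"
            Share    = $_.DisplayRoot
            Writable = Test-WriteAccess -Path "$($_.Name):\"
        }
    } |
    Format-Table -AutoSize
```

Run it in the ordinary user's own, non-elevated session: an elevated token carries different groups and would report a different set of writable shares. A drive that comes back Writable but only needs to be read (a departmental archive, a software repository) is a candidate for tightening to read-only, which is the granular-permissions advice above in practice.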
My IT contact there said they were right in the middle of a migration to Office 365, and backups hadn't been set up yet on the new system. It couldn't have happened at a worse time. 9000 accounts had to be rebuilt, and IT staff were sleeping on cots in hallways as they were working 24 hrs.
Originally posted by SmAcKpOo
Also, the ransomware will encrypt all mapped drives that the end user has write permissions on. Make sure your organization has granular folder level permissions.
Already seen it. Nasty shit. I can understand general users fell for it, but an IT guy and Exchange admin to boot?
Originally posted by Swank
MY IT contact there said they were right in the middle of a migration to office 365, backups hadn't been set up yet on the new system. It couldn't have happened at a worse time. 9000 accounts had to be rebuilt, IT staff was sleeping on cots in hallways as they were working 24 hrs.
So this hit new servers (I assume Exchange 2013 Hybrid with Office 365)?
It's my understanding that it hit both new and old servers; Lync also got slaughtered. I'm not very familiar with Lync, but I assume it ties in tightly with Exchange, which would explain it going down with the ship.
With all the brains they have at that place, could they not have prevented it? Or did they simply not care?
Like I said man, bad IT.
I've never seen a nastier infection than Cryptolocker. I mean, even with the worst infection before it, you could resort to slaving the drive and getting the data.
Infected customers inevitably ask me 2 questions when they get infected:
1) How did I get infected if I have an antivirus?
Short non-polite answer is, "Because antivirus programs are basically snake oil". These antivirus programs simply can't cope with the amount of new variants being produced on a daily basis.
2) Why isn't this being stopped?
Short non-polite (but kind of) answer is, "The internet is global, and we have no jurisdiction in China, Russia, and India".
NA ( the West) is going down, just like every empire does.
With that said, in certain regard to Crypto, there is a trail leading back to the perpetrators. Problem is, there is no desire to pursue such.
Originally posted by Swank
MY IT contact there said they were right in the middle of a migration to office 365
Wow, could the timing be any worse???
Originally posted by thetransporter
with all the brains they have at that place could they of not of prevented it? or simply they just didnt care?
Lol, I don't think you understand the nature of university-level IT.
Most staff were students who worked from help desk level up into the higher positions. Many of them have no IT experience outside of what they know; there is a deeply ingrained logic of "we have never done this any different, so why do we need to change".
Contractors are usually used to bring in that outside experience but rarely have the opportunity to seriously change things unless their recommendations are followed. This is not specific to the U of C; it exists in a lot of tertiary institutions I have worked at.
Originally posted by nzwasp
Lol, I don't think you understand the nature of University level IT.
Most staff were students who worked from help desk level up into the higher positions. Many of them have no IT experience outside of what they know - there is a deep ingrained logic of "we have never done this any different so why do we need to change" mentality.
Contractors are usually used to bring in those outside experiences but rarely have the opportunity to seriously change things unless their recommendations are followed. This is not specific to the u of c, it exists in alot of tertiary institutions I have worked at.
I've worked at the U of C IT department. You have some talented people working there, but it's not completely ridiculous for U of C to be caught in the middle of ransomware.
Originally posted by dandia89
I've worked at the U of C IT department. You have some talented people working there, but it's not completely ridiculous for U of C to be caught in the middle of ransom ware.
I worked there as well. There are some very smart people, and even the people that have worked their whole lives there are very smart, but still...
Ransomware can happen anywhere. I think it's more an education issue for end users at the end of the day.
Originally posted by nzwasp
I worked there as well. There are some very smart people - and even the people that have worked their whole lives there are very smart but still...
Ransomware can happen anywhere, I think its more an education issue for end users at the end of the day.
That's basically what it's ALL about.
But good luck with getting an IT department to prevent "I need my Pogo games" and clicking on everything in sight.
If you're migrating mailboxes without a backup you're doing it wrong. And if those mailboxes contain people's "life's work" then you're really doing it wrong.
Thank god it was just cryptolocker. God forbid a non-recoverable disaster occurred.
If you run or work in an IT department like that, get your shit together. That's sloppy on a whole different level.