Officials at the University of Calgary admitted this week that the school recently paid $20,000 CDN to rid its systems of ransomware that hampered productivity for 10 days.
Linda Dalgetty, the school’s VP of Finance and Services, acknowledged via press release on Wednesday that the school paid the ransom, which translates to roughly $15,756 USD, to maintain “all options to address system issues.”
According to the Canadian Broadcasting Corporation, at a press conference on Tuesday she told a crowd the school paid the ransom “because we do world-class research here … and we did not want to be in a position that we had exhausted the option to get people’s potential life work back in the future if they came today and said, ‘I’m encrypted, I can’t get my files.’ We did that solely so we could protect the quality and the nature of the information we generate at the university.”
Dalgetty said that while it did pay the attackers, the school is still in the process of assessing and evaluating decryption keys.
“The actual process of decryption is time-consuming and must be performed with care,” Dalgetty wrote, “It is important to note that decryption keys do not automatically restore all systems or guarantee the recovery of all data.”
It’s unclear exactly what type of ransomware hit the school – it only claimed it was “software intended to damage or disable computers and computer systems.” Regardless, it managed to take some parts of the school’s network offline for 10 straight days. According to Dalgetty, it wasn’t until this past Monday that the University of Calgary’s IT department was first able to “isolate the effects of the attack” and secure access for students and faculty to the university’s email service.
The University of Calgary continues to experience system issues. Download UC emergency app for updates. https://t.co/AcEjZTU6Eo
— U Calgary (@UCalgary) May 30, 2016
There was a point last week where students and staff were encouraged to call or text recipients as only a select number of individuals had access to email.
The school, which counts approximately 20,000 undergraduate students and 5,000 graduate students, said it’s working alongside law enforcement to investigate the attack, as is the protocol in cases like this. Dalgetty said that since it’s an ongoing investigation, the school can’t divulge how it plans to address the attack, nor “how or if decryption keys will be used.”
“A great deal of work is still required by IT to ensure all affected systems are operational again, and this process will take time,” Dalgetty wrote.
The school began experiencing what it called system issues on May 28 and warned students not to use any U. Calgary-issued computers and not to connect classroom computers to the U. Calgary network. The school admitted the next day that malware was the cause of the issue and again stressed not to use any university-issued machines.
According to the CBC, there had previously been a minor data breach at the school but this attack was different because it encrypted the university’s email server.
— U Calgary (@UCalgary) May 30, 2016
Paying the ransom that attackers demand in situations like this is largely discouraged by experts, because it’s not guaranteed victims will receive all of their personal information back, nor is it certain victims won’t be attacked again.
The news comes a few weeks after the FBI issued a warning to businesses, urging them not to pay attackers. Instead companies and organizations alike should back up their data and ensure browsers, operating systems, and third party apps are kept up to date, the agency stressed.
“Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity,” FBI Cyber Division Assistant Director James Trainor said at the time, “And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
Ransomware has been a scourge for companies, but especially hospitals, so far this year. Methodist Hospital, a care facility in Henderson, Ky. was knocked offline for four days in March while Hollywood Presbyterian Medical Center, a hospital in Hollywood, Calif. was crippled in February after attackers demanded a staggering $3M to unlock their records.