Their budget was probably limited due to the other issues. However, backups are cheap and some solutions are even free. I worked for a charity at one point with a ridiculous budget, but we never missed a backup.
Ransomware the final nail in coffin for small university
A December attack against a long-standing US college has pushed the institution to permanently close. After 157 years, Lincoln College, the rural Illinois university with an average of 1,100 students, is shutting its doors following years of rapid decline triggered by COVID-19 and compounded by the ransomware attack. The …
COMMENTS
-
-
Thursday 12th May 2022 15:18 GMT usbac
I'm sure "lack of budget" was the excuse for not having any backups. The real reason was most likely "I just can't be arsed to do it".
As the OP said, there are ways to do basic backups very cheaply if someone is interested in trying...
If they could afford to pay the ransom, they could have afforded decent backups. These days, $100K will buy a lot of backups! I back up critical data to Amazon Glacier, and my AWS bill is $0.30 per month!
-
Thursday 12th May 2022 16:05 GMT Version 1.0
Making Backups is a good safety procedure but when Malware invades an institution and gets everywhere then it's a hell of a lot of work to eliminate it and clean absolutely everything before you can start restoring the backed up data. If you are a University then you are a huge collection of different data environments so maybe the data is "safe" but it's going to be months before you can restore everything ... and that's months of being unable to be a University so I understand their response, I don't think they had a choice.
-
Friday 13th May 2022 14:17 GMT John Brown (no body)
"If you are a University then you are a huge collection of different data environments"
Or, in this case, a small college calling itself a university and a student count about the size of an average UK secondary school. Having worked with quite a number of UK secondary schools over the years, they all have backup systems in place of one sort or another.
-
Saturday 14th May 2022 06:14 GMT MachDiamond
"If you are a University then you are a huge collection of different data environments"
.... and should know that it's a really bad idea to tie all of those environments together in a way that one vulnerability takes the whole castle down. If the attack hit just the fund raising data system, it shouldn't be hard to purge and restore. Tedious and time consuming, of course, but achievable.
-
-
Friday 13th May 2022 08:45 GMT big_D
It isn't just a case of no backups, a lot of malware groups know about backups and they infiltrate the backup infrastructure as well, corrupting/stopping the backups, while the systems still report that the backups worked.
Even if you are making daily backups, if you aren't regularly checking their validity, you can't be certain you have a backup.
Also, how long were they in the system, before striking? Restore your systems, and they go down again, because it was in the backup somewhere.
The only safe way is to re-build from fresh media (preferably on fresh hardware, especially disks, but firmware on motherboards can also be compromised), configure and then restore critical data quickly, but not OS or application executables. Then run a thorough check of everything that has been rebuilt and restored, to ensure no known instances of malware are lurking, then bring the systems back online.
Then you can work through restoring the non-critical data in a slow and safe manner.
But, how far back must you go? Days? Weeks? Months? If they have been in your systems for months, restoring from yesterday's or last Friday's backups possibly isn't going to help much - depending on how the malware spreads and whether it slowly encrypts non-critical data, for example, before hitting current data and causing everything to go down. That is assuming your backups aren't compromised.
Without knowing the specifics, you can't just say, they couldn't be bothered with backups...
-
-
Thursday 12th May 2022 16:26 GMT rnturn
Re: Having backups
How far back does an organization have backups? The school could have been infected with the malware long ago and it was only recently activated. What if all your backups contain the malware?
(Full disclosure: I know a faculty member of the school who recently retired from teaching. Not sure as to his reasons and whether the discovery of the malware and the ransom played a part in his decision to leave but interesting timing on his part.)
-
Thursday 12th May 2022 17:21 GMT doublelayer
Re: Having backups
That is a risk, but there are methods to disinfect the backups before restoring them. It doesn't guarantee success, but it's still more likely to work than paying for decryption. This works better when the encrypter in use has been analyzed and can be detected on a filesystem.
-
-
Friday 13th May 2022 18:51 GMT doublelayer
Re: Having backups
True, but in order to have usable backups, you have to test them. You should also have cold backups that are kept offline. If you did either of these, the chances are good that you can use them with some work. If you did both of these, you probably have functional backups in that case. You can't encrypt a backup after it's been written to a tape and is sitting on a shelf, and if you encrypted it before it was written, a test will demonstrate this.
-
-
-
Thursday 12th May 2022 18:09 GMT usbac
Re: Having backups
When recovering from a malware infection, you NEVER restore any executable files. You reload from known good sources, and then restore the data from copies of your backups (after they have been scanned for malware). Your "original" backups should never be placed online for restoration.
Yes, I know that reloading everything takes time. But, if you have a proper disaster recovery plan, you have full documentation of all of your configurations as well as copies of all software that needs to be reloaded.
This university should have been able to restore at least their basic admin systems within a few days.
Paying the ransom only funds more cyber-crime, and needs to be stopped. As long as organizations can just pay the ransom, and go on about their business, this will never stop.
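Added example, not part of any comment in this thread: a Python sketch of the test-restore check the comments above argue for. It compares a restored tree with a hash manifest recorded at backup time, flags plain-data files that look like ciphertext even when their hash matches, and sets executables aside for reinstallation from known-good media. The file names, the extension list and the 7.5 bits-per-byte threshold are assumptions, and the sample data is constructed.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

EXEC_MAGIC = (b"MZ", b"\x7fELF")               # PE and ELF headers: reinstall these, never restore them
PLAIN_EXT = (".csv", ".txt", ".sql", ".json")  # assumed list of types that should never look random
ENTROPY_LIMIT = 7.5                            # bits per byte; assumed cut-off for "looks like ciphertext"


def entropy(data):
    """Shannon entropy in bits per byte (0 = constant, 8 = uniformly random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def check_restore(root, manifest):
    """Classify each file of a test restore under root against {relative path: sha256}."""
    report = {"ok": [], "missing": [], "changed": [], "ciphertext": [], "executable": []}
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
            continue
        with open(path, "rb") as f:
            data = f.read()  # fine for a sample; stream large files in chunks
        if data.startswith(EXEC_MAGIC):
            report["executable"].append(rel)
        elif rel.endswith(PLAIN_EXT) and entropy(data[:65536]) > ENTROPY_LIMIT:
            # The hash can still match if the job faithfully copied an already-encrypted file.
            report["ciphertext"].append(rel)
        elif hashlib.sha256(data).hexdigest() != expected:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Constructed sample: one intact file, one encrypted before backup, one altered, one lost, one binary."""
    scrambled = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # stand-in for ciphertext
    source = {
        "finance/ledger.csv": b"date,amount\n2022-05-01,120.00\n" * 40,
        "finance/donors.csv": scrambled,
        "admissions/notes.txt": b"Spring intake projections\n" * 20,
        "registrar/grades.sql": b"INSERT INTO grades VALUES (1, 'A');\n" * 30,
        "tools/setup.exe": b"MZ" + bytes(200),
    }
    manifest = {rel: hashlib.sha256(body).hexdigest() for rel, body in source.items()}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in source.items():
            if rel == "registrar/grades.sql":
                continue                      # never made it into the backup set
            if rel == "admissions/notes.txt":
                body = body[:100]             # truncated on the backup medium
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(body)
        return check_restore(root, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:11} {files}")
```

The hash comparison alone passes `finance/donors.csv`, because the manifest was computed from a file that was already scrambled; only the content check on the restored copy catches it.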
-
Thursday 12th May 2022 19:45 GMT Stuart Castle
Re: Having backups
Re: "Paying the ransom only funds more cyber-crime, and needs to be stopped. As long as organizations can just pay the ransom, and go on about their business, this will never stop."
I always wonder why people suddenly trust the people who've just broken in to your systems and encrypted part (or all) of them. Or those who created the software they used.
They care little enough about you, your situation and data that they are willing to break the law to stop you accessing it. They aren't suddenly going to worry about being less than honest when it comes to helping you afterward.
Still, when you are a system admin looking at having lost all your company's data and have no other way out, it's probably easy to hope they are being honest.
-
-
-
-
-
Thursday 12th May 2022 15:28 GMT Anonymous Coward
Re: Reading a bit further they didn't seem to get a lot of financial support
To keep a small institution like that going you've got to have a unique selling point - ultra selective intake for some specialty (music, medicine etc) or social group (that has either wealthy students or wealthy donors to keep it afloat). It looked to me that they suspected the writing was on the wall before the pandemic, the loss of students because of the pandemic was what finished them off, and the only effect of the ransomware was that they didn't get the business plan bad news sooner. Probably the only salvation would have been a merger with (takeover by) some other Uni, I guess there was no obliging party.
-
-
Thursday 12th May 2022 15:13 GMT Anonymous Coward
Universities seem to be common targets/victims of ransomware and probably for similar reasons. They are all generally early adopters of computers, but often form a poorly managed setup due to the "herding cats" problem of academics with organically grown 1001 unusual computer needs, and the usual problem of limited budgets for actual IT professionals to support it. With both staff and students having internal access it is very easy for malware to get in, and usually the Windows-basis for most stuff and poor network segmentation makes it pretty easy to get around once your phisherman had done their job.
Sad to see any institution go, but I guess this one must have been on its way down and out long before the attack.
-
Thursday 12th May 2022 17:39 GMT VoiceOfTruth
-> the Windows-basis for most stuff and poor network segmentation makes it pretty easy to get around once your phisherman had done their job.
I'm going to stick my oar in here. If you look at the history of some of these universities (not this one in particular), they used to have a lot of in-house experience and knowledge. Using Carnegie Mellon and Cyrus IMAP or Cambridge and Exim as a couple of examples, what did they do? They farmed it out to Microsoft. Whether the staff left or went on to other things is not the point. They basically threw that expertise away. They have become buyers-in of technology, not much different in many respects to home users. The knowledge in-house to say 'wait a minute, that is not a good idea' has gone. And it shows.
-
-
Thursday 12th May 2022 21:48 GMT doublelayer
A lot of universities that came early to computing knew a lot about administration because they couldn't buy in management of all the equipment. This is why most universities I know about have two essentially disconnected networks: the main one with all the university web apps, campus workstations, and student emails, and the one run by the computer science department, which does all the same things but only for those students and occasionally other important systems. For example, I've seen where the CS admins maintain the HPC systems, even though it's mostly the other sciences using it. There are a few exceptions where, when the universities needed administration, they expanded what they already had, but most appear to have taken a more basic approach.
-
-
-
-
-
-
Thursday 12th May 2022 17:29 GMT oiseau
Re: could I be hearing Queen singing?
... if you didn't have to have a truck load of cash to go to one ...
Actually, if college education and student loan corporations were not such solidly established businesses in the US.
Because ...
God Almighty forbid that college education were to become a right and/or subsidised by the federal government.
ie: instead of dealing out tax cuts for billionaires and financial bail-outs from the FED for investment banks who gamble with other people's money and end up losing it all, only to end up giving out millions in premiums to the greedy assholes who caused the mayhem.
Just a thought.
O.
-
Friday 13th May 2022 07:31 GMT To Mars in Man Bras!
Re: could I be hearing Queen singing?
Come to the UK. Since Higher Education became a commodity here, you can get a government loan to go to university. And the admission standards are so low --to keep the punters coming-- that you can pretty much get in just by being able to spell your own name.
-
Monday 16th May 2022 13:01 GMT Cliffwilliams44
Re: could I be hearing Queen singing?
It's not about "keeping the poor people down"! The university system in America has become a massive gravy train for the Privileged Academia! Every time the government creates another grant or loan program the cost of education goes up! Add to that we've had 40 years of this "everyone needs to go to college" nonsense in the US coupled with a deliberate decline in the quality of public education. A high school diploma is worthless in the US. We have eliminated all trade training in high schools. Causing this training to be moved to expensive secondary trade schools that 60% of them are crap scam schools.
The push to get every child into college has resulted in 30% of students dropping out and many of them with debt they have no degree to earn money to pay it back. This isn't some "evil rich corporation not paying their fair share" problem. It is a deliberate policy of the left that funnels money into one of their biggest constituencies and saddles vulnerable people with crushing debt.
-
-
-
-
-
Thursday 12th May 2022 22:15 GMT doublelayer
Re: Just saying
This page indicates no CVEs for Z/os. It doesn't indicate that Z/os doesn't have security issues. If it didn't, there would be little use for the portal IBM has for announcing them:
IBM Z offers a Security Portal that allows clients to stay informed about patch data, associated Common Vulnerability Scoring System (CVSS) ratings for new APARs and Security Notices to address highly publicized security concerns.
It's possible that IBM doesn't particularly want the publicity of announcing detected vulnerabilities. I cannot see anything important on this portal because I am not a registered customer.
In addition, a CVE is not needed for ransomware to work. I can log into an account to which I have access and run a program to encrypt stuff. The only vulnerability involved is whatever gave me access to that account, which could be in the user who gave out the credentials, the authentication mechanism that was easier to crack, or the administration process that made obtaining privileges simpler. So if your implication was that this couldn't happen if they used Z/os, you're wrong. It couldn't happen in exactly the way it did as the attackers probably weren't trying for it, but it would have been possible.
-
-
Thursday 12th May 2022 22:04 GMT Marty McFly
Deflecting blame
Ransomware makes a convenient scapegoat for the continual mismanagement of higher education. Tuition, room, board was running well over $27k/year at Lincoln. The college offered degrees like "Bachelor of Arts in Jazz Studies". Just what is a graduate going to do with that degree to pay back over $100k in college debt?
Modern colleges & universities have become a debt-fueled 4-year perpetual party to fill the gap between leaving home and needing to become responsible for oneself. And once that responsibility hits it is quickly followed by the realization that Jazz Studies wasn't such a good investment. Graduates can only move south to New Orleans and get a job telling people that 'Grande' means 'Large' while moonlighting with a microphone at a bar a mile from Bourbon street.
That is where the college failed. Students got smart. They realized the debt + a Bravo Sierra degree got them nowhere.
(Full disclosure. I graduated some decades ago from a different upper-Midwest small college, and with a more traditional degree. I am sad to watch my alma mater making the same stupid mistakes, blind to the real world outside their campus.)
-
Wednesday 25th May 2022 08:06 GMT Grinning Bandicoot
Re: Deflecting blame
You've closely nailed it in describing it as fraud. Way back when digital meant abacus the loan for R&B plus training were called indentures but were not as onerous. Kid hears that a real talent exists in ceramics - "Go to school -- Get a degree". So the poor snook applies at a college financing the whole thing and in four years and some months has a BFA in one hand and the other a request to establish a repayment plan for the four years. Meanwhile back in the old neighbor his pal goes over to the Mason's Union gets an apprenticeship works his hinny off and at the four is a journeyman making 5 or six times what our BFA will be making for the next few years and without that stinking Albatross of debt about the neck.
A part that missed was about the conservative planner who saved and planned, tracked trends. In other words had a business plan for education. Goes to school and the school raises its fees (and finds a few new ones), texts costs are raised and otherwise manipulated because the most students on loans never see the bill like the planner. The planner who the sort needed is stuck with surrender (get a loan), quit (leave school and toil with the rest of us awhile looking back) or fight on while sinking.
Along come the POLITICOs. The same ones that created the loan programs who now nod in a sagacious manner and Vote for me and I fix this mess created by __________. It is not your fault (that you did listen to the words of repayment). Vote for me and I will pass legislation saying your degree must be recognized. BUT MOST IMPORTANTLY VOTE FOR ME
As I was declawing this I wondered what school T. A Edison or George Westinghouse attended?
-
-
Friday 13th May 2022 09:01 GMT quadibloc2
The Real Problem
The real problem is that it was possible for the ransomware to operate on the institution's computers.
It should not have been possible for any unauthorized programs to install themselves without seeking permission from the user.
Why isn't Windows secure? That is the question we should be asking.
The last time anyone lost data due to ransomware, a hundred years from now, should be a hundred years ago, so that it will be understandable people don't bother making backups for that reason. (They should still make backups for other reasons, like computers being destroyed in a fire or struck by lightning.)
-
Friday 13th May 2022 18:57 GMT doublelayer
Re: The Real Problem
You have two problems, both large.
"Why isn't Windows secure? That is the question we should be asking."
Why do you assume it's Windows? You can run programs on everything else as well. Those programs can read, write, and delete files which is all you need for ransomware.
"It should not have been possible for any unauthorized programs to install themselves without seeking permission from the user."
Why do you assume it did? Maybe it got permission from a user who didn't understand what it was. This is quite frequently the mode of initial infection. Alternatively, it could exploit a hole left by a user, such as an open SSH or RDP port with insecure authentication. Do you assume that every infection requires an OS vulnerability to succeed? That happens, certainly, but it's far from the majority.
-
Monday 16th May 2022 13:16 GMT Cliffwilliams44
Re: The Real Problem
The real problem is not Windows! It's the humans looking out the windows.
In many of these instances it is either that 1 person or persons has access to ALL the organization's data. It is most often someone who absolutely should not! Some executive level person who only has that access "because they be impotent!" Or it is that inter-computer security is lax or broken. Once after a merger it was discovered that the company we merged with had a Group Policy that made Domain Users administrators of EVERY computer. When I said "This must end" I got an argument that I didn't understand that there are applications that cannot work without Administrator rights. To which I called BS on that and even if you need it you make the USER administrator, NOT EVERYONE!
It's not just having backups. It's a complete security posture. But if you don't secure your biggest risk, YOUR PEOPLE, then you have no security at all!
-
-
Friday 13th May 2022 09:31 GMT Pascal Monett
"Was the university doing all it could to secure its systems and users?"
Probably not.
I doubt that most Universities have the competent people on the payroll to effectively manage the complexities of such a specific environment. I have not had much dealings with Universities, but every time I have, it was always ad-hoc solutions implemented because they allowed things to work. Security ? The best case answer was "we're talking about reviewing things in the budget meetings, but for the moment, we don't have the money".
One down, plenty more to go.
-
Saturday 14th May 2022 06:23 GMT MachDiamond
I really love dead trees
I learned my lesson about backups ages ago. All my important data is backed up in a few different ways and none of them via somebody else's system. For things like accounting, I print a session report each day when I close down the software. If I had to, and I did once, I could re-enter all of that data by hand from when my last back up was if I needed to. Important data also gets written to two separate internal drives which is a reason I like computers with room for that. Bugger the all-in-ones with space for one drive. It just means another box for more external drives and another few cables under the desk magnetizing my man parts.
Paper is a good backup for some things like accounting. Some of us old folks still see the value in paper checks.
-
Monday 16th May 2022 13:20 GMT Cliffwilliams44
Re: I really love dead trees
"Some of us old folks still see the value in paper checks."
All the information a criminal needs to steal all your money is on a paper check.
Routing number and account number! The most dangerous thing you can do is send a check through the mail or give one to someone you don't absolutely trust!
-