In 2016, the University of Calgary paid $20,000 to ransomware hackers and Ryerson suffered two ransomware attacks. Ryerson didn’t have to pay the hackers any money, but the school may not be as lucky in the future.
Brian Lesser, Ryerson’s chief information officer (CIO), submitted a report at the Jan. 31 Board of Governors (BoG) meeting suggesting that Ryerson needs to increase its cybersecurity budget to improve protection from increasingly malicious hackers and malware, the term used to describe malicious software.
Lesser said, “Cyber threats are escalating regularly. It’s not like all of a sudden on May 29, when Calgary got hit, ransomware was invented and now we’re all very afraid. It’s been a gradual evolution. But it’s getting worse and worse, and as a result we’re working harder on it. That they (the University of Calgary) actually had to pay the ransom was a surprise. In retrospect I understand why, but it’s gradually changing.”
In 2016, Ryerson suffered two separate ransomware attacks. Both involved administrators clicking on attachments in phishing emails. “It happened twice, and their computers were encrypted so those machines were hacked,” said Lesser. He explained that when a ransomware virus is opened, it encrypts (or locks) the computer so the user can’t access any files. Either the user has to submit to the hacker and give them what they want (generally money or information), or figure out how to unlock the files, otherwise known as decryption.
In the first ransomware case, “it was a prof who was waiting for a delivery and opened a FedEx attachment. Fortunately, the kind of encryption used in that case, there was a known hack for it. So we were able to take files before and after it happened and we were able to generate the key from that and decrypt it. So we got all his stuff back.”
The second attack wasn’t devastating either, Lesser continued. “It was somebody working in an admin department and they had 99 per cent of their stuff on a shared drive where it’s backed up. So they really weren’t at that much risk for ransomware, apart from the hassle that follows.” Though he is unsure if all files in both attacks have been fully recovered months later, Lesser is thankful that the two individuals who suffered the attacks didn’t give the hackers access to sensitive files.
Lesser said there are some nightmare scenarios where the end result would be much more serious. “The worst-case scenario there is they get almost complete access to everything and just suck the information out and you discover it two years later. Another one would be the ransomware attack scenario, where you get thousands of machines potentially that are useless, and you lose some data that’s not backed up and you spend weeks recovering and re-imaging the machines.”
Jaclyn Tansil/Ryersonian Staff
In his BoG report, Lesser said that in a six-day period, there are 1,032,608 attempts on average to guess the passwords of Ryerson accounts. He said 94 per cent of those attempts are coming from outside Canada. “Now you know 94 per cent of our users are not outside Canada. And the passwords were being guessed at a rate no human being could type.” Ryerson’s firewall blocks about two-thirds of the guesses. “But ultimately if someone gets lucky and guesses right, they get access to your account.”
Over one million password attempts may seem like a lot. But before Ryerson strengthened its firewall in 2014, there were over 3.6 million password attempts on average over a six-day period, according to Lesser’s report. As well, in 2014, there were over 1,000 hijacked Ryerson accounts. With the stronger firewall in place, that figure dropped to 345 in 2016.
“Every hijacked account, there’s hundreds in a year, those are hacks. Somebody has gotten access to someone’s account,” explained Lesser. “It used to be if I could take over an account and send some free spam, I was doing well. Now, a cyber-criminal goes, ‘if I can send out some spam and make money that’s great, but if I can also harvest what’s in your inbox and steal some stuff from you that’s even better.’”
For instance, if you have credit card and banking information in your inbox, hackers can use it; and it only gets more serious from there. “On top of that, ‘if I can install ransomware and extort money from you then that’s great,’ and it just goes on and on. So the software that they have is getting more capable in terms of these multi-dimensional attacks they can launch to make money.”
So what is Ryerson doing to prevent hacking and malware attacks from getting even more serious? Lesser said a two-factor authentication option was added to my.ryerson accounts, and he highly recommends that students enable it. When it is turned on, a secondary page requests a code to access your account once the correct username and password are entered.
To protect yourself from hacking, “two-factor authentication is probably the single biggest thing you can do, other than making sure your anti-virus software is working,” said Lesser. “If you go to the [Computing and Communications Services] site, you’ll see an IT security [option] and absolutely turn on two-factor authentication. Just take your time, make sure you get it right.”
In addition, he recommended avoiding peer-to-peer file sharing (like downloading torrented movies) and ignoring links from unrecognized email addresses. “Sometimes you’ll get a FedEx invoice in your inbox. Rather than click on it just go to FedEx.com and see if there’s something legit you have to respond to.”
Ryerson president Mohamed Lachemi said, “I can guarantee that cybersecurity is an ongoing priority for us. We have to look at it in a holistic approach. Yeah you have to make sure that there are resources available but then you would also have to make sure that you also have systems in place, like communication outreach. It is important for us to explain to minimize the effect and educate people.”
Lesser agreed that the leaders of Ryerson have supported his team’s efforts, but said the budget for cybersecurity should be increased as the potential for hacking and devastating malware attacks increases. He said, “Be afraid. Be very afraid.”