Update on Computer Security Alert: Ransomware Attack
05/14/17
Contributed by David Weil
We are providing this update regarding the ransomware attack that has been in the news and is impacting computers around the world.
As of Sunday evening we know of no computers at Ithaca College impacted by this attack, but that could change as people return to work on Monday.
If you have questions or concerns, please contact the DIIS Service Desk: 607-274-1000.
Also, given the media attention to this, a wave of fake email messages may go out over the next few days asking you to do certain things to “protect yourself”. If you have any doubt about the authenticity of a message, please contact our service desk.
WHAT THE MALWARE DOES:
- The malware spreads over the network. If you are on a vulnerable computer (see below), you do NOT have to click on a file or attachment to become infected.
- When a computer becomes infected, the malware starts encrypting files on the computer, and files in any other location that the computer has access to (such as Mentor, a USB drive in the machine, Dropbox, OneDrive, etc.).
- It then displays a message with instructions for sending in a payment of $300 to get the key to decrypt the files.
WHAT MACHINES ARE VULNERABLE:
- It impacts ONLY unpatched Windows-based computers running Windows XP, 7, 8, and 8.1, as well as Windows Server 2003, 2008, and 2012.
- Windows 10 does not have the vulnerability.
- Computers running other operating systems such as Macintosh (MacOS) or Linux are not vulnerable.
- iOS devices (iPads, iPhones) and Android devices are not vulnerable.
- The college's key business systems: Homer, Parnassus, Sakai, WWW, and Advance do NOT run on Windows, and therefore are not vulnerable to this attack.
- However, some files (such as data files or reports) that these systems use are created on Windows computers, and therefore those individual files could become encrypted, but the core systems themselves should not be vulnerable.
- Mentor is a Windows-based system, but it was tested and does not appear vulnerable, although we will be taking additional steps to further protect it.
- However, if a user’s machine is infected and the machine is logged into Mentor, any files that the user has permission for could become encrypted.
- We are reviewing other Windows-based systems such as JudicalAction to assess their vulnerability.
WHAT PROTECTIONS ARE AVAILABLE:
- Microsoft provided a patch in March 2017 that fixed the vulnerability for Windows 7 (the primary Windows operating system used on campus) and Windows 8, as well as the Windows Servers that had the vulnerability.
- As part of our regular updates we pushed that update out to college owned computers shortly after it was made available from Microsoft in March.
- HOWEVER – the computer must be rebooted for the update to complete. If someone has not rebooted or turned off their computer since the update was pushed out in March, the patch may not have been applied, and the machine is therefore still vulnerable. Such machines must be restarted as soon as possible.
- Our servers are backed up on a regular basis. Copies for key systems are stored off campus (and off the network).
- Mentor and Praxis provide a “roll-back” feature – should files on either of those file servers become encrypted we would be able to roll-back to an unencrypted version. There may still be some data loss, since the roll-back feature takes a snapshot every 6 hours.
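The two questions the lists above raise for an individual machine are whether it is one of the affected Windows versions and whether the March update has actually taken effect, which requires a restart. The following PowerShell script is an added example written for this page; it is not a tool from Ithaca College DIIS or from Microsoft. It reads the last boot time, looks for the registry markers Windows sets when a restart is pending, checks the installed hotfix list, and, on Windows 8/2012 and later, reports whether the SMB1 server protocol (the file-sharing protocol the vulnerability lies in) is enabled. The hotfix IDs and the patch push date are placeholders you must fill in from the Microsoft guidance linked below and from your own deployment records; PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the original notice. Read-only check for whether the
# March 2017 update is installed AND effective (i.e. the machine has restarted
# since it was pushed). Assumes PowerShell 3.0+ (Windows 7 needs WMF 3 or later).

$PatchPushDate     = Get-Date '2017-03-20'       # ASSUMED placeholder: date the update was pushed
$ExpectedHotfixIds = @('KB0000000', 'KB0000001') # PLACEHOLDERS: KB numbers for this OS from the bulletin

function Test-PendingReboot {
    # Registry locations where Windows records that a restart is still required.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($m in $markers) {
        if (Test-Path $m) { return $true }
    }
    $pfro = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    return ($null -ne $pfro -and @($pfro.PendingFileRenameOperations).Count -gt 0)
}

function Get-PatchStatus {
    param([datetime]$PushedOn, [string[]]$HotfixIds)

    $os        = Get-CimInstance Win32_OperatingSystem
    $lastBoot  = $os.LastBootUpTime
    $installed = @(Get-HotFix | Where-Object { $HotfixIds -contains $_.HotFixID })

    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later only;
    # on Windows 7 / 2008 R2 the SMB1 state is reported as 'unknown'.
    $smb1 = 'unknown'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { 'enabled' } else { 'disabled' }
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OSVersion           = $os.Caption
        LastBootUpTime      = $lastBoot
        RebootedSincePush   = ($lastBoot -gt $PushedOn)
        RebootPending       = (Test-PendingReboot)
        ExpectedHotfixFound = ($installed.Count -gt 0)
        InstalledHotfixIds  = (($installed | ForEach-Object { $_.HotFixID }) -join ',')
        SMB1Server          = $smb1
    }
}

$status = Get-PatchStatus -PushedOn $PatchPushDate -HotfixIds $ExpectedHotfixIds
$status | Format-List

# Decision the service desk can act on: a machine that lacks the hotfix, has not
# restarted since the push, or still has a restart pending is not yet protected.
if (-not $status.ExpectedHotfixFound -or -not $status.RebootedSincePush -or $status.RebootPending) {
    Write-Warning "$($status.ComputerName): patch not confirmed effective - restart and re-check."
} else {
    Write-Output "$($status.ComputerName): patch installed and machine restarted after the push."
}
```

Run it from an elevated PowerShell prompt on the machine being checked; the script only reads system state and makes no changes. A report of "patch not confirmed effective" is exactly the case the notice describes: the update was delivered in March, but until the machine restarts the vulnerable component stays in use.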
OTHER STEPS WE ARE TAKING:
- On Friday we sent out an Intercom Alert informing the campus community about the situation and stressing the importance of rebooting their computers.
- Microsoft has made additional protections available through its Windows Defender/SCEP antivirus software; those went out on Friday.
- We are reviewing all of our Windows servers to ensure they are patched.
- All DIIS employees are being sent instructions for how to respond to reports of an infected machine.
- We are making additional backup copies of our key systems, and storing them in multiple locations.
- We are in touch with colleagues at other institutions and with our various solution partners to monitor the situation and are prepared to take additional action as needed.
ADDITIONAL INFORMATION:
- https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
- While we are not immune to being impacted by this outbreak, the progress that we’ve made to date on updating our infrastructure puts us in a better position to respond to this type of situation than we would have been a year ago. There is still much work to do, both technically and by policy, to further address vulnerabilities in our defenses. One area that we need to address is ensuring that machines are rebooted on a regular basis.
- We will provide additional updates as warranted.
- If you have questions or concerns, please contact the DIIS Service Desk: 607-274-1000.
Jason Youngers, our Information Security Officer, has provided this additional background:
Wanna Crypt Ransomware Attack Update
As is being reported in the media, about 200,000 computers around the world have been hit by a ransomware attack over the past three days. The majority of them were infected quickly on Friday afternoon. Russia and Europe were badly hit. DIIS has not been made aware of any IC computers becoming infected so far, but due to the timing of the attack users may not be aware of it themselves until Monday morning.
What makes this attack unusual is that no user action is required to get infected: it’s an over-the-network “worm” attack. Once a computer is infected, it reaches out to infect other computers on the same network. Successful large-scale attacks of this type have been relatively rare recently, but this attack takes advantage of a vulnerability in the built-in file-share software on certain versions of Windows. Not to be confused with peer-to-peer file-sharing software, like Napster, the vulnerability here is in the built-in Windows software that allows access to file servers like Mentor.
The attack fell off late Friday afternoon because a malware researcher accidentally triggered a counter-intelligence kill-switch that was hard-coded into the malware. There are currently rumors of a second version of the malware that has no kill switch, so we may see a second wave of infections. We may also see other kinds of attacks besides malware taking advantage of this vulnerability.
https://www.ithaca.edu/intercom/article.php/20170514212432430