Ransomware Response plan

DADDAA & Dunlap Ransomware Response Plan

July 5, 2021

1.   Preamble

Ransomware has become rampant in recent years. Universities are impacted by ransomware attacks. In Ontario, Lakehead University, McMaster University, and George Brown College were all targeted. Briefly, ransomware is a type of malicious software that encrypts your computer or specific files until you pay the ransom and the bad guys unencrypt them.

Ransomware mainly attacks Windows environment. Though not as prevalent, Linux and Mac OS are not immune to the attack. The following are just some examples:

Linux:

RansomEXX (discovered in 2020)

REvil (targeting VM, discovered in 2021)

Mac OS:

FileCoder (discovered March 2014)

Oleg Pliss (discovered May 2014)

KeRanger (discovered March 2016)

Patcher (discovered February 2017)

Given the increasing thread, UofT CISO escalated the ransomware risk level from moderate to significant impact on June 28^th, 2021. As part of the action, this plan is developed to mitigate the risks for DADDAA & Dunlap community.

2.    Prevention

Prevention is the most important step to reduce the likelihood of ransomware attack and rescue the data when attack happens. The following measures should be considered:

• Computer accounts: users should use the standard account type rather than privileged account. That means that your day-to-day use account should not be administrator (Windows), root (Linux), non-first user account (on Mac, first account created has super user privilege).
• Computer patching: Whenever possible, make sure that your computer is configured with auto-updates. If your computer is not configured for auto-updates, make sure you do updates as soon as your computer prompts you to do so. Software should also be updated when a new release is available.
• Email: it is recommended that you migrate to UofT O365 central email system as it strips off certain attachments. If you receive an email with attachment, even from someone you know, you should first check with the sender to make sure that it is safe. Sometime, the From: header can be deceiving, therefore, close examination of the header is recommended. If you are not sure about a particular attachment, please consult Stipe or Hugh. If your incoming mail contains web links, please make sure that the links are legit. If you are asked to enable macros to see the contents of a Microsoft document, it should raise a red flag.
• Vigilant on what to install or click: If you receive an email attachment which requires installation, do not install. When browsing on web, do not click “yes” when it asks you to install. If you have to install apps, make sure that you only do so from official site.
• Backups: use ransomware resilient backups, for more information, please check this. For example, backup your important core data to an external hard drive and disconnect it after finishing; backup to entreprise OneDrive that university offers so that you can obtain early versions when needed; backup to cloud immutable site (for example, backblaze.com). If you need to purchase an external hard drive for secure backup, DADDAA and Dunlap will cover the cost. Also, multiple backup copies is also recommended.
• Antivirus software: modern and updated antivirus software provides a level of protection from ransomware attack. For example, Microsoft Defender for Windows, and free AVG AntiVirus for Mac. Some commercial antivirus software provides extra protection. For Linux, make sure that your system security is hardened. The University is investigating an institutional wide end point solution which should provide better protection when implemented.
• Login: Use MFA whenever possible. Use a strong password rather than easy to guess/crack password.

3.   Response to Attack

Unfortunately, there is no 100% proof measures against ransomware infection. When the attack happens, the response can contain are few components, including identification, containment, eradication and recovery.

The following are some of the specific steps:

• Identification: identify which devices and what kind of data are infected. Identify the virus strain, if possible, from the message or using identification tools. Take note of the time or other information related to the virus infection.
• Isolation: remove the device’s access to the internet and any other networks. DO NOT power off the device.
• Notification: notify the Chair or Director as well as the IT team. The IT response team will take over in terms of further reporting and provide specific instructions according their playbook. Depending the severity, University response team may be activated and external resources provided when in need. Please make sure that forensic evidence is intact. For virtual systems, take a snapshot of the system and notify the service provider as soon as possible.
• Eradication: With luck, one may find solution or even antivirus software to remove the malware. Otherwise, the user, leadership and IT team will determine if the University approved third-party firm should be engaged. Public notification may be required if it meets the legal requirement.
• Recovery: the safest and fastest route to recovery is to build a new system and then recover the data from clean backup. Before the redeployment, the new system should be fully patched and hardened. If the data is not recoverable, the user and leadership will arrive at the decision whether to pay the ransom or go without the lost data.