IT World Canada ran an article the other day regarding the payment of ransom at the University of Calgary. The piece is almost an editorial as the writer beat the University up for paying the ransom.
Here is the story that the article laid out. In June the University was infected with a “significant malware incident”. It is not clear what that means, as the University is being pretty tight-lipped about it. In any case, in an interview, Linda Dalgetty, VP of Finance at the University, said that the University chose to pay the ransom. She said that paying the ransom was instrumental in helping the school recover after the attack.
The writer beat up the school because, by paying, it was encouraging criminals to release ransomware into the wild, and because the University should be held to a higher standard than a commercial business. To be clear, they are encouraging the bad guys.
If I were going to beat the University up for something, it would be to ask how come their disaster recovery and business continuity plans weren’t up to handling this. How come their backups were insufficient to the task of dealing with this?
And, oh, yeah, they said their cyber insurance didn’t cover extortion. What, their insurance agent never heard of ransomware?
The University said that cost, in terms of lost staff time, was the primary reason that they paid off the extortionists.
I am sure that somewhere in the U.S. or Canada, several times a day, the same decision is made. Whether to pay the extortion or not is, unfortunately, typically a business decision and very rarely a moral decision.
What is unclear is whether the writer, who was NOT employed by the school, would still want the school to not pay if he found out that he was not going to get a paycheck for a month or two because the University stuck to its guns and did not pay the ransom. Sony didn’t have working financial systems for almost three months after their attack, so that scenario is not far-fetched. If instead, it had to rebuild its financial systems, hire a number of temporary employees to rekey data into the system (assuming paper records even exist) and then check the integrity of the result.
Would he be okay if he were a researcher who lost 2 or 3 years of research as a result of this attack?
It is easy to second-guess the decisions that management makes. In fact, it is pretty much a national pastime in most countries, but those decisions are hard.
This is yet another call to make sure that your incident response, disaster recovery and business continuity plans are written down, approved, implemented and tested on a regular basis.
THAT is the best way to handle ransomware.
For some organizations, if they had that kind of attack, they would spin up new virtual instances of the affected systems, roll back the data to a few minutes before the attack and move on.
Unfortunately, those organizations are few and far between.
For many organizations, that attack is an “ah, shucks!” moment as they realize that the backups that they need don’t exist or were not working at the time of the attack.
Information for this post came from IT World Canada.