UW campuses dodge cyber ransom threat

Although cyber threats are nothing new to UW-System tech security, CryptoLocker, a unique strain of virus, had experts scrambling in mid-October.

Learning and Technology Services sent an email Oct. 23 urging caution to UW-Eau Claire students, after the virus was found on five UW campuses.

UW-Madison, -Whitewater, -Stevens Point, -Milwaukee and -Superior were affected by a version of the CryptoLocker virus in a time span of two weeks.

Chip Eckardt, Eau Claire’s information security officer, said that while past viruses targeted stores of information or planted frustrating obstacles, hackers are now motivated by more than mischief.

“The trouble with this stuff is now people can make money off it,” Eckardt said. “If I release a virus that hits half a million machines and one out of every 500 pay the ransom, I make a lot of money.”

CryptoLocker, a form of ransomware, uses a unique encryption key for each file it infects, then demands money to release the lock.

When most viruses infect campus computers, information security staff can bully or trick the virus into giving up the encryption key. But CryptoLocker is different; its keys are more advanced than other threats, Eckardt said.

And CryptoLocker can also be modified to evade virus scanners, he said.

“It used to be, they had the same virus out everywhere, and the anti-virus companies could just look for the name and just remove it,” Eckardt said. “But this one, people are modifying it like crazy.”

UW-Madison Department of Information Security supervisor Stefan Wahe said CryptoLocker piggybacked a spearphishing threat targeted at Madison faculty and staff.

Spearphishing attacks try to trick people into giving up personal information like passwords, bank account numbers and addresses.

The spearphishing message looked like a standard email. It asked staff to fill out personal information in order to use a state-owned vehicle.

The grammar was correct, and the font and feel of the email looked legitimate, Wahe said. Dozens of staff members clicked the email, triggering ransomware threats across campus.

The virus began attaching itself to files on Madison computers. Faculty and students noticed their computers were running slow.

Campus tech security was able to recover backups of infected files. But all in all, about three or four dozen students or faculty members were infected and were asked to pay the $300 ransom.

“What made it unique was the tie-in to phishing,” Wahe said. “It came through as a ZIP file. Usually the virus would have been caught.”

Wahe said that although state employers aren’t legally allowed to pay ransoms, he wouldn’t recommend anyone else pay either. Because the Madison threat was tied to a phishing attack, there’s no guarantee personal information wouldn’t continue to be used if the person paid up.

UW-Superior Infrastructure Services Director Tom Janicki said he’s talked to people off campus who have paid CryptoLocker ransoms. Sometimes they get their files back, but sometimes their bank account is emptied and their files stay frozen.

Wahe and Janicki both said campus tech staff updated anti-virus software to reduce the threat of future attacks.

“Now they’re just getting more clever,” Janicki said. “We’re always putting layered systems in place to protect the campus.”

UW-Superior took further steps to prevent a ransomware threat at about the same time.

It outlawed ZIP files in emails altogether — a measure Eau Claire also takes.

Eckardt said Eau Claire runs scans on encrypted ZIP files.

“It hasn’t hit us here, because we have it set up on our email, if there’s a password protected zip file, it deletes it,” Eckardt said. “Because of that it didn’t hit our campus yet. If someone has a gmail account, it might come through there.”
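The two gateway policies described above, deleting password-protected ZIP attachments (Eau Claire) and blocking ZIP attachments outright (UW-Superior), both rest on one cheap check: a ZIP archive records in its central directory whether each entry is encrypted, and that flag is readable without the password. The following is an added example written for this article, not code from any UW campus system; the function names, the `block_all_zips` option and the sample archives are constructed here, and the "encrypted" sample only has its flag bits patched rather than being genuinely password-protected.

```python
"""Detect password-protected (encrypted) ZIP attachments at a mail gateway.

Added example for this article; helper names and sample archives are
constructed here and are not part of any UW campus system.
"""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"   # local file header signature
CENTRAL_DIR_SIG = b"PK\x01\x02"    # central directory header signature
ENCRYPTED_FLAG = 0x0001            # general-purpose bit 0: entry is encrypted


def encrypted_entries(data: bytes) -> list[str]:
    """Return the names of entries whose general-purpose flag marks them encrypted.

    Only the central directory is parsed; no password and no decompression are
    needed, which is what makes the check affordable on every inbound message.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [zi.filename for zi in zf.infolist()
                    if zi.flag_bits & ENCRYPTED_FLAG]
    except zipfile.BadZipFile:
        # Not a parseable ZIP at all (truncated or not a ZIP); nothing to report.
        return []


def attachment_verdict(filename: str, data: bytes, block_all_zips: bool = False) -> str:
    """Decide what the gateway does with one attachment.

    "delete" for a ZIP with any encrypted entry (the Eau Claire rule), or for
    every ZIP when block_all_zips is True (the UW-Superior rule); else "allow".
    Checks the magic bytes as well as the extension so renaming does not help.
    """
    looks_like_zip = data.startswith(LOCAL_HEADER_SIG) or filename.lower().endswith(".zip")
    if not looks_like_zip:
        return "allow"
    if block_all_zips:
        return "delete"
    return "delete" if encrypted_entries(data) else "allow"


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed test input: a one-entry stored ZIP.

    When encrypted is True, the encryption bit is set in both the local header
    (flags at offset 6) and the central directory record (flags at offset 8),
    so the archive presents exactly as a password-protected ZIP would to a
    scanner, even though the payload bytes themselves are left untouched.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("report.pdf", b"placeholder document body")
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, offset in ((LOCAL_HEADER_SIG, 6), (CENTRAL_DIR_SIG, 8)):
            pos = raw.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", raw, pos + offset)[0]
                struct.pack_into("<H", raw, pos + offset, flags | ENCRYPTED_FLAG)
                pos = raw.find(sig, pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    for name, blob in (("clean.zip", build_sample_zip(False)),
                       ("locked.zip", build_sample_zip(True))):
        print(name, attachment_verdict(name, blob), encrypted_entries(blob))
```

A gateway that only deletes encrypted ZIPs still lets plain ZIPs through, so it depends on the anti-virus scanner being able to open and inspect those; the stricter block-all policy trades that dependency for more false positives on legitimate archives. Neither check helps for mail that never passes the campus gateway, which is the Gmail gap Eckardt points out.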

UW-Stevens Point also found two CryptoLocker threats during the week of Oct. 14.

The first threat was brought onto campus by a student with out-of-date anti-virus software. Luckily, he had run a file backup just before he was infected, and tech staff were able to remove the virus from his computer, but the whole process took about two days.

The second threat came to campus in an email and had started to take root when tech staff noticed a problem.

Peter Zuge, of Stevens Point’s Information Security Office, said staff were able to dismantle the virus before any damage was done. But if they hadn’t caught it, the virus could have encrypted files and spread.

“CryptoLocker is out there and it’s becoming very common,” Zuge said. “Every virus has its heyday. Now it’s out there and it’s hot. The important thing is people need to have up-to-date anti-virus.”