Ransomware Attack Briefing
President’s Leadership Council
October 21, 2019
August 8 Cyberattack Summary:
• The attack was severe and sophisticated; it was categorized as a “catastrophic” attack.
• Its timing was highly strategic, given that the target was a university.
• There were three main elements:
  1. Phishing / account compromise, iteratively escalated
  2. Command-and-control (C2)
  3. Cryptoware / malicious data encryption
• The attackers sought ransom negotiation; we did not engage or pay a ransom.
Timeline:
August 8:
• Attack begins in the early hours; users begin reporting encryption.
• Cyber Incident Response Protocol is immediately initiated.
• On-premise systems are intentionally taken down.
• Cybersecurity partner is engaged through Stevens cyber liability insurance.
• EMT implementation is requested and Stevens declares a Level 3 Emergency.
• Business Continuity is initiated, and areas prepare for coordination.
• Containment and remediation continue overnight.
Timeline, continued:
August 9:
• Re-attack is immediate, and live / operational systems are hit in real time.
• All systems and networks are downed; all accounts are reset.
• Internet connectivity is disabled.
• By mid-day, the decision is made to abandon the legacy Stevens network and construct a new, secure, segmented network.
• Planning and execution begin on the new network.
Timeline, continued:
• August 10-11: New network is engineered, and implementation begins. BC operations center is established.
• August 13: User authentication re-enabled, Skyline WiFi implemented, cloud services become available.
• August 16-17: Access to O365 email restored, international student processing brought online.
• August 19: Student information system and ancillary systems brought online.
• August 20-22: Financial Aid, Student Accounts brought online.
• August 23-25: Students enrolled; course schedules completed.
• August 26: Fall 2019 classes begin on time. Recovery of >75 systems continues.
Old PCs become weapons that are used against us. A large number of old, abandoned, unmanaged, and/or unprotected systems across campus, including “shadow systems,” had been compromised; finding and eliminating them was a practical impossibility.
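The briefing's lesson above is that unmanaged and "shadow" systems could not be found quickly enough. One defensive control that addresses this is reconciling what is actually on the network (DHCP leases) against the endpoint-management inventory, so that any host with no inventory record, or with an agent that has stopped reporting, is surfaced before an incident rather than during one. The script below is an added example and not code from the Stevens briefing; the lease and inventory record formats, hostnames, MAC addresses, and the 30-day staleness threshold are all constructed assumptions.

```python
"""Flag hosts seen on the network that are absent from, or stale in, the
managed-asset inventory.

Added example, not part of the Stevens briefing. All record formats,
hostnames and MAC addresses below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str


@dataclass(frozen=True)
class Asset:
    mac: str
    owner: str
    last_checkin: datetime  # last time the endpoint agent reported in


# Constructed DHCP lease export (hypothetical format: "mac ip hostname" per line)
DHCP_LEASES = """\
aa:bb:cc:00:00:01 10.10.1.10 lab-pc-01
aa:bb:cc:00:00:02 10.10.1.11 lab-pc-02
aa:bb:cc:00:00:03 10.10.1.12 oldwin7-scanner
aa:bb:cc:00:00:04 10.10.1.13 unknown-desktop
"""

# Constructed endpoint-management inventory; only two of the four hosts are known.
NOW = datetime(2019, 8, 7, 12, 0)
INVENTORY = [
    Asset("aa:bb:cc:00:00:01", "ECE lab", NOW - timedelta(hours=2)),
    Asset("aa:bb:cc:00:00:02", "ECE lab", NOW - timedelta(days=120)),  # agent stale
]


def parse_leases(text: str) -> list[Lease]:
    """Parse the constructed lease export; malformed lines are skipped, not fatal."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        mac, ip, host = parts
        leases.append(Lease(mac.lower(), ip, host))
    return leases


def find_unmanaged(leases: list[Lease], inventory: list[Asset],
                   stale_after: timedelta = timedelta(days=30),
                   now: datetime = NOW) -> list[tuple[str, str, str]]:
    """Return (mac, hostname, reason) for every lease that is not actively managed.

    A host is reported if it has no inventory record at all, or if its
    management agent has not checked in within `stale_after` (an assumed
    threshold; tune it to the environment's agent reporting interval).
    """
    by_mac = {asset.mac.lower(): asset for asset in inventory}
    findings = []
    for lease in leases:
        asset = by_mac.get(lease.mac)
        if asset is None:
            findings.append((lease.mac, lease.hostname, "not in inventory"))
        elif now - asset.last_checkin > stale_after:
            findings.append((lease.mac, lease.hostname, "agent stale"))
    return findings


if __name__ == "__main__":
    for mac, host, reason in find_unmanaged(parse_leases(DHCP_LEASES), INVENTORY):
        print(f"{mac}  {host:20} {reason}")
```

Run periodically against real lease and inventory exports, the list it produces is the candidate set of "old, abandoned, unmanaged" machines the briefing describes; each entry is either enrolled, isolated, or removed from the network. Keying on MAC address rather than hostname matters because an abandoned machine often keeps a hostname that looks legitimate while nobody owns it.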
Recommend
More recommend