Ransomware: digital hostage taking

13.10.2021

A ransomware attack has a Hollywood feel to it. One last click and a message appears on your screen: All data on your device have been encrypted and will only be released for a ransom payment. What precautions does the University of Vienna take to prevent such attacks? Alexander Talos-Zens of the IT Security team at the ZID has answered a series of questions on this issue.

Click here for practical tips for users on the topic of ransomware.

IT news: What exactly is ransomware?

Alexander Talos-Zens: We are talking about plain and simple blackmail that uses malware (also known as a virus) to exert pressure, destroy data or do something else to the computer. The majority of current malware attacks encrypt the data stored on the device and demand a ransom payment to decrypt the data again. The imagination of impostors knows no limits. For example, some impostors threaten to publish private or confidential data. You have to be careful with the term. Many people use the term 'ransomware' even if the attack does not involve blackmail, or they use it for a 'common' intrusion without the use of specific software.

What are the consequences of a successful attack?

The consequences can be disastrous. On the one hand, they can be disastrous for the person who has just lost research data or the manuscript of their doctoral thesis. But there is more: Suppose some ransomware spreads from one computer in the network to the servers. This does not necessarily mean that everything is broken. A likely scenario is that individual servers are affected (or suspected to be affected) and the administrators have to suspend a large part of the services as a precautionary measure. They basically place the services into an artificial coma until all systems have been analysed and, if necessary, newly set up. Of course, cases such as these make the news immediately and cleaning up can take a long time, unfortunately.

Who does something like that and why?

The stereotype of the 15-year-old computer nerd living under difficult social circumstances that you may know from old films is completely wrong. Professionally organised rings have been dominating the scene for some time now. They are organised more like an enterprise, albeit an illegal one. And what do the criminals want? They want to make money, what else? Encryption and blackmail is a business model that works well at the moment.

So we are talking about organised crime. Not a pleasant thought...

Of course, IT is part of our society – why should it be more peaceful than others? What helps us is that from a commercial perspective, universities are not an interesting target. They find it hard to quickly raise substantial sums of money and nothing can be achieved without a tendering procedure. In addition, universities can cope with 'production downtimes' better than industrial companies. This provides a certain degree of comfort. Unfortunately, most attacks are not targeted at specific victims but at the broad mass – just like we know it from spam. Therefore, with around 100,000 university members, such attacks can naturally affect us as well. But usually the damage is limited in these cases.

Considering its size, we could compare the University of Vienna to a bank or to a large enterprise. Do they have similar security requirements?

Not at all. Utmost freedom in research and teaching is key. Everything else kills creativity. For example, the university network comprises everything ranging from Windows computers to electron microscopes and I would not be surprised to learn that some laboratory controls its experiments using a PlayStation. Of course, the users want to be able to access all these devices at any time and from anywhere, even from the conference in who-knows-where. In contrast, business enterprises usually work with centrally rolled-out standard PCs on which users are not allowed to install software themselves. Needless to say, in enterprises such as these you cannot access anything from the Internet without a VPN connection, not even the e-mail server. At the University of Vienna, all of this would be unimaginable.

How does the ZID specifically handle the threat?

We rely on a new generation of firewall technology at the University of Vienna. In addition, we carry out security scans and analyse the results together with the operators. We are occasionally requested to check suspicious files, for which we then assess whether they contain malware and how they function. Of course, we also provide support in case of security incidents. Our administrators ensure professional, state-of-the-art security measures for the services operated by the ZID and can react quickly and effectively to security threats.

What about the central services, such as u:space? They are extremely important for the functioning of the University. Imagine the consequences if data from these services were lost.

We have an excellent backup system to prevent data loss on the central services. This is part of the professional service provided by our administrators. I consider it highly unlikely that we could lose, for example, exam data. Moreover, our heterogeneous and individual server landscape helps us as well: It is not a monoculture that is destroyed by one type of pest. Rather, an attack on this system is relatively complex and not possible using automated bog-standard ransomware. So, from the perspective of the impostors, attacking it is probably unprofitable. But we can never be 100 per cent sure. It would be wrong to think that we cannot be affected. Of course, the most important aspect is to remain vigilant and to improve continuously.

So if services, servers and backups are stored safely, a loss of data can more likely be expected at the level of individual devices?

Yes. An incident at the personal level can be traumatic for the person affected. From the organisational view, however, the damage is usually limited. However, recovering network drives, informing the users about the breach, analysing the extent of the attack, etc. can take considerable effort. Unfortunately, this happens regularly with locally managed PCs that are not managed centrally by the ZID.

What are the limitations of technical solutions?

Computers are highly complex due to the software they use and their networks. Therefore, mistakes inevitably occur but the user now seems to have become the weaker link in the chain.

How can I make kitchen knives safe enough so that nobody can cut themselves? A computer is a powerful tool. This means that you can mess things up considerably in a very short time. For example, if a user launches a malware attack because they believe that they are opening an invoice attached to an e-mail, the computer has done exactly what it has been told to do. These Trojans are probably so common because the quality of the security mechanisms has improved immensely in the past few decades.

So we need the interplay between safe technology and safe users?

Exactly. The ZID invests a great deal of energy and effort into our courses, the security tips on our websites, newsletters, etc. to ensure that the university members can acquire the necessary knowledge and skills. In addition, the ZID websites provide many tips for users to support them in making work on their devices safer. The most important safety tip that I can give: Please always back up your data, also at home.
