By Travis Hendryx, Office of Public Relations
In the wake of the recent ransomware attack, Sul Ross State University continues to make progress in recovery efforts.
According to the Office of Information Technology, many services and desktop computers have been scanned and are approved to be on the network.
OIT said in a Facebook statement the list of machines is being determined by the Executive Cabinet members in order to concentrate on computers that have the greatest impact for the institution.
Sul Ross faculty and staff have been urged not to turn on or use any office computer for any purpose until approved by OIT.
While certain aspects of the recovery are slow, measures are being taken to avoid further disruption of services.
Nearly a week into the incident, university technology staff, with the help of other state agencies and a consulting firm, are facing the challenge of unpacking the elements of the cyberattack.
“The reality of these kinds of attacks is they are multi-faceted,” said Chief Information Officer David Gibson. “They occur over a long period of time and can go largely undetected.”
Initial findings of the investigation estimate the injection of the Trojan, Trickbot, into the network occurred in March of this year.
“Trickbot acts like a spy in that it watches and learns about our environment and evaluates what takes place in the system and how those systems are most easily compromised,” Gibson said. “Once Trickbot settles on a computer system, it receives instructions from its ‘command-and-control’ (C2) server somewhere else in the world.”
At 11:50 on the night of June 21, Trickbot received instructions from the C2 server to encrypt the Windows servers on all campuses.
“Remember, these kinds of injections usually begin as phishing attempts when an unsuspecting user clicks onto an email link,” said Gibson. “That is all that is needed to inject the trojan into the network.”
Gibson said the goal of ransomware hackers is not to harvest or steal information but to commit a “cyber” kidnapping and demand payment for the return of what was encrypted.
“What they do is encrypt or corrupt information then demand money to release that information back to the system.”
Gibson added the particular ransomware that struck Sul Ross is not unique to the university.
“I hate to use the word ‘normal’ but this is how the world is today,” he said. “The real change from today to maybe what we had a year or two ago is how these things are becoming very intelligent.”
In its infancy, ransomware typically attacked just one computer but, according to Gibson, malware has evolved with the ability to corrupt entire state agencies and large businesses.
“Every computing platform is capable of suffering this kind of attack including Macs,” said Gibson. “There are different variants and each variant attacks because they have different operating systems.”
“It’s important to understand that this attack was directed at Windows servers specifically,” he said.
“Other operating systems such as Linux and MacOS were not affected by this variant of malware because that was not the attack vector for this version of Trickbot.”
“This Trojan will also not infect your smart phone or your tablet,” he said.
While continuing efforts to set the system back on its feet are time-consuming, Gibson said server backups play a critical part in ensuring that the attack does not inflict permanent damage.
“Although this has been painful for everyone in the university community with the temporary loss of services, the bottom line is we have very good backups,” said Gibson. “We will be able to recover everything.”
“Many other agencies across the state and nation either have to start all over again or pay the ransom because they lacked adequate backup measures,” he said. “Sul Ross never asked what the ransom was simply because we have great backups and don’t need to consider paying the ransom.”
“By the time we discovered we were experiencing a ransomware attack we immediately started blocking access to the network,” said Sul Ross President Bill Kibler. “The staff at OIT jumped right into action to take steps to protect the university.”
Kibler said one of the first calls to action was to ensure that mission-critical functions of the university were in full operation.
“First and foremost our primary mission is to provide an education,” he said. “So we needed to make certain that students had access to classes, specifically Blackboard.”
Because identity authentication involves single sign-on, students were initially denied access to certain channels through the website following Saturday night’s attack.
“This meant that simple login to your computer was blocked,” Kibler said. “Dave and his team began working on a backdoor entrance that involved some lengthy phone conversations with representatives from Blackboard.”
“So our students are able to log in to Blackboard again thanks to Dave and the others at OIT working in constant communication with the people at Blackboard,” he said.
Another area of concern was payroll. “We had a quick meeting Monday morning to flesh out some solutions,” said Kibler. “But fortunately Human Resources already had emergency response plans in place.”
“Because of the quick action and the understanding that this was of critical importance, OIT immediately scanned the computers in Human Resources to ensure our employees get paid on time,” he said.
Kibler also added that several other corrective measures are taking place simultaneously.
“OIT is working on Banner access for accounting purposes so we can take care of business like paying our bills and make sure that we are functioning at as normal a level as possible,” he said.
“Email access will take priority next but until that time, our faculty and staff were encouraged to create temporary accounts to continue doing business.”
Kibler also praised the faculty for their response to the recent attack.
“Our faculty members have really stepped up to the challenge and have worked continuously with our students and have offered flexibility in trying to work through this ordeal,” he said.
Echoing Gibson’s sentiments, Kibler said that while the attack provided challenges to the university community, the incident was not a crisis.
“We already had emergency response plans in place,” said Kibler. “Because of those measures along with cyber security insurance and the creativity of our faculty and staff, business has continued and our mission of providing our students with a quality education remains.”