U of C ransom payout better than battling hackers, expert says

John Aycock, Paying a $20, 000 ransom may seem like a lot of money, but one expert says it’s better than trying to wrestle control of the system back from hackers at the risk of losing data.

University of Calgary officials announced Tuesday they paid hackers a week after ransomware encrypted staff and faculty emails.

John Aycock, an associate professor in the computer science department at University of Calgary, told the Calgary Eyeopener the decision deserves a bit of context. With a faculty of more than 1,800, he said an hour of their time — even if they made minimum wage — would cost more than $20,000.

“In context, even if you say you’ve saved an hour of everyone’s time, you’re actually ahead of the game in the big picture, so you could actually argue the university in fact got a bargain in some ways.”

John Aycock, an associate professor in the computer science department at the University of Calgary, said the ransomware attack on the University of Calgary shows if an institution that big is vulnerable so are small- and medium-sized businesses. (Dave Dormer/CBC)

John Aycock, an associate professor in the computer science department at the University of Calgary, said the ransomware attack on the University of Calgary shows if an institution that big is vulnerable so are small- and medium-sized businesses. (Dave Dormer/CBC)

A release from the U of C describes ransomware as “an unknown cyberattacker locking or encrypting computers or computer networks until a ransom is paid, and when it is, keys, or methods of decryption, are provided.”

“We [paid the ransom] solely because we need to protect the quality and nature of information that we generate at the university,” said Linda Dalgetty, vice-president of finance and services at the U of C.

Attacks becoming more sophisticated

Aycock warned hackers are becoming increasingly sophisticated in their attacks.

“Ransomware isn’t a new thing, the earliest examples go back to the ’80s,” he said.

Aycock says it’s gotten better over time to the point where if your files are encrypted, unless the bad guys have made some really grievous errors, you can’t decrypt it.

“It doesn’t matter how many computers we have to throw at the problem or how many smart people, if it’s done right you simply won’t be able to decrypt it, so your options become, ‘How do we strategically manage the situation? How do we deal with the risk involved?'”

There are lessons to be learned from the attack.

“The big lesson is that the university does have people who are paid to do IT and even then this sort of thing can still happen,” said Aycock.

“You think of all the people who haven’t backed up their home computers who have small businesses and don’t have these IT departments and they have no plan in place to deal with this, so I think this is perhaps a lesson if you like and acts as a wake-up call for people who haven’t considered this scenario and who aren’t maybe taking as many precautions as they might.”

Not alone

The U of C may be one of the most high-profile victims, but they are not the only ones. Last December, Kensington Wine Market said a ransom had been paid after its computers were hacked.

Aycock said there are many more victims who haven’t gone public.

“Certainly there are lots of businesses where this would potentially be bad for their image if it got out they had been hit by ransomware and had paid the ransom,” he said.

“So I actually think there’s some credit to the U of C actually ‘fessing up to this and if there’s a message it’s that even if an organization like the U of C is vulnerable, maybe it’s time to make sure you’ve taken adequate precautions.”

Calgary police are investigating the U of C attack.

By Dave Dormer, Stephanie Wiebe, CBC News Posted: Jun 08, 2016 6:01 AM MT