{"id":811,"date":"2024-11-11T06:00:00","date_gmt":"2024-11-11T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=811"},"modified":"2024-11-11T06:00:00","modified_gmt":"2024-11-11T06:00:00","slug":"uab-cio-goncal-badenes-on-ransomware-lessons-learned","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=811","title":{"rendered":"UAB CIO Gon\u00e7al Badenes on ransomware lessons learned"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>\u201cAlthough it happened two and a half years ago, it still generates anxiety and restlessness to remember it,\u201d is how Gon\u00e7al Badenes, CIO of the Universitat Aut\u00f2noma de Barcelona (UAB), describes the ransomware attack carried out against the university by the PYSA cybercriminal group in 2021.<\/p>\n<p>As often happens in such cases, the incident took place over the long weekend of Spain\u2019s National Day on 12 October. \u201cThey always act when they think you are weaker,\u201d Badenes said <a href=\"https:\/\/www.cio.com\/article\/2510086\/anatomia-de-un-ciberataque-un-relato-en-primera-persona.html\">during a presentation earlier this year<\/a> at Dell Technologies World in Las Vegas.<\/p>\n<p>On the day UAB was hit, its detection and continuity system raised the alarm after finding that the university\u2019s systems were crashing one by one. 
The staff on duty called Badenes and UAB\u2019s internal security committee to alert them. From the first minute, all efforts went into understanding what had happened, how it had happened, and what had to be done to recover.<\/p>\n<p>Here is how, despite the initial uncertainty, an enormous workload, and a lingering feeling of vulnerability, Badenes and his team not only survived the attack but rebuilt the university\u2019s systems stronger and more secure than before.<\/p>\n<h2 class=\"wp-block-heading\">The importance of preparation<\/h2>\n<p>Before the attack, the university had established a response plan aligned with the Spanish National Security Scheme (ENS). As a result, UAB\u2019s security team was prepared and had developed its own methodology for handling an incident of this kind before one occurred.<\/p>\n<p>\u201cWe knew it could happen, and we had taken action on the matter; just as you do a fire drill once a year, we did the same with cybersecurity. It was a subject that we took seriously,\u201d Badenes said.<\/p>\n<p>The attackers managed to encrypt the data repository of the university\u2019s VMware virtualization platform and its backup, but the university had a second copy of the backup and a third on tape. The main attack, the CIO recalled, was on the Data Processing Center, but there was a side attack on the virtual campus, where the attackers deployed a PowerShell script that began encrypting user computers that were active on campus and connected to the university network.<\/p>\n<p>\u201cThis, I think, they did simply to increase visibility,\u201d he said. \u201cThe damage they did was very limited, and it ensured that both ICT staff and the student community knew what was happening.\u201d<\/p>\n<p>Badenes said that the initial plan was to disconnect from the network and shut everything down to minimize the damage. 
However, \u201cthe magnitude of the effect that stopping everything has is difficult to imagine until you are faced with the situation.\u201d<\/p>\n<p>Having moved from a mostly in-person university to a largely digital one during the pandemic, UAB now had to reverse that shift to deal with the ransomware incident. That is hard enough on its own, and harder still when staff and students have to be kept informed while every internal system is down. To solve this, Badenes contracted an external hosting service to stand up a temporary WordPress page for updates on the state of the attack, and also opened a public channel on Telegram.<\/p>\n<p>At this point, Badenes and his team noticed that \u201cthe internal protocols you have, however fast and structured, are too slow when the action must be immediate.\u201d<\/p>\n<p>A key part of UAB\u2019s response plan, one that helped tremendously, was having identified in advance a company that could assist the university in the event of an incident, Badenes said. \u201cThis meant that we did not waste hours or days that in such a circumstance are extremely valuable.\u201d<\/p>\n<p>During the response, UAB worked with the Catalan Cybersecurity Agency, which joined the effort on its own initiative, as well as the Data Protection Agency, the police, technology services provider S2Grupo, and Dell Technologies.<\/p>\n<p>The university believes the attackers gained initial access through a phished student credential. 
The attack left 1,200 servers and 10,000 computers out of service and affected more than 50,000 users.<\/p>\n<h2 class=\"wp-block-heading\">Ignoring the ransom<\/h2>\n<p>Forensic analysis by the Catalan Cybersecurity Agency found that the corporate databases had not been compromised, so academic records, financial information and the personal data of staff all remained safe. \u201cThe amount of data leaked, in the worst case, would have been minuscule,\u201d Badenes said.<\/p>\n<p>At this point the question arose of whether to give in to the attackers\u2019 ransom demands or stand firm, a <a href=\"https:\/\/www.csoonline.com\/article\/3488842\/to-pay-or-not-to-pay-cisos-weigh-in-on-the-ransomware-dilemma.html\">dilemma all IT leaders face in such situations<\/a>.<\/p>\n<p>Badenes and his team decided to stand firm.<\/p>\n<p>\u201cWe neither paid nor contacted them,\u201d he said. \u201cWe completely ignored the ransom notes.\u201d<\/p>\n<p>Badenes said the decision was made for ethical and legal reasons, and \u201cbecause we had no possible way of doing it as a public entity, since any expense of more than \u20ac15,000 means we have to start a public tender process.\u201d<\/p>\n<p>\u201cI think the attackers never understood the idiosyncrasy of attacking a public entity in [Spain],\u201d he said with some sarcasm.<\/p>\n<p>Because the team never read the note, Badenes did not know at the time what ransom the attackers were demanding to decrypt the university\u2019s data.<\/p>\n<p>\u201cWe later learned from the press, which investigated it, that they were asking for a ransom of \u20ac3 million, which would be 1% of the university\u2019s budget,\u201d he said.<\/p>\n<h2 class=\"wp-block-heading\">Recovery and moving forward after a ransomware attack<\/h2>\n<p>The first backup had been destroyed, and the second appeared to be lost as well. It took UAB and its response partners 10 days to confirm that the third copy, on tape, was safe. 
Dell then examined the encrypted backups as well and found that the second copy had not been lost after all.<\/p>\n<p>At that point more than one sigh of relief was heard. \u201cThe level of stress dropped considerably,\u201d Badenes said.<\/p>\n<p>The next step was to restore everything that had been destroyed, but, as the CIO points out, \u201cyou have to be sure that all the systems are clean. When an attack like this occurs, it doesn\u2019t just encrypt systems; they may also have left backdoors.\u201d<\/p>\n<p>With that in mind, Badenes decided to rebuild the critical systems from scratch rather than restore them: backup, identity, databases, and virtualization. \u201cWe reinstalled them from scratch,\u201d he said. \u201cWe applied all the updates, and only then did we start to load the data back in, to prevent any malicious configuration from sneaking in.\u201d<\/p>\n<p>Systems were down for two weeks. \u201cThe first service began to be restored 15 days after the attack; after two more weeks, the critical services for the university were all up and running,\u201d Badenes said. \u201cThe total recovery came three months later, although by then what remained were relatively small things.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Lessons learned<\/h2>\n<p>In October, Badenes joined CSO Spain at its Cybersecurity Forum event to <a href=\"https:\/\/www.computerworld.es\/article\/3593313\/goncal-badenes-uab-uno-de-los-grandes-retos-de-un-ciberataque-es-como-comunicarlo.html\">discuss UAB\u2019s security takeaways from the incident<\/a>.<\/p>\n<p>\u201cMost institutions have a 24\/7 service in terms of business continuity, but not in terms of security, and this is a mistake,\u201d Badenes told CSO Spain and event attendees. 
\u201cThe \u2018business\u2019 area never wants to stop services, but it is necessary to do so in order to apply patches and perform updates.\u201d<\/p>\n<p>Badenes continued: \u201cFor example, although we had installed two-factor authentication for students to access the Office 365 platform, this was not the case for the VPN.\u201d<\/p>\n<p>After the attack, UAB IT rolled out 2FA across all services and replaced end-user equipment, much of which was obsolete. \u201cIn fact, the management of user equipment, which until the cyberattack had been decentralized, became centralized,\u201d he said. \u201cNot updating computer equipment is a big risk and a possible gateway.\u201d<\/p>\n<p>Another lesson, according to Badenes, was the importance of having different layers of security in different places and built on different technologies. For UAB, he explained, those layers, the separate backup copies above all, were what saved it from data loss.<\/p>\n<p>The CIO also stressed the need for public institutions to allocate more investment and resources to cybersecurity.<\/p>\n<p>\u201cAt the time of the cyberattack, the UAB did not have a CISO as such, but I acted as CIO and CISO of the institution,\u201d Badenes said.<\/p>\n<p>This changed after the incident, and UAB now has a CISO.<\/p>\n<p><em>This story was translated from Spanish. The quotes from Gon\u00e7al Badenes are from <a href=\"https:\/\/www.cio.com\/article\/2510086\/anatomia-de-un-ciberataque-un-relato-en-primera-persona.html\">his talk<\/a> at Dell Technologies World in the US in July 2024 and from an <a href=\"https:\/\/www.computerworld.es\/article\/3593313\/goncal-badenes-uab-uno-de-los-grandes-retos-de-un-ciberataque-es-como-comunicarlo.html\">event organized by CSO and IDC in Spain<\/a> in October 2024.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>\u201cAlthough it happened two and a half years ago, it still generates anxiety and restlessness to remember 
it,\u201d is how Gon\u00e7al Badenes, CIO of the Universitat Aut\u00f2noma de Barcelona (UAB), feels about the ransomware\u00a0attack carried out by the PYSA cybercriminal group in 2021 against the university. As it often happens on these occasions, the cyber [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":812,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-811","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/811"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=811"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/811\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/812"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=811"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=811"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=811"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}