The criminals who took out Scotland's Dundee and Angus College made a ransom demand that precisely added up to the contents of its bank account – and that was no accident, its principal has said.
In a postmortem interview with academic IT nonprofit Jisc, Simon Hewitt lifted the lid on the 31 January ransomware attack, which went on for days and saw the college's entire IT estate almost completely wiped.
"The cyber attackers had managed to get access to our bank account and knew how much money we had in it, which was the budget for the whole year. They demanded a ransom of exactly that amount, which we were never going to be able to pay," Hewitt told Jisc.
The college, which has around 5,000 students and is based on Scotland's east coast, had to tell all students and staff to reset their passwords after rebuilding the IT estate. At the time a student told us: "I got in on Friday but couldn't get any material out [from college servers]. Loads of my class are worried in case the Graded Unit has been lost, with no way to directly contact college or IT bods... loads of classmates are in panic mode in case work has been compromised or vanished."
Hewitt, who at the time of the attack was vice-principal in charge of IT, explained how the college had obtained the NCSC's Cyber Essentials certification, which provides a measure of cybersecurity assurance, barely months before the ransomware criminals got in. Even a fake phishing exercise designed to raise staff awareness didn't help.
"At the end of 2019 we were proud of the fact we had got Cyber Essentials in place, but it didn't 'save' us," he said. "We've got Cyber Essentials Plus now, but I think it's easy to get caught up in certifications and to become complacent… no amount of training or documentation prepared us for how people reacted."
Recovering from the attack consisted of fast-forwarding the college's existing digital strategy, rolling out Microsoft Teams and OneDrive across the entire organisation and shifting as much as possible into the cloud – moves that "had a financial impact", in Hewitt's words, but gave the IT bods hope that recovery from any future attack would be easier than rebuilding the whole network from scratch over five days, as happened to the college.
Although Hewitt did not say whether or not the ransom was paid – it appears not, judging by the amount of effort needed to rebuild the college's IT systems – the damage caused came close to wiping out the entire institution. As he told Jisc: "I remember that at 02:20 on Saturday morning [the day after the attack] it dawned on me that, in a digital sense, there was no college; everything had been wiped. That was a pretty low moment."
Public-sector institutions are an increasingly popular target for ransomware criminals. A Brazilian court was laid low by a ransomware attack only this morning, while hospitals have, sadly, become ever more popular among the kind of scum who think nothing of the misery they cause in pursuit of money. ®