College information security officers returned to work on Monday with their fingers crossed.
Universities in the U.S. dodged the initial wave of a massive cyberattack that, among other disruptions, paralyzed hospitals in Britain, shut down telecommunications services in Spain and brought a temporary halt to Renault’s production line in France. But as Monday dawned across Asia, new incidents sprang up across the continent -- including at prestigious universities in China -- leading some in the U.S. to fear what awaited them in the coming workweek.
However, by the close of business Monday, some cybersecurity experts breathed at least a temporary sigh of relief.
“It does seem as if U.S. higher ed was not badly hit by this attack, and reports from other information-sharing organizations indicate that U.S. sectors [and] regions may have been able to mitigate the threats and contain damage,” Kim Milford, executive director of REN-ISAC (short for the Research and Education Networking Information Sharing and Analysis Center), said in an email.
The attack, known as Wanna Decryptor, WannaCry or WCry, is a type of “ransomware,” malicious software that encrypts the files on a computer until users pay to unlock them. It is not a new type of attack, but one that is growing in favor with hackers because many victims will pay up rather than go through the hassle of restoring the encrypted data from a backup.
Ransomware comes in many forms. This particular attack spreads by exploiting a vulnerability in older and unpatched versions of Microsoft Windows. Microsoft fixed the vulnerability in its newer operating systems in March and on Friday patched older versions of Windows as well.
Rapidly climbing estimates suggest the attack has affected more than 200,000 computers in at least 150 countries.
“A ransomware spreading in the lab at the university” pic.twitter.com/8dROVXXkQv -- １２Ｂ (@dodicin), May 12, 2017
Brazosport College in Lake Jackson, Tex., was one of the few institutions in the U.S. that reported cases of the WannaCry attack Friday. The public college, which has about 4,300 students, discovered a total of two computers infected with the malware, said Ron Parker, director of information technology. Both computers were wiped clean, he said.
“We are fortunate to have the resources to be able to properly maintain our systems and to protect them with enterprise-class commercial firewalls and other cybersecurity technologies,” Parker said. “Some organizations, particularly nonprofits like us, really struggle with that. Unfortunately, it is very expensive to connect an organization to the wild west of the internet and protect it properly. And, having those systems is no guarantee that something didn’t work right, and so something was left vulnerable.”
On a normal day, Brazosport’s network consists of about 1,500 college-owned computers and anywhere from several hundred to a few thousand devices owned by faculty members, staffers and students, Parker said. Since containing the outbreak, the IT department discovered that the two infected computers had not received the update that fixed the vulnerability. The college is now searching the rest of its network in case other computers were affected, he said.
“Probably like many organizations this morning, we’re cautiously optimistic that things will be OK,” Parker said.
Milford suggested the timing of the attack -- a Friday in the middle of graduation season -- may be one of the reasons why colleges in the U.S. have seen fewer incidents of WannaCry than other sectors and parts of the world. She also credited the work of the cybersecurity researcher who goes by MalwareTech, who was able to put a temporary stop to the attack Friday.
But Milford, like MalwareTech, warned that the attack could resurface, like a virus that mutates to resist a treatment. (And sure enough, by Monday afternoon, the cybersecurity company Check Point Software said it had stopped a new variant of the malware, Reuters reported.)
“We know the attackers will update their code with a workaround, so we can anticipate more,” Milford said. “There will also be copycat attacks. I’m reading reports of income earned from the ransoms thus far around just $20,000. Even if there isn’t big money in it, there’s big notoriety.”