It was the morning of August 8, 2019, when members of the Stevens community were greeted by a strange message on their screens.
“Hello,” it began. “Check this message in details and contact someone from IT department. All your files are encrypted with the strongest military algorithms. Do not modify or rename encrypted files — this may cause decryption failure.” Files and data, shortly after opening this message, were encrypted and could not be accessed until decrypted.
But the message, unsigned and unauthored, said that restoring the files would require a payment. “Contact us only if you are authorized to make a deal from the whole affected network. Don’t contact us if you are not a such person.” No ransom amount specified, and few additional details limited further insight into what was going on.
Not one but around 75 people saw this message when they logged onto the Stevens network that morning, leading the Division of Information Technology to take “immediate action,” which meant disabling the Stevens Wi-Fi network and shutting down all user accounts and its associated services — myStevens, Workday, Google Mail, Microsoft Outlook — all of it, unavailable.
It also meant warning users to remain cautious. “We are asking any user who has a Windows computer on the campus network,” admins wrote in an alert the next day, “to immediately power off the computer and leave it off until further communication is sent from the Division of Information Technology.” Staff members with computers — almost all with the Windows operating system — shut down their devices and were left to shift work offline. For some, it was easy. For others, whose jobs rely on internet access, it left entire offices without work to do.
One office, however, had more work to do: the Division of Information Technology. Within days of the attack, a poster hung on the fifth floor of Howe, and in large, red letters on top, the poster bled with the title: “Attn: Students.”
The poster stressed that IT was not yet able to assist with student computers and network access. “Please do not visit the IT Office or the TRAC Office (User Support) for assistance at this time,” it added. “Stevens will communicate to students when they can use laptops and the Stevens network.”
Staff from IT stayed overtime, with snacks and drinks carted in regularly, to resolve the attack quickly.
Over the days after the attack, realizing that interim measures would be less temporary than originally expected, the deadline for tuition payments was extended, DuckCards could not be processed, summer courses were postponed, transfer credit evaluations were put on hold, and student schedules could not be published.
A new Wi-Fi network was created as a temporary way for students and faculty to reconnect students with the internet.
A group of administrators, who called themselves the Emergency Management Team, met around once or twice per day, every day, seven days per week, until August 30 to resolve all related issues. The main priorities of these efforts were initially comprised of ensuring that disrupted summer courses could be completed and launching the Stevens fall semester on time.
President Nariman Farvardin wrote an email to the Stevens community that some of the tasks involved in restoration efforts ranged “from restoring user accounts to testing individual computers and hardware, from enhancing network security to restoring the interfaces between more than a hundred systems used by various units within the university, and many, many more.”
Another priority was identifying how Stevens would respond to the ransom demand — as it was explained in the ransom message that paying the demand was the only way to retrieve the data. Farvardin reported that the ransom demand was not met, as their assessment determined that data could be recovered without paying the demand. Available evidence suggests that no data had been viewed by unauthorized people.
“One question I often hear is, ‘Who was responsible for this attack?’” Farvardin added. “At this time, the identity of the attacker is not known, and, unfortunately, in many cyber-attacks of this nature — which have become alarmingly frequent — the perpetrator is not definitively identified.”
The response towards the cyberattack left damage to critical systems minimal and mitigable, and this response did not involve making any ransom payments. As of this writing, most of the systems and services that were previously shut down are now back up and running thanks to efforts by Stevens’ staff: a new Wi-Fi network has been made available for the Stevens community to use, most features on myStevens have been restored, DuckCards have been distributed to most students, and student schedules have been published. No information has been released to the public regarding the cyberattacker’s identity, but the disruption caused by the cyberattack has been greatly reduced by Stevens’ response.
Be First to Comment