Sul Ross State University is recovering from a ransomware attack that has affected the campus’ computer systems since June 21. The university said in a statement that many of its services and desktop computers have been scanned and approved to be on the network.
The office of information technology said the list of machines approved to be back in service is overseen by members of the executive cabinet “in order to concentrate on computers that have the greatest impact for the institution.”
Sul Ross faculty and staff have been urged not to turn on or use any office computer for any purpose until approved by tech support.
“While certain aspects of the recovery are slow, measures are being taken to avoid further disruption of services,” the statement reads.
The university’s tech support department, with the help of other state agencies and a consulting firm, is facing the challenge of unpacking the elements of the cyberattack.
“The reality of these kinds of attacks is they are multi-faceted,” said Chief Information Officer David Gibson. “They occur over a long period of time and can go largely undetected.”
According to the university, initial findings of the investigation estimate that a Trojan virus, Trickbot, was introduced into the network in March.
“Trickbot acts like a spy in that it watches and learns about our environment and evaluates what takes place in the system and how those systems are most easily compromised,” Gibson said.
“Once Trickbot settles on a computer system, it receives instructions from its ‘command-and-control’ server somewhere else in the world.”
On June 21, at 11:50 p.m., Trickbot received instructions from the command-and-control server to encrypt the Windows servers on all campuses.
“Remember, these kinds of injections usually begin as phishing attempts when an unsuspecting user clicks onto an email link,” said Gibson. “That is all that is needed to inject the Trojan into the network.”
Gibson said the goal of ransomware hackers is not to harvest or steal information but to commit a “cyber” kidnapping and demand payment for the return of what was encrypted.
“What they do is encrypt or corrupt information then demand money to release that information back to the system.”
The attack on the university is far from the first of its kind, even in South Texas.
The city of Del Rio suffered a similar attack that hit computer systems and disrupted services such as billing starting on Jan. 10. The services were back up until March 25.
Gibson said the particular ransomware that struck Sul Ross is not unique to the university.
“I hate to use the word ‘normal’ but this is how the world is today,” he said. “The real change from today to maybe what we had a year or two ago is how these things are becoming very intelligent.”
In its infancy, ransomware typically attacked just one computer but, according to Gibson, malware has evolved with the ability to corrupt entire state agencies and large businesses.
“Every computing platform is capable of suffering this kind of attack including Macs,” said Gibson. “There are different variants and each variant attacks because they have different operating systems.”
“It’s important to understand that this attack was directed at Windows servers specifically,” he said.
“Other operating systems such as Linux and MacOS were not affected by this variant of malware because that was not the attack vector for this version of Trickbot.”
“This Trojan will also not infect your smart phone or your tablet,” he said.
While continuing efforts to set the system back on its feet are time-consuming, Gibson said server backups play a critical part in ensuring that permanent damage from the attack is not inflicted.
Sul Ross State University President Bill Kibler said several other corrective measures are taking place simultaneously, including accounting adjustments to pay bills and making sure the university works as normally as possible.
“Email access will take priority next but until that time, our faculty and staff were encouraged to create temporary accounts to continue doing business.”