How DMACC fought back: The ransomware attack explained

The DMACC cybersecurity response team prepares for a call with the FBI around 9:30 a.m., June 5, to discuss the ransomware attack.

Note: Names have been changed to protect the identity of the cyberattack response team.

Summer classes were only one week underway when Robert Schmidt, a senior member of the DMACC technology team, received a notification on his phone indicating suspicious activity within DMACC’s database. 

Several accounts were found to be compromised. Multiple servers, some more important than others, were quickly encrypted by an outside user. 

This was the beginning of a cyberattack launched against DMACC on June 1 that took the college offline for nearly two weeks, causing major disruption to summer classes and ripple effects throughout the school.

“We realized that our only option was to disconnect the internet because that broke the attacker’s ability to run commands inside our environment,” Schmidt said.

The disconnection affected all DMACC campuses since the Ankeny building feeds all locations across the district. 

“The decision was made because we were going to lose everything, so it was either we cut it or, you know, we’re gonna fail. So, it had to be cut,” said Peter McCoy, a DMACC technology team member.

A firewall was partially opened during the internet downtime, allowing limited outgoing traffic where it was needed.

“We had to do [financial aid] for the students. We had to get registration going. [And] payroll,” stated McCoy.

Instructors teaching summer classes found workarounds by using alternative virtual classroom sites, according to Jeremy Hoffmann, program chair of cyber security.

WHAT IS RANSOMWARE?

Attackers, or “threat actors,” as they are called, used a “ransomware” attack, a strategy that has become increasingly common in recent years.

Ransomware lets attackers encrypt data and hold it hostage, demanding payment in return for the encrypted or stolen information. Threat actors may ask for payment in cryptocurrency or by wire transfer.

The attack came less than a month after the Colonial Pipeline ransomware attack, which shut down a major pipeline carrying fuel to various states across the U.S. The pipeline remained down for nearly a week, partially reopening its lines on May 12. 

“When this occurred it was right around when Biden was going to have meetings with Putin about ransomware and ransomware emanating from Russian territory,” stated Schmidt.

Both the Colonial Pipeline and DMACC attackers have been traced back to Eastern Europe, though it is unclear if the incidents were related. 

FIGHTING BACK

“You’re on hallowed ground,” said Schmidt as he and a PowerPoint appeared virtually on a television screen mounted on the wall of a conference room in Building 6.

The conference room housed the team fighting back against the ransomware attack in June.

“We had departments bringing in baskets full of food because we basically didn’t leave for almost two weeks,” McCoy said.

Schmidt, McCoy, and technology team member George Andrews explained DMACC’s response to the attack for The Campus Chronicle. According to Schmidt, the FBI described the response as “the first time [the FBI] had ever heard of anyone going toe-to-toe with this particular attacker.”

“Some [accounts] were a little more important that got encrypted,” Schmidt said. He noted that some were merely management accounts that held no student data.

Kroll, a business specializing in cyber forensics, was called in to give further analysis and help combat the attack.

“[Kroll is a team of] outside computer experts that help try to mitigate what’s going on and also do the forensics research required to see how they got in,” Schmidt said.

Photo illustration by Alyssa Monroe

ATTACK TIMELINE

The breach began with an unauthorized user finding their way into a student account. After some “account enumeration” was performed, the user was then able to “query the active directory,” which holds all of the login accounts within the college’s database.

The attackers were able to access the student account through MyLab, a virtual desktop that gives students access to DMACC’s network. The account was quickly deactivated. However, there were more accounts being used to compromise the database, Schmidt continued.

“There were two faculty accounts. There was what we call a generic account, which users can just use to log in but it’s not really assigned to anyone. There was a shared mailbox. Then there was a vendor that we use. One of their accounts got compromised,” stated Schmidt.

Through the vendor account, a service account was used to break into an administration account. Access to an administrative account enabled the attackers to retrieve user information and user credentials, according to Schmidt.

Communication with the threat actor led to the discovery that 21 documents contained Personally Identifiable Information (PII), including names and Social Security numbers.

The remainder of the stolen files did not contain any personal student information and mostly consisted of classroom agendas and other innocuous material, according to Peter McCoy.

Those whose identity information was compromised by the breach were alerted by DMACC’s insurance company. 

“[The attackers] could steal their identity. So, we’ve offered up through our insurance company how you lock your identity or lock your account,” Andrews said.

Once a deadline of June 30 was given to DMACC by the threat actor, Booz Allen Hamilton, an information technology consulting firm, was brought on to analyze the note sent to DMACC, observe the dark web, and ensure none of the stolen files were leaked online.

“Based on that ransomware note … they know what kind of attack and what kind of group it is. They know where they go,” Andrews said.

After a month-long search, the trained experts concluded that none of the information had been posted on the dark web.

Upon questioning, the attacker revealed several documents that would prove “worthless,” according to McCoy and Schmidt.

“Faux negotiations” were employed as a stall tactic, allowing the recovery team to learn what information had been stolen without paying the ransom.

This stalling kept DMACC’s backup systems from being encrypted, which limited the loss of the school’s data and allowed many systems to be restored, according to McCoy.

WHAT’S CHANGED SINCE THE ATTACK?

In-person classes resumed June 9. Online classes began coming back online June 16, with all users resetting their passwords. The summer semester was not extended, so faculty had to brainstorm innovative ideas to fit class material into an already short summer semester.

In the end, DMACC did not pay the ransom and the amount attackers were asking for remains undisclosed. Since then, the school has implemented college-wide preventative measures to mitigate a future breach.

Students and faculty might have noticed a new automatic multi-factor authentication (MFA) requirement. After a user logs in through MyDMACC, it verifies their identity by sending an additional text or email containing a numerical passcode, which the user enters along with their credentials.

The most notable change implemented to prevent future attacks has been the removal of local administrator rights, according to Schmidt.

“It’s not just installing software. Those administrator accounts can do anything on the computer itself, including harvest credentials of accounts that have been logged into,” Schmidt said.

With local administrator rights, a single compromised account could set off a domino effect: credentials harvested from one computer are used to take over the next, until the attacker can do whatever they wish on any computer.

“It’s kind of like a tree where you would go into one [computer], and then it could just blossom into all the other ones and you can take over everything,” McCoy said.

WHAT CAN YOU DO?

For individuals protecting themselves, the team suggested using a password manager as a way to keep accounts secure.

“If you’re using an Apple device, their password manager is great. If you’re using an Android device, their Google password manager is great. You can access it from your phone, you can access it from your account on a system,” explained Hoffmann.

Password managers are reliable and convenient since they automatically generate strong passwords and save them on your device, so you do not have to remember them. It is recommended that individuals change their passwords frequently to avoid their accounts becoming compromised. Additionally, refrain from using the same password on multiple sites.

These services will also notify users if their account was part of a data breach and suggest changing the password.

Though avoiding weak passwords, changing them frequently, and using a strong mix of characters all help to protect online users, these recommendations are never foolproof.

Schmidt concluded with one last surefire tip: “The only perfectly secure computer is one that is turned off.” 
