Cyberattack on RIT Continues

The cyberattack on RIT and our users (you) by cybercriminals continues. The attack vectors and file names and types are changing rapidly. We’ll provide more information below on what we know so far, but we need you to do the following:

  • If you receive an email with an unexpected attachment or link, verify with the sender BEFORE opening the attachment or clicking on the link. Your colleague’s account may be compromised. The malicious email may come from them.
  • If you notice that you're receiving many undeliverable messages/bouncebacks in your email, change your password and contact your service desk.
  • Please submit suspected phishing/spam by creating a new mail note to spam@rit.edu and attaching the suspicious email. Then delete the suspicious email and/or attachment.
  • If you administer your computer or others, ensure that anti-virus/anti-malware is up to date and functioning.
  • If you have clicked on a suspicious link or opened a suspicious attachment, change your password and contact your service desk immediately.

 

Background

Over the last 2-3 weeks, we’ve seen more than 60 email accounts that are known to be compromised and that have been used for spamming internally to RIT and externally. (This is more compromised accounts than we typically see in a year.) There are probably additional accounts compromised that have not yet started spamming. At this point, we’re seeing compromised accounts among faculty, staff, and students. There is a higher percentage of student accounts compromised now, but that's not unexpected with the return to classes. 

We've received questions about ransomware. Ransomware is malicious software that encrypts the files on a targeted computer and attached drives (including network or cloud drives). The attacker demands a ransom in exchange for providing the key to decrypt the files. As you might expect, victims that pay a ransom are often targeted repeatedly. At this point, we're not seeing a lot of ransomware, but ransomware attacks are trending upwards. The best way to be prepared for ransomware is to ensure that your data is backed up on a device or drive not continuously connected to your computer.

 

There are several known attack vectors:

  • Spear phishing sent from internal and external accounts and targeted at specific individuals. The spear phishes contain malicious links or malicious attachments. The subject lines are varied. You may receive mail from a colleague whose account is compromised.
  • Malicious attachments NOT detected by antivirus. The attachment names have varied, but we’ve seen invoice.doc, resume.rtf, sixt_receipt, Capital One 360, etc. The attachment names may not match the actual file type. (In other words, a .ppt attachment may actually be a .pdf or something else.)
  • Ransomware attacks using malicious attachments. (Ransomware encrypts your files.)
  • Attempts to use all of the RIT mailing lists to garner additional compromised accounts and send out spam/phishing/malware. (You may have received a list-related non-delivery message last week.)
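
For those who administer mail gateways or triage submitted samples, the extension/content mismatch noted in the second item above can be checked mechanically. The Python below is an added example, not RIT's tooling; the signature table, the function names, the file name slides.ppt and all sample contents are constructed for illustration.

```python
import os

# Leading "magic" bytes of container formats common in mail attachments.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy Office: .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                          # OOXML (.docx/.pptx/.xlsx), .zip
    (b"{\\rtf", "rtf"),
    (b"%PDF-", "pdf"),
    (b"MZ", "pe"),                                   # Windows executable
]

# Container format each extension is expected to use (illustrative, not exhaustive).
EXPECTED = {
    ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".zip": "zip",
    ".rtf": "rtf", ".pdf": "pdf", ".exe": "pe",
}

def sniff(data: bytes) -> str:
    """Return the container format indicated by the leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def check_attachment(filename: str, data: bytes) -> tuple:
    """Compare the extension's expected format with the sniffed one.

    Returns (verdict, actual_format). A 'mismatch' or 'no-extension' verdict
    is a reason to quarantine for review, not proof of malice.
    """
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff(data)
    if not ext:
        return ("no-extension", actual)
    expected = EXPECTED.get(ext)
    if expected is None:
        return ("unlisted-extension", actual)
    return ("match" if actual == expected else "mismatch", actual)

# Constructed samples: contents invented here, slides.ppt is a hypothetical name.
SAMPLES = [
    ("invoice.doc", b"{\\rtf1\\ansi constructed"),   # RTF body under a .doc name
    ("resume.rtf", b"{\\rtf1\\ansi constructed"),
    ("slides.ppt", b"%PDF-1.4 constructed"),         # the .ppt-is-really-.pdf case
    ("sixt_receipt", b"MZ\x90\x00 constructed"),     # no extension at all
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(name, check_attachment(name, body))
```

A matching extension says nothing about whether the content is safe; this check only surfaces attachments whose name misrepresents their format.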

 

What RIT is doing:

  • Analyzing the attacks and determining and implementing the best technical defenses. However, the attacks are directed at you and you must be vigilant.
  • Sharing and receiving information securely with other affected universities. These attacks are being seen across higher education.
  • Informing the RIT community of best practices and actions we’re taking.

We are in our third week of attacks. This level of threat may be with us for a while. 

If you have questions, please contact us or your service desk. Visit www.rit.edu/security for best practices. Sign up for our Digital Self Defense 101 class, offered Monday April 4th through CPD.

Contact the RIT Information Security Office at infosec@rit.edu

Ben Woelk '07 CISSP
ISO Program Manager
Information Security Office
Rochester Institute of Technology
ROS 10-A204
151 Lomb Memorial Drive
Rochester, New York 14623 
585.475.4122
585.475.7920 fax
ben.woelk@rit.edu
http://www.rit.edu/security/

Become a fan of RIT Information Security at http://rit.facebook.com/RITInfosec

Follow us on Twitter: http://twitter.com/RIT_InfoSec