Society 10/11/2021

Authors of cyber attack on UAB threaten to publish information

The cybercriminals have set a deadline for Wednesday, and the university is not aware of any massive leaks, but does not rule them out either.

A corridor of the UAB

Barcelona. The perpetrators of the cyberattack that disabled the computer services of the Universitat Autònoma de Barcelona (UAB) 30 days ago have once again shown signs of life. A few hours ago, the dark web page of PYSA, the group responsible for the ransomware (digital kidnapping software) used to carry out the cyber attack, published a list of companies and organisations whose information, obtained in the group's latest cyber attacks, it threatens to make public. The UAB is on the list, and the group warns that it will publish the information it has "coming soon". The list also includes a date: Wednesday 10 November, which could indicate when the publication will take place, if the threat is real.

The malware encrypted more than 650,000 UAB folders and files, according to the list of affected documentation to which the ARA had access, and the criminals are demanding 60 bitcoins to decrypt them (at the current price, almost 3.5 million euros). These are files such as minutes of meetings of university bodies, student evaluations, teachers' curricula, academic programmes and certificates, invoices, payroll of university staff, lists of email addresses, building plans, payment orders, reports and studies, agreements with companies and institutions, contracts and even a list of security incidents on campus for eight years.

Moreover, cybercriminals from the ransomware family PYSA practice double extortion: not only do they encrypt the victim's files so that the victim cannot access them without paying, but they also usually copy the files before encrypting them and threaten to distribute them if the ransom is not paid. The rector's commissioner for information and communication technologies, Jordi Hernández, insists to the ARA that there is "no technological evidence" that there has been "a massive extraction of data" from the servers, although the files have been encrypted. The UAB is also waiting to see what might happen on Wednesday. Hernández does not rule out that the attackers, whose level of "experience" stands out, have been able to circumvent the usual detection systems, have obtained more files than expected and will publish a small sample to continue demanding the ransom, following the "usual pattern" of this type of crime.

A screenshot of the website threatening to leak UAB files.

The commissioner guarantees that the institution's corporate databases "have not been breached". Depending on whether a leak finally occurs and its scope, the university will contact the Data Protection Agency, with which it has worked closely this month. "It makes no sense to make a warning about possibilities", says Hernández. UAB sources insist that they will not give in to economic blackmail and explain that they are not aware that any specific amount has been requested, because they do not plan to contact the attackers, following what the Catalan Cybersecurity Agency has recommended.

A contingency virtual campus

The attack took the university back three decades, as it left it without access to the network and to documents, spaces and online programmes. Now it has been possible to re-establish the network connection, most e-mail accounts have been recovered (with a double authentication system), virtual classes and file sharing can take place and the Microsoft platform can be accessed. The university's virtual campus is still not working, but, according to Hernández, the technicians have an "alternative contingency" ready: through Teams, the application they used for virtual classes during the pandemic, they have been able to reproduce the virtual campus environment, "enriching" the product with new "group work functions".

For the moment, neither the database nor most of the university's financial management applications are operational. Hernández admits that this is one of the "priorities" at this point, for the "financial survival" of the institution: research funds and some registration fees could not be incorporated in the last month.

As for the documentation and information, the university technicians are recovering the archives with their own means, a job that has been going on for a month now and is still far from finished. Hernández explains that it will be possible to recover the backup copy from the day before the attack, but it is not ruled out that some documents or research files, for example, may have been lost. At the moment they are also looking for an alternative so that researchers will once again have a solution that will allow them to continue working.