UAB CIO Gonçal Badenes on ransomware lessons learned
“Although it happened two and a half years ago, it still generates anxiety and restlessness to remember it,” is how Gonçal Badenes, CIO of the Universitat Autònoma de Barcelona (UAB), feels about the ransomware attack carried out by the PYSA cybercriminal group in 2021 against the university.
As it often happens on these occasions, the cyber incident took place over the long weekend for Spain’s National Day on 12 October. “They always act when they think you are weaker,” Badenes said during a presentation earlier this year at Dell Technologies World in Las Vegas.
On the day it got hit with ransomware, UAB’s detection and continuity system sounded the alarms after finding that, one by one, the University’s systems were beginning crash. The personnel in charge called Badenes and UAB’s internal security committee to alert them of the situation. From that first minute, all efforts were aimed at understanding what happened, how it happened, and what must be done to recover.
Here is how, despite the initial uncertainty, mammoth work, and feeling of permanent vulnerability, Badenes and his team managed not only to survive the cyberattack but build back stronger and more secure.
The importance of preparation
Prior to getting hit with ransomware, the university had established a response plan that aligned with the Spanish National Security Scheme. As a result, the UAB’s team of security specialists were prepared and had developed its own methodology to address a situation of this nature before it occurred.
“We knew it could happen, we had taken action on the matter; just as you do a fire drill once a year, we did the same with cybersecurity, it was a subject that we took seriously,” Badenes said.
The attackers managed to encrypt the data repository of the university’s VMware virtualization platform and its backup, but the university had a second copy of the backup and another on tape. The main attack, the CIO recalled, was on the Data Processing Center, but there was a side attack on the virtual campus, where attackers deployed a PowerShell script that started encrypting user computers that were active on campus and connected to the university system.
“This, I think, they did simply to increase the visibility,” he said. “The damage they did was very limited and thus ensured that both ICT staff and the student community knew what was happening.”
Badenes said that at first the plan was to disconnect from the network and shut everything down to minimize the damage. However, “the magnitude of the effect that stopping everything has is difficult to imagine until you are faced with the situation.”
Having gone from a mostly in-person university experience to a digital one during the pandemic, things had to be reversed to deal with the ransomware incident, which is challenging — especially when you have to inform staff and students and all systems are down. To solve this, Badenes contracted with a hosting service that created a temporary WordPress page for updates on the state of the attack, while also opening a public channel on Telegram.
At this point, Badenes and his team noticed that “the internal protocols you have, however fast and structured, are too slow when the action must be immediate.”
A key part of UAB’s response plan that helped tremendously was having identified, in advance, a company that could help the university in the event of an incident, Badenes said. “This meant that we did not waste hours or days that in such a circumstance are extremely valuable.”
At the time, UAB worked with the Catalan Cybersecurity Agency, which joined the efforts on its own initiative, as well as the Data Protection Agency, the police, technology services provider S2Grupo, and Dell Technologies.
The university believes the attack vector was made possible by phishing a student’s credential. The result of the attack was 1,200 servers and 10,000 computers were out of service and more than 50,000 users were affected.
Ignoring the ransom
Forensics by the Catalan Cybersecurity Agency found that corporate databases remained immune; therefore, academic records, financial information, all the personal information of the corporate staff remained safe. “The amount of data leaked, in the worst case, would have been minuscule.”
At this point, the question of whether to give in to the attacker’s ransom demands or stand firm was raised — a dilemma all IT leaders face in such situations.
Badenes and team decided to stand firm.
“We neither paid nor contacted them,” he said. “We completely ignored the ransomware notes.”
Badenes said the decision was made for ethical reasons and legal reasons, and “because we had no possible way of doing it as a public entity since any expense of more than €15,000 euros implies us starting a public tender process.”
“I think the attackers never understood the idiosyncrasy of attacking a public entity in [Spain],” he said with some sarcasm.
Having not looked at the note, Badenes wasn’t aware of the ransom the attackers wanted to decrypt the university’s data assets.
“We later learned from the press that investigated it, that they were asking for a ransom of €3 million, which would be 1% of the university’s budget,” he said.
Recovery and moving forward after a ransomware attack
The first backup had been destroyed and so was the second. It took UAB and its response partners 10 days to figure out that the third — tape — was safe. But Dell checked the encrypted backups as well and found out the second one wasn’t lost.
At that point more than one sigh was heard. “The level of stress dropped considerably,” Badenes said.
The next step was to restore everything that had been destroyed, but, as the CIO points out, “You have to be sure that all the systems are clean. When an attack like this occurs, it doesn’t just encrypt systems; they may also have left backdoors.”
Aware of this, Badenes took the reins and strategically decided to redo critical systems from scratch: backup, identity, databases, and virtualization. “We reinstalled them from scratch,” he said. “We applied all the updates and only then did we start to dump in the data to prevent any malicious configuration from sneaking in.”
Systems were down for two weeks. “The first service began to be restored 15 days after the attack; after two more weeks, the critical services for the university were all up and running,” Badenes said. “The total recovery occurred three months later, although they were relatively small things.”
Lessons learned
In October, Badenes joined CSO Spain for its Cybersecurity Forum event to discuss UAB’s security takeaways from the incident.
“Most institutions have a 24/7 service in terms of business continuity, but not in terms of security and this is a mistake,” Badenes told CSO Spain and event attendees. “The ‘business’ area never wants to stop services, but it is necessary to do so in order to apply patches and perform updates.”
Badenes continued: “For example, although we had installed two-factor authentication for students to access the Office 365 platform, this was not the case for the VPN.”
After the attack, UAB IT implemented 2FA in all services and renewed end-user equipment, much of which was obsolete. “In fact, the management of the user equipment, until the cyberattack was decentralized, became centralized,” he said. “Not updating computer equipment is a big risk and a possible gateway.”
Another lesson learned, according to Badenes, was the importance of having different layers of security in different places, and using different technologies. For UAB, he explained, having those layers saved them from data loss.
The CIO also stressed the need for public institutions to allocate more investment and resources to cybersecurity.
“At the time of the cyberattack, the UAB did not have a CISO as such, but I acted as CIO and CISO of the institution,” Badenes said.
This changed after the incident and UAB now has a CISO.
This story was translated from Spanish and the quotes from Gonçal Badenes are from his talk during Dell Technologies World in the US in July 2024 and from an event organized by CSO and IDC in Spain in October 2024.