After ransomware attack, Nunavut will reformat all GN computers

“We’re not even looking at what it’s going to cost us,” premier says

Nunavut Premier Joe Savikataaq says there’s no cost estimate or timeline for when the Government of Nunavut’s computer systems will return to normal, following a Nov. 2 ransomware attack. (Photo by Dustin Patar)

By Jane George

The Government of Nunavut is collecting the work computers of its employees following the ransomware attack that took down the government’s computer systems.

Since the attack on Saturday, Nov. 2, GN employees have used paper, telephones and faxes for communications.

The GN said in a release the computers will be “collected and reformatted by GN IT,” which “aims to return computers within 24 hours, and thanks GN employees for their patience.”

Judging by the number of employees in the public service, more than 5,000 GN computers are likely to be in use across the territory in various offices, schools and health centres.

Dean Wells, the territory’s corporate chief information officer, told Nunatsiaq News on Wednesday that “we’re looking to servers and work stations and trying to find out as much as we can about this ransomware.”

Ransomware is a type of malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a ransom to the attacker.

In many cases, the ransom demand comes with a deadline and if it’s not paid in time, the data is destroyed forever.

In the GN case, ransomware encrypted individual files on all servers and workstations.

Wells said he still has many questions about the ransomware, which has kept him working from early in the morning to past midnight since last weekend: “How did this get in? How is this even possible?”

“This really caught us off guard because we had all our firewalls patched,” he said, adding that the security measures were “up to date.”

“When we got the call on Saturday, it really caught us off guard.”

The backups of GN data appear to be OK, Wells said, so “we are not anticipating any loss of data at this time.”

“We will know more tomorrow, but right now this is our belief,” he said.

IT workers have already started rebuilding the GN network, but they want to be “careful and cautious” and don’t want to reintroduce any ransomware, Wells said.

At least 16 IT specialists are working at the task, with four different teams, in four different places, he said.

More answers about the state of the GN network could come on Friday, he said.

One thing is certain: “We would not pay any ransom.”

“We would not be interested in going down that road at all,” Wells said. “We’re pretty confident that we’re going down the right path.”

“The advice we’re getting is that if you pay this you might not get the information you need,” he said, and others might attempt to strike elsewhere.

The RCMP’s cyber crime experts are “working shoulder to shoulder” with the GN team, which includes IT help from a big, Ottawa-based consulting firm, Donna Cona Inc.

Speaking in the Nunavut legislature on Wednesday, Premier Joe Savikataaq said that “we’re not even looking at what it’s going to cost us.”

“We just want to make sure that we can get the system up,” he said.

As for how long that will take, Savikataaq said “within a week or two, we should be operational … but I don’t have a timeline when things will be normal or at the same state as before the virus struck our network.”


(7) Comments:

  1. Posted by Steve L on

    Word of warning. Simple reformatting is not 100%; it should include a DOD-level over-write of all storage. I have had apparently defective drives which, after a reformat, allowed me to use a readily available data recovery program to get lost files. Reformatting, like deleting, only tells the computer that file locations are no longer there, when in fact they are. A high-level wipe ensures everything is gone. And afterwards, scan the empty drive with a quality security program. And do all this while disconnected from the internet.

    • Posted by Typist on

      Presumably they will be over-writing not just the data but also the Master Boot Record on each disc.

      All too often, you have back-ups, but don’t have a reliable Restore environment, including the right, guaranteed clean, restore software.

      If the GN has the right people working on this, they know what to do. If the GN does not have the right people on this, Purchasing will have to buy lots of typewriters.

      • Posted by Steve L on

        IF! The operative IF.
        There is always the Emergency Backup Transcription System: pencil and the back of old envelopes.
        Anything with an IP address is vulnerable.
        This was probably someone, somewhere with internet access. One system I had an Oracle network requiring each workstation to have a coded client to deal with the server. But no internet access. Google is not your friend and having the ability to access the internet from your station is not always an asset.

  2. Posted by a on

    Is this a valid comment by the author?

    “In the GN case, ransomware encrypted individual files on all servers and workstations.”

    Would GN allow files on individual workstations?

  3. Posted by Garnet on

    It may be possible that those backups are still infected, but the payload hasn’t been triggered yet, thus appearing to be ‘good’.

    If people are unsure as to when the infection began, how can they be sure they are not restoring infected backups?

    It would not be good to restore the backups only to have the payload (ransomware) triggered again soon after.

    • Posted by Jaban on

      That’s what’s taking so long. They can’t simply restore everything as it was or the vulnerabilities, if not the malware itself, still exist and can be exploited again.

  4. Posted by Northern Guy on

    Not an IT person but I think that the first order of business is to reformat and wipe the servers then reformat and wipe individual computers. Say goodbye to your files folks!
