Government of Nunavut slowly rebuilds computer network following ransomware attack

“Lots of people ask me when we will be back online and that’s a real difficult question to answer”

Here’s a look into the storage area in Iqaluit where the Government of Nunavut IT teams are reformatting computers affected by the Nov. 2 ransomware attack. (Photo courtesy of the GN)

By Jane George

Now into the second week since the Nov. 2 ransomware attack that kicked the Government of Nunavut offline, employees in Iqaluit have started to see working computers reappear on their desks.

That’s a sign of progress in what is likely to be a lengthy process.

“Lots of people ask me when we will be back online and that’s a real difficult question to answer,” Dean Wells, the territory’s corporate chief information officer, told Nunatsiaq News.

The information technology team plans to continue getting things back online first in Iqaluit, department by department, “piece by piece,” and then “community by community,” he said.

Last weekend, the territory-wide reformatting of computers affected by the cyberattack got underway after about 2,700 computers in Iqaluit were picked up and taken to a warehouse in the city.

There, the computers were cleaned and reformatted.

“And we took this opportunity to do some extra work and do some inventory,” Wells said.

IT teams have now started to reinstall some of the machines back in the departments of Finance, Family Services, Justice and at the Qikiqtani General Hospital, he said.

That’s just the start.

It will be a different process for the communities, Wells said, due to the lack of facilities—and “there aren’t as many machines.”

So it’s one process for Iqaluit and another for communities, he said.

Future plans involve IT staff travelling to communities outside Iqaluit where they will visit every work station and do the reformatting work onsite with local IT technicians.

This means that, for now, about 1,500 GN employees outside Iqaluit still can’t turn on their computers.

“We can’t do the communities until we get Iqaluit back online. We have to get here running first, and we’re not finished yet,” Wells said. “We’ll be a few days yet for sure.”

As for the ransom that the ransomware attackers hoped to walk away with, it wasn’t just about money, usually paid in the form of bitcoin, an online, unregulated currency.

Wells said “the way that they asked us to respond to them was innovative because they wanted us to provide information to them that would have revealed more to them” and perhaps opened the way for more future attacks on other systems.

Ransomware is a type of malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a ransom to the attacker.

In many cases, the ransom demand comes with a deadline and warns that if it’s not paid in time, the data will be destroyed.

So the decision was made “we’re not going to do this,” Wells said.

The backed-up GN data is good back to Nov. 1, Wells said, so there shouldn’t be any loss of information in the long run.

For now, until the system is fully restored, the GN can be reached by phone, fax and voicemail.


(7) Comments:

  1. Posted by Pants down on

    If you calculated lost productivity into the expense of IT services and repair, I wonder what the total costs for this debacle might look like?

  2. Posted by Prevention on

    @pants down it says in the article that the attackers requested payment which would have further compromised the network and allowed for future attacks. Better to not buy into terror and secure up their network, which is what most experts (not fellow terrorists) suggest.

    • Posted by Pants down on

      I didn’t make any reference to paying the attackers. I was only wondering what the total cost for all this might be in the end.

  3. Posted by Jim bob on

    How has the director not stepped down and the Network team let go? There is zero reason that this should have spread as badly as it did. They must have zero network security controls between departments and networks. I bet they run an entirely flat network all on a /21 private segment… I would be embarrassed.

    • Posted by James Rober on

      How much you want to bet? I’ll bet you my career’s earnings you wouldn’t last 10 minutes in a network team. I also like how you say the network team. You do realize the network team doesn’t do end device security, right? But that’s ok, at least you tried sounding cool about a /21 segment… keep trying though.

      • Posted by Jim bob on

        Want to bet? You already lost that bet, it’s clear there were no ACLs between their segments… most likely SMB was wide open. It’s painfully obvious you have no idea how ransomware works and how to contain it. I truly hope you haven’t worked in any type of Enterprise environment. I’m surprised they had offsite backups. Ransomware is simply not just an endpoint security issue, anyone with any merit knows security is a layered approach, the endpoint is just the entry point, the network spreads it.

    • Posted by Andrew S on

      They did the right thing by not giving in to the ransom, and had basic measures in place such as nightly snapshots to minimize data loss.

      The best steps they can take now are to investigate how the ransomware got in and remediate the security issues so that this doesn’t happen again, as well as work on their recovery plan for speeding up the time to get back up and running.

      Having a revolving door of all staff in charge of security operations isn’t anywhere near as helpful as building up experience around how their systems work and can be improved.
