Cyber Incident Victim: University of Montreal
Date:
May 2017
Location:
Canada
Summary
The University of Montreal experienced a WannaCry ransomware infection affecting approximately 120 of its 8,300 managed computers during the global cyberattack exploiting the EternalBlue vulnerability. The institution's IT department responded by reinitializing compromised systems over the weekend, containing the incident without operational disruption to academic activities. This outbreak, which encrypted data and demanded Bitcoin payments, impacted numerous organizations worldwide including healthcare systems and automotive manufacturers, though the university maintained normal operations throughout the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The WannaCry ransomware attack, which began globally on May 12, 2017, impacted the University of Montreal's computer systems between the evening of May 12 and May 14. The virus exploited vulnerabilities in unpatched Microsoft Windows operating systems using the EternalBlue exploit, which had been developed by the U.S. National Security Agency and leaked by the Shadow Brokers hacking group. At the University of Montreal, approximately 120 computers out of 8,300 managed by the institution's IT department were infected. These systems experienced data encryption and ransom demands characteristic of WannaCry, which typically demanded payments in Bitcoin ranging from $300 to $600 for decryption. The university's IT team responded by working through the weekend to re-initialize affected machines, a process involving wiping and restoring systems to remove the malware. No additional infections were reported after May 14, indicating successful containment efforts.
The incident occurred amid a broader global cyberattack affecting over 200,000 computers across 150 countries, including high-profile victims such as Britain's National Health Service, Nissan Motor Manufacturing UK, and FedEx. Despite the infection, university spokeswoman Genevieve O'Meara stated the outbreak did not paralyze academic or administrative operations, with day-to-day activities continuing uninterrupted. The university's infection rate represented 1.4% of its centrally managed devices, a lower impact compared to organizations like Taiwan Semiconductor Manufacturing Company, which saw 10,000 machines compromised in a later 2018 variant. Microsoft had issued patches for the EternalBlue vulnerability in March 2017, but many organizations, including the University of Montreal, had not fully implemented these updates prior to the attack. The university's response aligned with global mitigation efforts, including the activation of a kill switch discovered by cybersecurity researcher Marcus Hutchins on May 12, which slowed the worm's propagation. No evidence suggested the university paid ransoms or experienced permanent data loss. The incident highlighted systemic risks posed by unpatched legacy systems and the cascading effects of weaponized exploits entering the public domain.