Cyber Incident Victim: University of British Columbia
Date: Oct 2020
Location: Canada
Summary
A Canadian university was targeted in a ransomware attack delivered via a phishing email disguised as a COVID-19 survey. The malware encrypted files but contained a hardcoded decryption key, enabling recovery without ransom payment. Analysis revealed no transactions at the associated Bitcoin address, indicating attackers received no payments. The institution collaborated with cybersecurity researchers to analyze the attack, which leveraged malicious email attachments to deploy ransomware. Technical examination identified encryption methods and indicators of compromise, with protective measures already in place for some security solutions. The incident highlighted the use of pandemic-related lures to distribute ransomware targeting educational organizations.
Description
On or around October 19, 2020, the University of British Columbia experienced a ransomware attack initiated through a phishing campaign masquerading as a COVID-19 survey. Threat actors distributed malicious emails containing links to a fraudulent questionnaire designed to harvest credentials. Once recipients interacted with the link, the attackers deployed ransomware that encrypted files on compromised systems. Analysis of the malware revealed it used AES encryption with a hardcoded decryption key embedded within its code: the Swedish phrase "du_tar_mitt_hjart_mina_pengarna0" ("you take my heart my money"). This key enabled decryption of affected files without paying the ransom, as demonstrated by researchers using CyberChef to decrypt sample data. The ransomware operators provided a Bitcoin address (1LthWWSd82dKddmHwqhBv8XHiCYyUZqhmA) for ransom payments, but blockchain records indicated no transactions occurred at that address prior to analysis.
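The recovery the researchers performed in CyberChef, written out as an added example (this is not code from the page, the university, or Malwarebytes): a small Go decryptor that uses the key string quoted above. The string is 32 bytes long, which selects AES-256 in Go's crypto/aes. The page does not state the cipher mode or how the encrypted files are laid out, so AES-CBC with the IV stored in the first 16 bytes and PKCS#7 padding are assumptions of this example; `EncryptSample` exists only to build a constructed fixture so the decryptor can be exercised offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// HardcodedKey is the key string reported in the incident description.
// It is 32 bytes, so crypto/aes treats it as an AES-256 key.
const HardcodedKey = "du_tar_mitt_hjart_mina_pengarna0"

// KeySizeBits reports which AES variant a key of this length selects, or an
// error when the length is not one of the three valid AES key sizes.
func KeySizeBits(key []byte) (int, error) {
	switch len(key) {
	case 16, 24, 32:
		return len(key) * 8, nil
	}
	return 0, fmt.Errorf("invalid AES key length %d", len(key))
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed padding so that a
// wrong key (almost always) produces an error rather than garbage output.
func pkcs7Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext length is not a block multiple")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || n > len(data) {
		return nil, errors.New("bad padding length")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return data[:len(data)-n], nil
}

// Decrypt recovers plaintext from a blob laid out as IV || AES-CBC ciphertext.
// ASSUMED layout: the page does not document the mode or file format.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob too short or not block-aligned")
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// EncryptSample builds a constructed fixture in the same assumed layout so the
// decryptor can be demonstrated without any real encrypted file.
func EncryptSample(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(iv, ct...), nil
}

func main() {
	key := []byte(HardcodedKey)
	bits, _ := KeySizeBits(key)
	// Constructed sample document; not data from the incident.
	sample, _ := EncryptSample(key, []byte("constructed sample document"))
	pt, err := Decrypt(key, sample)
	fmt.Printf("key selects AES-%d; recovered %q (err=%v)\n", bits, pt, err)
	// A wrong key decrypts to noise, and the padding check then fails in all
	// but roughly 1 in 256 cases, so the tool does not report false success.
	_, err = Decrypt(bytes.Repeat([]byte("x"), 32), sample)
	fmt.Println("wrong key:", err)
}
```

Because the key is a fixed constant inside the binary, the same decryptor works for every victim of this build; that is the property that made recovery possible without payment. Against a sample from a different build, the first thing to verify is the key length (KeySizeBits) and the assumed IV placement, since either being wrong yields a padding error rather than plaintext.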

The university collaborated with cybersecurity researchers at Malwarebytes to investigate the incident, sharing technical details that facilitated comprehensive analysis of the attack’s mechanics and scope. This cooperation confirmed the ransomware’s phishing delivery method, its encryption process, and the absence of successful extortion. Malwarebytes noted its Anti-Exploit layer provided signature-less protection to its customers against this threat. The incident underscored the continued exploitation of pandemic-related themes by threat actors and demonstrated the critical role of shared forensic data in neutralizing ransomware impacts without capitulating to financial demands.
