Higher education institutions are prime targets for ransomware attacks. Universities and colleges handle large amounts of sensitive personal data, facilitate a campus-wide intranet, and manage research data. These factors combine to make targeting the higher education sector a potentially lucrative operation for threat actors. The more sensitive the data, the more valuable it becomes in the wrong hands.
This article looks at the state of ransomware in higher education. You’ll get the lowdown on relevant statistics, notable recent ransomware attacks, and some guidance for managing this threat.
Ransomware in Higher Education: The Statistics
The tenets of higher education, encompassing openness, trust, and information exchange, add to the ransomware risks in this sector. These tenets contrast with the necessary rules, controls, and best practices for securing networks and data.
Ransomware is malicious software that blocks access to networks, systems, and/or files in an attempt to extort a ransom payment from its victims. Typically, access to valuable resources is blocked through encryption methods with a message indicating a return of those resources upon payment of the ransom.
The statistics paint a telling picture of the higher education sector’s exposure to ransomware:
- Ransomware attacks against universities during 2020 increased by 100 percent compared to 2019.
- 41% of higher education cybersecurity incidents and breaches start with social engineering techniques.
- Education is the 6th most targeted sector for cyber crime out of 20 different sectors.
Five Recent Ransomware Attacks on Higher Education Institutions
Des Moines Area Community College (DMACC): June 2021
The most recent ransomware incident focuses on a community college in central Iowa. In early June 2021, an attack wreaked havoc on the DMACC IT network and led to the cancellation of all online courses followed by in-person classes the next day. The ramifications were such that online classes remained canceled for a full two weeks while the college attempted to restore its IT network.
It was interesting to see that the college’s decision-makers opted not to pay the ransom demanded by the group behind this attack. It is not exactly clear what ransomware group was behind the attack or what the demanded ransom was. Federal organizations don’t recommend paying ransoms because doing so can incentivize more attacks. Furthermore, paying up doesn’t necessarily result in getting full access back to compromised systems, files, or other resources.
Sierra College: May 2021
The scourge of ransomware struck a Northern Californian college at one of the worst times possible—during finals week. Like the previous incident, details on the type of ransomware or the perpetrators behind this attack also weren’t revealed. What is known is that valuable learning resources for students were taken offline and required workarounds to get access to them.
According to a statement in the immediate aftermath of the attack, the college was “working with law enforcement and third-party cybersecurity experts to investigate this incident, assess its impact, and bring our systems back online”. The college’s registration service wasn’t available as a consequence of the attack, which potentially affected prospective students. An update two weeks after the initial incident disclosure revealed the restoration of most IT services at Sierra College.
Multiple Universities: March 2021
Multiple high-profile universities became victims of a ransomware attack conducted by the Eastern European Clop gang in March 2021. Clop ransomware uses phishing emails with malicious attachments to get into networks, lateral movement to spread quickly, and evasive techniques to avoid detection by security solutions. Data exfiltration is also a feature of Clop; the ransom demand comes with a threat to disclose stolen data to the dark web if the payment isn’t made.
In this incident, universities such as the University of Colorado, the University of Miami, and the University of California had sensitive data stolen when Clop ransomware compromised the Accellion file transfer service. The stolen data included grades and other personal information. This incident highlighted the cyber risks that can come from third-party software vendors.
South and City College Birmingham (UK): March 2021
Across the Atlantic in England’s second city, Birmingham, a local college with eight campuses distributed throughout the city had to close all campuses following a major ransomware attack.
On-campus servers and workstations were impacted, which resulted in students having to return to online learning only a week after they resumed in-person classes after a national lockdown to curb Covid-19. An official college Tweet stated that the ransomware attack disabled many of the core IT systems at the college. It also appears that this was a double extortion attack because, according to quotes, “a volume of data has been extracted from our servers”.
University of California San Francisco (UCSF): June 2020
In one of the most high-profile recent ransomware attacks on the higher education sector, UCSF paid a $1.14 million ransom after a June 2020 attack. The Netwalker gang behind this attack uses a ransomware-as-a-service operation. A recent article estimated the NetWalker’s gang’s revenue since March 2020 at $25 million, which shows how profitable these attacks can be.
This incident gained wide media coverage after the UK’s BBC News gained access to live ransom negotiations on the dark web between the NetWalker gang and the university. Within the live chat thread, there was a threat to release stolen student records if the university didn’t increase its ransom offer. The university’s decision-makers felt they had no other than to pay the ransom because of the importance of the data that hackers got their hands on.
Managing The Ransomware Threat in Higher Education
Thankfully, many educational institutions recognize the pervasive threat of this ever-increasing form of cyber attack. Most colleges and universities have IT teams with cybersecurity knowledge. Here are some tips to manage the threat of ransomware:
- Use Backups: Having backups of important data and systems is always a useful strategy for minimizing the impact of ransomware attacks. A properly executed backup strategy provides the most comprehensive and effective way of getting compromised files and/or systems back. It’s worth noting that organizations across all sectors that pay ransoms to perpetrators rarely get all of their affected data or systems back.
- Segment the Campus Network: Ransomware and other forms of malware often proliferate through a network to inflict maximum damage. Good network segmentation splits a campus network into logical segments, which can isolate the harm from ransomware to one particular segment rather than across the whole network.
- Have an Incident Response Plan: Organizations that contain and minimize the damage from in-progress ransomware attacks are invariably those with a solid incident response plan in place. This plan establishes instructions for responding to and recovering from detected cybersecurity incidents. A solid incident response plan needs to clearly and logically identify key roles, actions, and responsibilities during a cybersecurity incident.
- Implement a Cybersecurity Framework: A cybersecurity framework provides a set of standards and guidelines for protecting against modern cybersecurity threats. Implementing these frameworks can prove to be an invaluable way to increase protection against ransomware and a whole host of other attack vectors. Cybersecurity frameworks are created by groups of cybersecurity experts. Example frameworks include the Nist Cybersecurity Framework and the CIS Controls.
- Combat Phishing Threats: In an information-sharing space like a college or university intranet, trust and openness are encouraged. Unfortunately, this trust is exploitable by hackers who commonly use phishing techniques to gain an initial foothold into a network. By spoofing emails, the perpetrators can get victims to click malicious links or download email attachments that install malware. Email security tools can filter out or flag phishing emails before they get the chance to deceive people. A modern solution equipped for sophisticated threats should ideally be a self-learning AI-driven solution that continuously improves its effectiveness over time as it scans, filters, and flags deceptive emails.
The principles behind higher education, the complexity of IT environments in this sector, and the sensitivity of the data all combine to create somewhat of a perfect storm for ransomware attacks to occur. Colleges and universities must remain vigilant and assume that the worst will happen. Preparation is key to minimizing the possible consequences of ransomware in higher education.
To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today at https://ironscales.com/get-a-demo/.