Ransomware in Higher Education
Did you know that every 10 seconds in 2020 a new organization became a victim of ransomware?
According to Verizon’s 2020 Data Breach Investigations Report, ransomware accounted for approximately 80% of incidents reported in the educational services sector in 2019. This was a 48% increase from the previous year. Unfortunately, due to the COVID-19 pandemic and the shift to remote environments, cybercrime has increased even more, with recent reports showing that successful ransomware attacks on the education sector increased by a shocking 388% in the third quarter of 2020.
Colleges and universities host a significant amount of sensitive data, including student information, protected health information, financial information, and research data. This data, as well as the need to support such a diverse group of users (students, faculty, and staff) and systems, makes higher education a prime target for ransomware attacks.
In June 2020, the University of California San Francisco (UCSF) paid $1.14 million to recover School of Medicine data from attackers. Another attack demanding $4 million shut down many of Monroe College’s systems, leaving students, staff, and faculty unable to access the college’s learning management system, email, and website. In August 2020, the University of Utah paid almost half a million dollars to recover data following a ransomware attack. And just recently, in February 2021, Central Piedmont Community College was compromised by a ransomware attack that disabled systems including the phones, email, productivity software, and learning management platforms. The college was forced to cancel classes and all scheduled events.
During ransomware attacks, hackers are not only encrypting organizational data and holding networks hostage, but 50% of ransomware cases are now also exfiltrating the data and threatening to publish the information on the dark web if organizations don’t pay the requested ransom. While a company could have previously rested more easily knowing their data was backed up, with data exfiltration growing at such an alarming pace, and the significant damage that can occur if stolen data is released publicly, it is no longer an easy decision. Cybercriminals are raising the stakes and requesting two separate ransoms: one for the decryption key, and one for not publishing the sensitive data online. Current ransom demands average around five million dollars but have been reported at over $40 million.
Cybercriminals know that colleges and universities value their student information, which unfortunately means the ransoms may continue to rise. Many organizations have bargained with hackers to protect their information, but recently there have been more examples of cybercriminals who aren’t holding up their end of the deal and are posting data even after receiving the requested ransom payments. Because there is no guarantee the data will be returned or kept private, organizations may not want to pay for exfiltrated data. The FBI also strongly recommends against paying ransoms because it encourages criminals to target more victims and offers an incentive for others to formulate similar attacks.
Attackers are also becoming more strategic. Whereas previously they may have launched the ransomware as soon as they were able to gain entry into an organization through phishing or other means, they are now taking their time and using that initial access to move laterally throughout the network, gain escalated privileges, locate sensitive or critical data, and then deploy ransomware to a larger segment of the network.
To review the steps your organization can take to protect your systems and information from a ransomware attack, check out our recent blog post, Prepare to be Ransomed.
Some additional guidance from the CampusGuard Offensive Security Services Team:
[Sullivan]: As seen in the recent SolarWinds and Microsoft Exchange breaches, ransomware can come from any number of vectors and affect mission-critical systems that we trust to be secure because of the reputation of the vendor. This underscores the need not only to keep current on security patches but, even more so, to implement and audit system and network logs for suspicious activity. You may not be able to stop an attacker from gaining that initial foothold, but the better you become at baselining normal activity and detecting anomalies within your environment, the quicker you will be able to react and prevent ransomware from doing major institutional damage to your organization.
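The baselining-and-anomaly-detection advice above, as an added example that is not part of the original post and not CampusGuard's code: a Python script that learns each account's typical daily fan-out (the number of distinct hosts it authenticates to) from a set of constructed authentication log lines, then reviews a later day's lines and flags accounts that exceed their baseline, reach hosts they have never reached before, or have no baseline at all. A sudden jump in fan-out is one signal relevant to the lateral movement described earlier in the post. The log format, account names, host names, and thresholds are all assumptions made for the example.

```python
"""Baseline normal authentication activity and flag anomalies.

Added example, not CampusGuard's code. The log format below is invented:
    <ISO timestamp> user=<account> src=<source host> dst=<destination host> result=<success|failure>
"""
import re
import statistics
from collections import defaultdict

# Constructed "known good" days used to build the per-account baseline.
BASELINE_LOGS = """\
2021-02-01T08:01:00 user=jdoe src=WS-101 dst=FILE-01 result=success
2021-02-01T08:05:00 user=jdoe src=WS-101 dst=MAIL-01 result=success
2021-02-01T09:12:00 user=asmith src=WS-102 dst=FILE-01 result=success
2021-02-01T10:30:00 user=asmith src=WS-102 dst=LMS-01 result=success
2021-02-02T08:02:00 user=jdoe src=WS-101 dst=FILE-01 result=success
2021-02-02T08:06:00 user=jdoe src=WS-101 dst=MAIL-01 result=success
2021-02-02T09:15:00 user=asmith src=WS-102 dst=FILE-01 result=success
2021-02-02T11:00:00 user=asmith src=WS-102 dst=LMS-01 result=success
"""

# Constructed day under review: jdoe fans out far beyond normal, asmith touches
# one new host, and svc-backup has never been seen before.
REVIEW_LOGS = """\
2021-02-03T02:10:00 user=jdoe src=WS-101 dst=FILE-01 result=success
2021-02-03T02:11:00 user=jdoe src=WS-101 dst=MAIL-01 result=success
2021-02-03T02:12:00 user=jdoe src=WS-101 dst=FILE-02 result=success
2021-02-03T02:13:00 user=jdoe src=WS-101 dst=FILE-03 result=success
2021-02-03T02:14:00 user=jdoe src=WS-101 dst=HR-DB-01 result=success
2021-02-03T02:15:00 user=jdoe src=WS-101 dst=RESEARCH-01 result=success
2021-02-03T02:16:00 user=jdoe src=WS-101 dst=BACKUP-01 result=success
2021-02-03T02:17:00 user=jdoe src=WS-101 dst=DC-01 result=success
2021-02-03T09:00:00 user=asmith src=WS-102 dst=FILE-01 result=success
2021-02-03T09:05:00 user=asmith src=WS-102 dst=LMS-01 result=success
2021-02-03T09:20:00 user=asmith src=WS-102 dst=PRINT-01 result=success
2021-02-03T03:00:00 user=svc-backup src=WS-101 dst=BACKUP-01 result=success
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


def parse_logs(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def daily_fanout(events):
    """Map (user, day) -> set of distinct hosts the account successfully reached."""
    fanout = defaultdict(set)
    for event in events:
        if event["result"] == "success":
            fanout[(event["user"], event["day"])].add(event["dst"])
    return fanout


def build_baseline(events):
    """Per-account mean/stdev of daily fan-out plus the set of hosts ever reached."""
    counts, known_hosts = defaultdict(list), defaultdict(set)
    for (user, _day), hosts in daily_fanout(events).items():
        counts[user].append(len(hosts))
        known_hosts[user] |= hosts
    return {
        user: {"mean": statistics.mean(c), "stdev": statistics.pstdev(c), "hosts": known_hosts[user]}
        for user, c in counts.items()
    }


def detect_anomalies(baseline, events, sigma=3, min_margin=2):
    """Flag review-day activity that is abnormal relative to the baseline.

    The threshold is mean + max(sigma * stdev, min_margin): the fixed margin keeps
    a constant baseline (stdev 0) from flagging any one-host change as anomalous.
    """
    findings = []
    for (user, day), hosts in sorted(daily_fanout(events).items()):
        stats = baseline.get(user)
        if stats is None:
            findings.append({"user": user, "day": day, "reason": "no baseline", "hosts": sorted(hosts)})
            continue
        threshold = stats["mean"] + max(sigma * stats["stdev"], min_margin)
        new_hosts = sorted(hosts - stats["hosts"])
        if len(hosts) > threshold:
            findings.append({"user": user, "day": day, "reason": "fan-out",
                             "count": len(hosts), "threshold": threshold, "new_hosts": new_hosts})
        elif new_hosts:
            findings.append({"user": user, "day": day, "reason": "new hosts", "new_hosts": new_hosts})
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(build_baseline(parse_logs(BASELINE_LOGS)), parse_logs(REVIEW_LOGS)):
        print(finding)
```

Run against the constructed data, the script reports jdoe for fan-out (8 hosts against a threshold of 4), asmith for reaching PRINT-01 for the first time, and svc-backup for having no baseline; each is a lead for an analyst, not a verdict. In a real environment the baseline window would span weeks rather than two days, and the same structure applies to other signals the post implies, such as failed-logon counts or off-hours activity per account.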