A Hard Study in Ransomware: Education Being Held Hostage

There’s been a dramatic rise in ransomware attacks on the networks of educational institutions, whether K12 schools and districts or higher education colleges and universities. Academic and administrative services have been locked up, with cumulative ransomware costs running into the millions.

According to the mid-year update of the 2019 SonicWall Cyber Threat Report, despite overall declines in malware volume, ransomware continues to pay dividends for cybercriminals. All told, global ransomware volume reached 110.9 million for the first half of 2019, a 15% year-to-date increase.

Ransomware targeting schools, colleges more than a trend

Apart from the direct financial damage caused by ransomware attacks (for example, the Rockville Center School District paid $88,000 in ransom), the inability to access computer systems paralyses the academic institution. The cost of the damage only accelerates the longer the university is unable to send emails, record working hours or allocate classrooms and study resources, including university computers and internet access necessary for many learning activities.

Educational institutions that refuse to pay can be incapacitated for extended periods of time — like Walcott County, Connecticut, which suffered a ransomware attack three months ago and was locked out of its affected devices until early September 2019, when the ransom payment was finally approved by the county board. In other cases, districts chose to rebuild infected systems and were similarly delayed.

“It’s a deliberate and strategic shift from hospitals and other soft targets to K12 districts and schools, where security controls and technology resources aren’t always as robust despite housing some of the most sensitive and private data,” SonicWall President and CEO Bill Conner wrote for Forbes. “It’s so common now that discussions about ransomware attacks have moved from the board room to the principal’s office and PTA meetings. But conversations need to turn into action.”

The infamous Emotet malware has also been striking schools, with attackers using spearphishing to infect systems with the malware trojan. As many services are now entirely computerized, this can even affect infrastructure like heating and cooling, cafeteria services and security systems. The K-12 Cyber Incidents map provides a graphic overview of just how widespread the problem is.

As noted by SonicWall technology partner Sentinel One, last September, just when teachers, parents and children across the nation were looking forward to the beginning of the school year, parents in New York’s Orange County received an unwelcome announcement. The superintendent of Monroe-Woodbury school district had been forced to inform them that the school would remain closed as a result of a cyberattack that had disrupted the district’s computer systems.

Monroe-Woodbury is just one of the many schools and educational institutions in the United States and throughout the world whose operations have been disrupted by cybercriminals. Earlier, in the summer, Rockville and Mineola school districts were targeted with Ryuk ransomware. In all, over 500 attacks against U.S. public schools have been reported in 2019 to date.

In addition, many U.S. universities and colleges have suffered from ransomware attacks, information leaks and email hacking in the past year. Universities and academic institutes are being targeted by more sophisticated attackers interested in stealing the intellectual property (IP) and research data that they produce.

Ransomware locked onto schools globally, too

The situation in other parts of the world is just as bad. In Australia, the head of the local intelligence agency was recruited to inform universities about cyber threats and ways of prevention. This was one of the initiatives put in place after an extremely sophisticated threat actor compromised ANU and persisted within the university’s network for months at a time.

In the U.K. in April 2019, penetration testing conducted by JISC, the government agency that provides many computerized services to U.K. academic bodies, tested the defenses of over 50 British universities. The results were unflattering: the pen testers scored a 100% success rate, gaining access to every single system they tested. Defense systems were bypassed in as little as an hour in some cases, with the ethical hackers easily able to gain access to information such as research data, financial systems, and staff and student personal information.

Ransomware analysis: common threads

It is no coincidence that universities are among the most attacked. Higher education institutions manage substantial sums of money, store personal information for students and teachers and connect with many external bodies and providers and, of course, parents, who primarily communicate with the school via email. This means that the school has a very large attack surface.

“It is too easy to demand and receive ransom payment without the risks associated with traditional data exfiltration,” Conner said when more than 20 Texas state agencies were affected by ransomware. “Until organizations are serious about ransomware protection, these types of wide-reaching ransomware attacks will, unfortunately, continue. As we’ve witnessed this past year, ransomware attacks are highly disruptive. Today’s distributed networks can be compromised in minutes. Everyday operations are then held for ransom at high costs.”

Coupled with enticing rewards is the fact that students make for easy victims of phishing scams, too. Students’ lack of experience combined with a tendency to use simple passwords across multiple services makes them prone to credential harvesting and password-spraying attacks. In one incident in September 2019, over 3,000 Kent State student emails were hacked in this way. In addition, the awareness of parents, teachers and faculty regarding cyber risks is often much lower in education than in other sectors.
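The password-spraying pattern described above has a recognizable shape in authentication logs: one source produces a small number of failures against many different accounts, rather than many failures against one. The following is an added example (not SonicWall's or any vendor's code) that flags that shape over a few constructed log lines; the log format, IP addresses, usernames and thresholds are all assumptions for the illustration and would be adapted to the real identity provider or mail server.

```python
"""Flag password-spraying sources in authentication logs.

Added example with a constructed log format. Real deployments would parse
the identity provider's or mail server's own log lines instead.
"""
import re
from collections import defaultdict

# Constructed sample: one source (203.0.113.7) tries a single guess against
# many student accounts and eventually succeeds on one; a second source
# (198.51.100.9) is one forgetful user retrying their own account.
SAMPLE_LOG = """\
2019-09-12T08:00:01Z auth FAIL user=jsmith01 src=203.0.113.7
2019-09-12T08:00:03Z auth FAIL user=alee22 src=203.0.113.7
2019-09-12T08:00:05Z auth FAIL user=mkhan09 src=203.0.113.7
2019-09-12T08:00:07Z auth FAIL user=rperez3 src=203.0.113.7
2019-09-12T08:00:09Z auth OK   user=tnguyen5 src=203.0.113.7
2019-09-12T08:00:11Z auth FAIL user=cwong14 src=203.0.113.7
2019-09-12T08:01:00Z auth FAIL user=bjones7 src=198.51.100.9
2019-09-12T08:01:05Z auth FAIL user=bjones7 src=198.51.100.9
2019-09-12T08:01:10Z auth FAIL user=bjones7 src=198.51.100.9
2019-09-12T08:01:20Z auth OK   user=bjones7 src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, result, user, src) for every line matching LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("src")


def detect_spray(text, min_distinct_users=5, max_failures_per_user=2):
    """Return {src: {"targeted": [...], "compromised": [...]}} for spraying sources.

    A spray is one source with failures against at least min_distinct_users
    accounts and no more than max_failures_per_user failures on any one of
    them. Many failures on a single account is brute force, a different
    pattern, and is deliberately excluded here. "compromised" lists accounts
    that authenticated successfully from the same source and deserve a
    credential reset.
    """
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> fail count
    successes = defaultdict(set)                     # src -> users with an OK
    for _, result, user, src in parse_events(text):
        if result == "FAIL":
            failures[src][user] += 1
        else:
            successes[src].add(user)

    alerts = {}
    for src, per_user in failures.items():
        if len(per_user) < min_distinct_users:
            continue
        if max(per_user.values()) > max_failures_per_user:
            continue  # single-account brute force, not a spray
        alerts[src] = {
            "targeted": sorted(per_user),
            "compromised": sorted(successes[src]),
        }
    return alerts


if __name__ == "__main__":
    for src, detail in detect_spray(SAMPLE_LOG).items():
        print(src, detail)
```

On a campus network many users sit behind one NAT address, so the per-user failure threshold matters: it is what separates a spray from a lecture hall of students mistyping passwords, and it should be tuned against a baseline of normal failure rates before alerting on it.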

Ransomware no longer infects a single device; it often spreads to multiple devices with the intent of infecting the entire network. First made infamous by the WannaCry attack, ransomware authors now try to leverage vulnerabilities such as those in Windows SMB to spread to other machines and network drives. Not every computer is up to date, and that leaves an opportunity not only to infect that device but also to infect others from it.

Some academic institutions are rich in data and poor in security, which makes them a prime target. They also hold student information, including grades, which is vital to students’ future endeavors, and some jurisdictions require this data to be kept for up to 100 years.

Institutions that worked to digitize older records — and without proper backups in place — may be at risk of losing this data or having to go back and digitize them again. Educational organizations must continually keep everything backed up with those backups off the network whether it is on LTO tape or in the cloud.

Further exacerbating the security situation is that educational establishments typically have limited staff dedicated to security. Unlike banks, schools typically do not have dedicated information security personnel who are engaged in 24/7 protection.

‘You’ve got ransomware’

Most ransomware attacks arrive unsolicited by email, as attachments with subject lines such as:

  • Here is my resume
  • This is an unpaid invoice
  • Here is the invoice for your flight, package, etc. (in hopes people will be shocked into thinking their credit card info was stolen).

Malicious URLs are also used. They will look like real URLs but lead to other places on the dark web. Common subject lines are:

  • Your card has been charged, please review
  • Is this you in this video?
  • Your package has arrived

Ransomware protection: best practices

The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) recommends the following precautions to protect users against the threat of ransomware:

  • Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
  • Never click on links or open attachments in unsolicited emails.
  • Backup data on a regular basis. Keep it on a separate device and store it offline.
  • Follow safe practices when browsing the Internet.

CISA also recommends that organizations employ the following best practices:

  • Restrict users’ permissions to install and run software applications and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
  • Use application whitelisting to allow only approved programs to run on a network.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
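The lure subject lines listed under “You’ve got ransomware” and several of the CISA controls above (authenticate inbound mail against spoofing, keep executable attachments away from end users, scan incoming mail) can be demonstrated together as a small inbound-mail triage step. The following is an added example, not SonicWall’s or CISA’s code. It inspects one raw message for the lure subjects from this post, for SPF/DKIM/DMARC results that did not pass in the `Authentication-Results` header the receiving mail server stamps, for executable attachments including double extensions such as `.pdf.exe`, and for links whose visible text names a different host than the real `href`. The sample message, the domains and addresses in it, and the extension list are constructed for the illustration.

```python
"""Inbound mail triage covering the CISA controls above (added example)."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure subjects from the lists in this post, as case-insensitive patterns.
LURE_SUBJECTS = [r"\bresume\b", r"unpaid invoice", r"invoice for your",
                 r"card has been charged", r"is this you in this video",
                 r"package has arrived"]
# Attachment types that should never reach end users (constructed list; tune it).
EXEC_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".bat", ".cmd", ".ps1",
                   ".hta", ".jar", ".lnk"}

# Constructed phishing sample: lure subject, failed sender authentication,
# a link whose text and href disagree, and a double-extension attachment.
PHISH_MESSAGE = """\
From: "Airline Billing" <billing@example-airline.test>
To: staff@school.example
Subject: Here is the invoice for your flight
Authentication-Results: mx.school.example; spf=fail smtp.mailfrom=example-airline.test; dkim=none; dmarc=fail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Review the charge at <a href="http://203.0.113.55/login">www.example-airline.test</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL or URL-looking text; '' if there is none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def triage(raw_message):
    """Return (findings, verdict) for a raw RFC 5322 message string."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    subject = str(msg.get("Subject", ""))
    if any(re.search(p, subject, re.IGNORECASE) for p in LURE_SUBJECTS):
        findings.append(f"lure subject: {subject!r}")

    # Authentication-Results is stamped by the receiving MTA; anything other
    # than "pass" means the sending domain was not verified (possible spoofing).
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1) != "pass":
            findings.append(f"{mech} not passed: {m.group(1) if m else 'missing'}")

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = "." + filename.lower().rsplit(".", 1)[-1]  # catches .pdf.exe
            if ext in EXEC_EXTENSIONS:
                findings.append(f"executable attachment: {filename}")
        elif part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                if "." in text and _host(text) and _host(text) != _host(href):
                    findings.append(f"link text {text!r} resolves to {_host(href)!r}")

    if any(f.startswith("executable attachment") for f in findings):
        verdict = "block"
    elif len(findings) >= 2:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    return findings, verdict


if __name__ == "__main__":
    print(triage(PHISH_MESSAGE))
```

The verdict logic is deliberately simple: an executable attachment is blocked outright because the CISA guidance says such files should never reach the user, while softer signals (a lure subject, an unverified sender, a mismatched link) are only quarantined in combination so that a single false positive on a legitimate invoice does not delay delivery. Subject-line matching alone is the weakest of the four checks and is easily worded around, which is why the sender-authentication and attachment checks carry the decision.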

In addition, SonicWall suggests the following best practice steps:

Unfortunately, with differing approaches to responding to ransomware demands being driven by budget and resources, cybercriminals have found education to be a lucrative target for ransomware attacks. While these ransomware attacks are widespread, there are commonalities to consider. It is critical to be prepared by implementing known best practices and the latest ransomware countermeasures.