The Increasing Threat of Ransomware in Higher Education

During the pandemic, several major cyberattacks have unfolded, resulting in severe impacts to organizations and individuals. One of the most talked-about cyberattacks in 2020 was the SolarWinds breach, in which hackers gained access to nearly 18,000 clients of SolarWinds. The victims of the attack include Fortune 500 companies and multiple US government agencies.

In May 2021, Colonial Pipeline Company, a major refined-oil products supplier responsible for 45 percent of the East Coast's fuel supply, was hit in the largest-known hack to date on US energy infrastructure. The attack caused Colonial Pipeline to shut down its entire system, leading to panic and a disruption in gasoline supply across the East Coast of the United States.^Footnote1 In order to unlock encrypted files and get the pipeline back up and running, Colonial Pipeline paid hackers $4.4 million in Bitcoin for a decryption key.

Recently, the number of ransomware attacks similar to the attack on Colonial Pipeline has increased dramatically. The number of ransomware attacks more than doubled as cybercrime operations increased throughout the coronavirus pandemic. These attacks grew not only in frequency but also in sophistication and ransom demand. In 2018, the average ransom demanded from a victim was $8,000. In 2020, the average demand grew to $170,000, with high-end demands exceeding $1 million.^Footnote2

Ransomware attacks are not only affecting businesses; colleges and universities are also prime targets for attacks. Surprisingly, education is the most affected sector for malware attacks when compared to other industries like business and professional services, retail and consumer goods, and high tech. Within the last thirty days, educational organizations have been the target of more than 6.1 million malware attacks, while the second-most affected industry (business and professional services) has only seen 900,000 attacks.^Footnote3 An analysis of ransomware campaigns within higher education found that ransomware attacks against colleges and universities have more than doubled since the onset of the coronavirus pandemic.^Footnote4

The FBI's Cyber Division recently warned that ransomware poses a huge risk for higher education, as cybercriminals using this type of attack are now focusing heavily on colleges and universities.^Footnote5 The FBI became aware of a new type of ransomware attack—using a new type of malware known as PYSA—where unidentified cyber actors are specifically targeting higher education, K–12 schools, and seminaries. These actors use PYSA to exfiltrate data from victims prior to encrypting the victims' systems to use as leverage in eliciting ransom payments.

What Is Ransomware?

Ransomware is a malicious form of malware, where hackers deploy a malicious computer code to block an organization's access to its own computer network to extort a ransom. The types and complexity of ransomware attacks have increased rapidly over time, and today many ransomware attacks see cybercriminals gaining access to an organization's data and then holding it hostage with military-grade encryption.

There are three main types of ransomware (listed below in order of increasing severity and complexity):

• Scareware: This type of ransomware typically includes rogue security software and tech-support scams. In this type of ransomware, the victim may receive a pop-up message claiming that malware was discovered on their system, and the only way to eradicate the malware is to pay for the security software to remove it. In most cases, this type of attack poses little actual risk to files and data.
• Screen lockers: When a screen locker attack is deployed, the victim is locked out of their computer entirely. Upon startup, a full-size window will appear demanding ransom payment and prohibiting the victim from using their computer.
• Encrypting ransomware: This is the most complex and devastating type of ransomware. Cybercriminals will gain access to the victim's system, seize their files, encrypt them, and then demand payment for decrypting and returning the files.

When faced with an encryption ransomware attack, the victim is left with only a few choices: they can either pay a ransom to the criminals (which does not guarantee the criminals will return the data), attempt to break the encryption on their data, or restore their data and systems from backups.

In a ransomware attack, hackers typically search out an organization's most valuable data. High-profile ransomware attacks sometimes target organizations that are conducting research where the data is highly confidential. In other cases, the data the attackers might be after could be confidential data about a university's students, including social security numbers, addresses, and birthdates. Another common target for ransomware attacks is any type of data or system that could make it impossible for an organization to function. Because of the data they possess, higher education institutions are key targets for ransomware attacks.

However, even smaller universities and colleges, as well as those without an emphasis on research, are prime targets for this type of cyberattack. Regardless of whether an institution considers its data to be valuable, chances are that cybercriminals do. Higher education institutions inherently gather and store large amounts of confidential student data and therefore must protect themselves against ransomware attacks.

Even more concerning than traditional malware-based ransomware attacks are human-operated ransomware attacks, which pose a huge threat to organizations of all types. An advanced type of ransomware, human-operated ransomware attacks are becoming more frequent and costly. In a human-operated attack, a cybercriminal is actually controlling the attack in real-time, and after gaining access to a victim's system, the criminal quickly scans through files and locations—while also preventing any antivirus alerts—to pinpoint and steal the most valuable data.

In these types of attacks, the attacker will often exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to what they discover in a compromised network. Existing antivirus solutions are often not a strong enough defense when an organization is faced with this type of hands-on-keyboard ransomware attack.

The Impact of Ransomware Attacks

The impact of a ransomware attack can be devastating. For example, a West Coast university was the victim of a ransomware attack involving data within their school of medicine's research department. After the university realized hackers had encrypted valuable research data, the school chose to pay the hackers $1.14 million in cryptocurrency in hopes that the hackers would provide a decryption key. Fortunately, the school reported that it received a key to restore access to the files and copies of the stolen documents. The FBI recommends against ever paying a ransom to ransomware attackers, as there is no guarantee that the data will be recovered, and paying the ransom encourages the hackers to repeat the attack. The FBI encourages victims of ransomware attacks to contact their local FBI field office to request assistance.

Most types of cyberattacks are happening globally. In England, a top university recently suffered a ransomware attack that forced the school to shut down nearly all of its IT systems. The school was forced to delay the start of the next term while IT teams scrambled to investigate the attack and determine the effect on their systems. The impact of ransomware is not always just a monetary loss, as the disruption to a school's term start will affect many other programs and schedules down the road.

Developing a Strategy to Help Prepare for Ransomware Attacks

Defending against ransomware attacks requires a tiered approach to security with a Zero Trust model at the heart of the methodology. So, how does Zero Trust work? Zero Trust follows three guiding principles: verify explicitly, use least privileged access (LPA), and assume breach.

• Verify explicitly: Zero Trust closes gaps in multi-factor authentication (MFA) coverage by requiring explicit verification across the network. Instead of assuming trust based on weak assurances like network locations, Zero Trust uses all available data—identity, endpoint, and network data—to authenticate all access requests, no matter where they came from or what they're accessing.
• Use least privileged access (LPA): Zero Trust makes it harder for attackers to negatively impact key systems and data by limiting users' access to the resources, devices, and environments they need. Without widespread privileges and access, attackers have fewer opportunities to move laterally within the network beyond an initial breach.
• Assume breach: As a final fail-safe, Zero Trust operates under the assumption that a breach has already happened or soon will. This means deploying redundant security mechanisms, collecting system telemetry, using that telemetry to detect anomalies, and—wherever possible—automating insight generation to enable near-real-time prevention, response, and remediation.

IT professionals play an important role in security and are the foundation of an approach to preventing ransomware. Many observed ransomware attacks leverage malware and tools that are easily detected by antivirus security software. Observed affected servers also often lack firewall protection and MFA, have weak domain credentials, and use non-randomized local admin passwords.

Oftentimes, these protections are not deployed because there is a fear that security controls will disrupt operations or impact performance. IT professionals can help determine the true impact of these settings and collaborate with security teams on mitigations. Attackers often prey on settings and configurations that many IT admins manage and control. Given the key role they play, IT professionals should be part of security teams to defend against ransomware attacks.

When considering complex, human-operated ransomware attacks, traditional solutions like MFA and antivirus are a good start but will not completely defend an organization against a knowledgeable cyberattacker. The only way to defend against these types of events is a twofold approach involving top-of-the-line endpoint detection and response paired with a user entity behavior analytics (EUBA) solution. This is the only way to pinpoint if there is an attacker on the inside of a system who has managed to evade or silence antivirus alerts.

Notes

1. Will Englund and Ellen Nakashima, "Panic Buying Strikes Southeastern United States as Shuttered Pipeline Resumes Operations," Washington Post, May 12, 2021. Jump back to footnote 1 in the text.↩
2. John Leyden, "Ransomware Attacks More Than Doubled Last Year as Cybercrime Operations Scale Up during Coronavirus Pandemic," The Daily Swig (website), March 8, 2021. Jump back to footnote 2 in the text.↩
3. Microsoft Security Intelligence, Global Threat Activity Map by Industry, Microsoft (website), accessed June 4, 2021. Jump back to footnote 3 in the text.↩
4. Cybersecurity in Higher Education, research report, (New York, NY: BlueVoyant, February 2021). Jump back to footnote 4 in the text.↩
5. Federal Bureau of Investigation Cyber Division, Increase in PYSA Ransomware Targeting Education Institutions, FBI FLASH, Alert Number CP-000142-MW, March 16, 2021. Jump back to footnote 5 in the text.↩

---

Steve Scholz is Principal Technical Specialist for Security, Compliance and Identity, US Education, at Microsoft.

Bill Hagen is a Senior Director of Security addressing industry, partner, and customer requirements at Microsoft. 

Corey Lee is Senior Consultant and Zero Trust Architect at Microsoft.