Held for Ransom: Why colleges must be proactive to prevent cyberattacks
This is the first in a series of articles on ransomware attacks, cybersecurity and the impacts on higher education.
Since the start of the fall semester, at least two institutions of higher education in the United States have been hit by separate ransomware attacks—Howard University and Washington Adventist University. Both communities are still working to recover as administrators, students and faculty have faced disruptions to communications, data and coursework.
Although colleges and universities have not been the main targets of cyberattacks since the beginning of the COVID-19 pandemic (school districts and businesses have been victimized far more often), attacks on them are on the rise, and they are increasingly valued by hackers worldwide. That’s not necessarily because of the extreme payouts hackers might receive, but because of the breadth of information institutions possess in their portfolios.
“The golden item that a lot of people want is American research,” says Tony Coulson, director of the Cybersecurity Center at the California State University at Santa Barbara. “There’s a reason why countries around the world send their students here. American research is preeminent. That makes higher ed a very attractive target. If you can get your hands on the latest intellectual property—if you could steal tomorrow—you’ve got an advantage. The ones that are really in it for profit want to lock up research. As a faculty member, if somebody locked up your research, and you’re an expert in your field—25 years, and you don’t have another life—it’s very valuable to you.”
Swipe the latest innovations or potential inventions, or more sinisterly, healthcare studies involving the latest coronavirus developments, and that work becomes an easy sell to others in black markets. Colleges and universities are especially vulnerable, given their openness, their lean toward implementing new technology and one factor that came as a result of COVID: remote learning and the abundance of access possibilities.
“[Colleges] usually have a much more open and permissive environment, which is useful and necessary for flow of ideas and education,” says Mike McNerney, Chief Operations Officer at cyber insurance firm Resilience and former Cyber Policy Advisor in the federal Office of the Secretary of Defense. “They don’t want to have a very controlled or clamped down environment. I used to work at the Pentagon, and it was the exact opposite. Malicious actors in cyberspace and other spaces take advantage of that. You’re talking about organizations, with some exceptions, that don’t have a lot of extra resources or extra overhead, especially if you’re looking at smaller schools or state schools. They may be having budgetary constraints. They don’t necessarily have always the resources dedicated to these kinds of actions.”
The result of those holes can be financial blackmail as hackers hold research, student and faculty information, or other data hostage. According to cybersecurity company BlueVoyant, the average ransomware attack costs institutions nearly $450,000. For some that cannot fully recover data or need extra manpower to handle the work needed over years to get back to near normal operations, it can be as steep as $2 million because of public relations costs, forensics investigations and legal assistance.
Endpoint protection company Emsisoft noted in The State of Ransomware in the US: Report and Statistics 2020 that 26 colleges and universities were hit by attacks last year. One of those, the University of California at San Francisco, paid out roughly $1.4 million to hackers, while the University of Utah gave up $500,000. Though the Federal Bureau of Investigation advises institutions and companies not to pay, when sensitive information is on the line or data might be lost forever, some feel they have no choice. And there is often no standard amount bad actors want when they settle.
“The price can vary enormously,” says Brett Callow, threat analyst at Emsisoft, which makes antivirus products to try to prevent ransomware attacks from occurring. “It’s customized for each target based on how much they believe they can get.”
If colleges are aware of the problem, why do attacks keep happening?
“Security is hard,” Callow says. “Organizations make mistakes, and the attackers take advantage of those mistakes. Most ransomware attacks succeed because of basic security failing: passwords being compromised, an internet server not being patched as promptly as it should be. I’m not leveling any criticism at the organizations. It’s hard to get everything right all the time, and hackers only need them to get it wrong once.”
How the attacks happen
What they continually get wrong are the basics, according to BlueVoyant—66% lack basic email security configurations, while 40% have open database ports that hackers can seize on.
Once in, attackers root around to steal information before they go in for the kill.
“Ransomware is really not very interesting. The ransomware itself is just something that encrypts files,” Callow says. “What’s more interesting is the techniques attackers use. One of the main ways they gain access to networks is through malicious emails. It’s a common misconception that you open the attachments in an email and all your files suddenly start being encrypted. What actually happens is when you open that attachment, you basically install remote access software which enables attackers to gain access to the network. They will move laterally throughout it. They will steal the data. They will elevate their own privileges. Eventually, when they are good and ready, they will deploy the ransomware.”
And then it’s game on. The attacks will shut down networks and thieves will then make contact with officials, often asking for large sums of money. Victims might decide not to pay, but even if they have backups of all data, hackers can still do harm to the institutions and their communities.
“If the organization doesn’t pay, they’ve still got that problem with what to do with the stolen data, which the attackers will release online unless payment is made,” Callow says. “Schools do hold very sensitive information. You’ve obviously got the financial stuff relating to teacher salaries and so forth. If things like allegations of sexual assaults leak online, which has happened, there’s absolutely nothing you can do.”
It is a true Catch-22. Even if colleges decide that paying is the only option, that doesn’t mean information won’t leak out at some point or that the data they receive in return will reappear intact. Nearly half of those who get it back find that it is corrupted, according to Ransomware: The True Cost of Business from Cybereason.
“Organizations often underestimate how long it’s going to take to recover, if they ever do fully recover,” Callow says. “It doesn’t solve your problems. Paying does not get you out of the woods. When the attackers get in, they create backdoors that they can use to get in from a future point. So you’re really looking at rebuilding everything from scratch.”
Strategies to stop it
For institutions without cybersecurity insurance, Callow says, “The best option would be to call an incident response company. Ransomware events are extremely messy and complex to deal with. Generally speaking, it’s not something in-house that IT can handle.”
Of course, the colleges and universities that have done their homework and taken ransomware seriously typically have planned for that eventuality. They’ve either procured insurance, put in strong measures to prevent hackers from gaining access or just simply put a plan in motion to stop it.
“I’m a big fan of doing tabletop exercises of incidents—a practice cyber security incident—whether it’s ransomware or hacking,” says Jim Shreve, Partner and Chair of the Cybersecurity Group at Thompson Coburn LLP, which assists institutions with risk analysis and security breaches. “At all institutions, including higher education, that is being done by the information security people regularly, but it oftentimes doesn’t involve some of the senior executives that need to make the important decisions. If you’re talking about a ransomware attack, are you practicing with the person who makes the decision whether to pay or not? Are you involving those senior management people that are going to be tasked with making important decisions very quickly in an incident?”
Getting a wide foundation of stakeholders involved, and creating a plan for cyber crisis moments, is critical to staving off hackers, keeping data secure and preventing enormous sums from being paid out to thieves. Most colleges have strong measures in place to deter hacking, but the FBI reminds institutions of these five simple strategies that can determine whether attacks occur and how severe they are:
- Ensure operating systems, software, and applications are current
- Anti-virus and anti-malware solutions should automatically update and run regular scans
- Back up data regularly and check that backups are in fact completed
- Secure backups. They should not be connected to computers and networks they are backing up
- Create a continuity plan before your institution is the victim of a ransomware attack
Multilayer authentication and strong passwords among users are highly recommended by cybersecurity experts. The FBI says any institution that believes it has been hacked or has been contacted by thieves should contact its local FBI field office or submit a tip online.
Coming Monday in UB: How risk assessments, quick responses can be essential in stopping cyberattacks.