Ransomware still threatens educational institutions

Acronis Cyber Protect
formerly Acronis Cyber Backup

Ransomware, widely considered to be the fastest-growing malware hazard of the 21st century, continues to threaten the uptime, budgets and brand reputation of the education sector.

by James R. Slaby

Famous ransomware victims like the University College London, University of Calgary, and Los Angeles Valley College only partially reflect the magnitude of the threat, which is global in scope and continues to expand at a frightening pace. Education officials need to deploy a battery of technologies, procedures and policies to prevent ransomware attacks from bringing down critical systems across their institutions.

ransomware in education industry

How ransomware attacks learning institutions

Ransomware is a type of malicious software that infects computer servers, desktops, laptops, tablets and smartphones, infiltrating through a variety of mechanisms and often spreading laterally across a campus from one device to another. Once it infects a system, the virus quietly encrypts every data file it finds, then displays a ransom note to the user. The extortion message starts by demanding an online payment of anywhere from hundreds to thousands of dollars (generally in some untraceable cryptocurrency like Bitcoin) in return for the decryption keys needed to restore the user’s locked files. The demand often includes a series of deadlines for payment: each missed deadline leads to a higher ransom demand and perhaps some destroyed files. If the victim doesn’t pay up, the attacker discards the decryption keys, making the data permanently inaccessible.

The education sector presents a tempting target to ransomware gangsters for several reasons. One, students often engage in risky online behaviors that expose them to ransomware attacks, such as treating email attachments without appropriate wariness, and visiting websites trafficking in pirated entertainment. Two, the highly open and interconnected nature of campuses opens up multiple points of malware infiltration: find a weak link, and ransomware can spread quickly from student to faculty to staff PCs and servers. Three, cost pressures have made it difficult for some institutions to fund IT security investments; the education sector generally lags well behind industries like finance, retail, healthcare, energy and government in resilience of its tech infrastructure. This combination of factors has made education the most popular target for ransomware attacks, according to tech security firm BitSight.

Hardly a week goes by without news of another successful ransomware attack on an educational institution. Here are just a few:

· University College London was a famous victim of the WannaCry ransomware epidemic that swept through 100,000 systems worldwide over a single weekend in 2017, losing access to its shared data repositories and student management system.

· Los Angeles Valley College paid over $28,000 to online criminals in the wake of a ransomware attack that brought down its websites, email servers and voicemail systems.

· The University of Calgary was paralyzed for over a week by a ransomware attack and eventually paid a $20,000 ransom to restore over 100 of its systems.

· Over 3200 PCs were laid low by a ransomware attack on Carleton University, which eventually paid $35,000 to restore them.

The costs of ransomware are high and growing fast

The impact and costs of ransomware attacks have been felt well beyond the education sector. For example, tech vendor Nuance recently reported that a ransomware attack it suffered in the fall of 2017 cost it $68M in refunds to customers for service disruptions and another $24M in cleanup costs.  Ransomware afflicted the United Kingdom’s National Health Service, bringing many of its facilities to a standstill for several days, resulting in the cancellation of thousands of operations and appointments and the frantic relocation of emergency patients from stricken emergency centers.

These examples are just some of the higher-profile ones from recent months. Various researchers have shown that ransomware has affected a total of 55% of organizations. Just the amount of ransom that criminals are successfully collecting from victims shows an alarming trend: total ransoms surged from $325M in 2015 to $5B in 2017, and are projected to reach $11.5B by 2019. But as examples like Nuance show, the total damage of ransomware attacks -- including the costs of operations interruption, attack recovery and forensics, damage to brand equity, and compliance violation fines -- are far greater. For example, the global costs of the WannaCry epidemic are estimated to total a whopping $8B.

How ransomware got to be a malware epidemic

The reasons for the rapid growth of this particular category of malware are mostly attributable to its evolution from a one-time cottage industry to a modern, criminal version of the software-as-a-service business. Ransomware gangs copied the model of tech vendors like Salesforce.com, continually and rapidly developing and improving their product and relying on a network of distributors to get it onto as many machines as possible. In the case of ransomware, the distributors are lower-level, unskilled criminals that use a variety of techniques to attack victims, including phishing emails with infected web links or attachments, and fake websites that invisibly download malware to users that visit them. Exploiting operating system vulnerabilities that are not widely known (so-called zero-day exploits) and thus likely to be unpatched are another popular technique, one used in both the WannaCry and NotPetya ransomware outbreaks.

Under this so-called ransomware-as-a-service model, criminal software engineers are constantly turning out new variants of ransomware to take advantage of various vulnerabilities in operating systems, applications and user behaviors, staying one step ahead of IT and security staffers and the tech vendors they rely on for defensive measures. In parallel, these ransomware gangs have also developed sophisticated distribution, monitoring, notification and payment infrastructures which they make available to their “distributors” for free. All a would-be criminals needs to do to get into the ransomware distribution racket is to download some very simple-to-use software tools and start spreading the malware around. The developers and the distributors then split the profits of victims who pay the ransom.

How educators can fight back against ransomware

In the face of this rapidly-growing threat, educational institutions can take some concrete steps to protect their systems from the operational disruptions and high costs of successful ransomware attacks. Step one is to start educating students, faculty and staff on the techniques that ransomware distributors use, teaching them to be wary of the email links they click on, websites they visit, and attachments they open.

Good network and security hygiene measures remain important, like segmenting networks to make it harder for ransomware to spread from system to system, keeping endpoint anti-malware software up-to-date, and patching known vulnerabilities in operating systems and applications as quickly as possible.

Finally, given the high success rate of ransomware attacks, it is imperative to institute a rigorous backup regimen and keep multiple copies of critical data both locally, off-campus, and in the cloud.  Routine, frequent backup remains the most foolproof defense against ransomware: if your systems are compromised, you can simply identify the onset of the attack and restore your systems from clean backups created before the incursion.

Law enforcement and security experts agree that paying the ransom is a very poor defense: over half of ransomware victims who pay do not successfully recover their files, either because the extortionists fail to deliver the promised keys, or have implemented the encryption/decryption algorithms so poorly that the keys don’t work.

Final thoughts and further reading

To avoid becoming victims of the next widespread ransomware attack, educational institutions will have to deploy the basic measures outlined above, and consider deploying leading-edge technologies for ransomware defense like Acronis Active Protection, a free extension to Acronis Cyber Backup that uses machine learning to identify ransomware attacks in progress, instantly terminate them, and automatically restore any damaged files.

For case studies of organizations that have used Acronis Active Protection to effectively protect themselves against ransomware attacks, see these stories on auto dealership Ready Honda, electronics manufacturer Johnson Electric, and aluminum refining giant Hydro Alunorte.

For details on how Active Protection works, see: https://www.acronis.com/en-us/resource-center/resource/276/

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.