March 20, 2021

Targeting colleges and other educational institutions proving to be ‘good business’ for cybercriminals

A spate of recent cyberattacks on colleges, universities, seminaries and K-12 schools prompted a warning from the FBI’s Cyber Division this week.

The advisory notice, published Tuesday, warned that criminals using malicious software called PYSA ransomware are increasingly targeting education institutions and attempting to extort them.

The FBI became aware of PYSA ransomware in March 2020 but has not identified the criminals behind the attacks.

Using phishing emails and stolen credentials to access IT networks, criminals leveraging the ransomware are stealing sensitive information and blocking access to essential data and systems through encryption. They are then demanding payment in exchange for returning access to the targeted institution.

In a double-pronged extortion tactic that has become increasingly common in recent years, hackers are not only demanding payment to restore access to encrypted information. They are also taking sensitive data and threatening to sell or publish it on the dark web if their demands are not met.

PYSA is just one type of ransomware that has been used in recent attacks against K-12 schools and colleges, said Brett Callow, threat analyst at cybersecurity solutions company Emsisoft. He said there are several groups using ransomware to target education institutions — a market that is regarded as highly lucrative.  

“Criminal organizations operate like regular businesses in that they will keep on doing whatever they’ve found to work,” Callow said. “The education sector has proved to be particularly profitable, so they will keep targeting them over and over again.” 

Ransom demands are rising quickly, said Callow. In 2020, the average ransomware demand hit $312,493 according to a report by Unit 42, a division of cybersecurity company Palo Alto Networks. In 2019, the average ransomware demand was $115,123. 

The University of California, San Francisco, admitted in July that it paid $1.14 million to hackers who encrypted and threatened to publish sensitive information stolen from the institution’s School of Medicine. UCSF, along with institutions such as Michigan State University and Columbia College Chicago, were targeted using a type of ransomware called NetWalker. The University of Utah, which paid a ransom of $457,000 in August 2020, is also believed to be a NetWalker victim. 

Ransomware attacks on colleges doubled between 2019 and 2020, according to research by cybersecurity company BlueVoyant. NetWalker, Clop, Ryuk and DoppelPaymer were among the most prevalent types of ransomware used.

There were at least 26 ransomware attacks involving colleges and universities in 2020, according to an analysis by Emsisoft. There were also 58 attacks involving school districts. Since school districts encompass multiple institutions, Emsisoft estimates a total of 1,681 schools, colleges and universities were impacted. The number of organizations that had data exposed as a result of ransomware attacks on vendors and other third parties is unknown.

Data breaches at education companies are “contributing to a growing body of stolen credentials, which leads to increased, aggressive credential stuffing attacks,” said the BlueVoyant report. In the past two years, there were breaches at vendors such as Blackbaud and Chegg.

In the recent FBI advisory, security professionals and network administrators at K-12 and higher education institutions were encouraged to implement multifactor authentication, regularly patch software and systems, encourage users not to use public Wi-Fi networks, and train employees to recognize phishing scams. The document also included technical characteristics of a PYSA ransomware attack so that institutions can monitor their own networks for signs of it.

“The FBI does not encourage paying ransoms,” the advisory said. “Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”

Universities and colleges are particularly vulnerable to cyberextortion, said Gilman Louie, CEO of LookingGlass, a cybersecurity company.

“They’re juicy targets because they have student data, they have research information and they have critical operations that need to operate on a very strict timeline,” Louie said. “They can be exploited on many fronts.”

Though colleges with comprehensive cyber insurance policies are undoubtedly attractive targets, public K-12 schools are also “sitting ducks” for ransomware attacks, said Chester Wisniewski, principal research scientist at cybersecurity company Sophos. 

“Most don’t have a ransomware incident response plan and are entreated to do ‘everything possible’ to protect the private information of students, teachers and staff members,” said Wisniewski. “Regrettably, this leads to ransoms being paid which proves the crooks chose the right mark.” 

Hackers are becoming very good at identifying which data are most precious to institutions and milking them for as much money as possible, Callow said.

Criminals spend an average of 56 days snooping around compromised networks looking for the most valuable information they can find, according to Emsisoft research. Sometimes the criminals might find a compromising picture or information that can be used to blackmail individuals, said Callow. 

In ransomware attacks on colleges, there is the troubling potential for hackers to get their hands on very sensitive information such as medical histories or sexual assault complaints and use this against students, Callow said.

In recent weeks, several colleges have experienced network outages as the result of cyberattacks. Classes at institutions including the University of Texas at El Paso and Central Piedmont Community College were disrupted. Very little has been shared about the nature of these attacks, so it is not yet clear whether these attacks involved ransomware, nor whether they were connected.

Millersville University, which was also the victim of a cyberattack earlier this month, recently found some of its data had been shared on the dark web by hackers. The contents of that zip file, a sample of which was sent to Inside Higher Ed by a source who asked to remain anonymous, were not encrypted. They included documents such as hiring contracts and W-4 tax certificates for student staff.

A spokeswoman for Millersville University said that the “very few” individuals affected had been notified. She added that the university had not received any ransom requests.

But that could change, Callow said. It is not unusual for criminals to share a small selection of the data they stole just to prove they have valuable information. Then they can demand payment in exchange for not releasing the rest.

The Millersville University cyberattack was a case of unfortunate timing, the university’s president, Daniel Wubah, said in an email to campus. The university was in the process of implementing multifactor authentication and moving many “mission-critical” resources to the cloud when the cyberattack occurred. 

“The initiatives that have begun are being incorporated into the network restoration process and other enhanced security protocols that meet or exceed industry standards and best practices,” Wubah said.

What can colleges, their employees and students do to minimize the threat?

Colleges can use encryption to make it difficult for hackers to decipher any information they gain access to, said Louie. They can also ensure that access to critical operations such as payrolls and student records is tightly controlled. 

These steps are not fail-safes. Humans make mistakes and encryption techniques can quickly become outdated and easy to crack. But they are useful deterrents, said Louie. 

“It’s like in the old days when people put a club on their steering wheel so people couldn’t steal their car,” said Louie. “Criminals know that all you have to do is cut the steering wheel and pull off the club. But maybe it’s just easier to break into the next car that doesn’t have one.” 

While the threat of well-resourced foreign agencies trying to get their hands on research information and intellectual property is very real, many cyberattacks are carried out by much less sophisticated and less well-financed actors, Louie said.

As colleges face an increasing threat, security experts agree that extra care needs to be taken to button down everything. Multifactor authentication, keeping software updated and training employees to spot phishing attempts are important, but colleges and universities also need more funding to support information sharing on cyberthreats, Louie said.

“We need to do more to support our higher education institutions, because they are prime targets,” Louie said. “The threat is increasing, not decreasing.”