Higher Ed Faces a New Ransomware Reality
Despite sustained success in compromising key systems and holding data for ransom, attackers aren’t resting on their laurels. Instead, they’re adopting new tactics to help maximize payouts.
Some notable shifts in this new ransomware reality include:
- The rise of Ransomware as a Service (RaaS). Much like Software as a Service (SaaS), RaaS lets would-be attackers pay a monthly subscription fee for access to the latest ransomware tools and technologies. Built on commodity malware frameworks like Dridex, Emotet or Trickbot, these kits are designed for ease of deployment; once inside a network they lean on common administrative tools such as PsExec and PowerShell, which significantly lowers the bar to entry for attackers.
- The advent of “double extortion.” “Double extortion” attacks, which exfiltrate files before encrypting them, are also on the rise. Attackers then threaten to publish or sell these files unless enterprises pay up. At least 16 different ransomware families are now using this technique. The most prolific of the pack — NetWalker — has been tied to the leaks of 113 victims worldwide.
- The pivot to “stay and play.” Traditional ransomware efforts are often “spray and pray,” where attackers use high-volume, high-speed attacks to grab whatever they can and get out. But Palo Alto Networks found a shift toward “stay and play” techniques, with hackers setting up shop on compromised networks, allowing them to conduct in-depth reconnaissance and target high-value data assets for maximum payout.
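The PsExec and PowerShell use mentioned under RaaS above leaves traces on endpoints that a campus security team can look for. As an added example that is not part of the article or of Palo Alto Networks' material, the following Python script runs simple detection logic over a few constructed Windows event records: a service-installation event for the PsExec service, and process-creation events whose PowerShell command lines use an encoded command or quiet-running switches. The event layout (one JSON object per line with event_id, host, service_name, image_path and command_line fields), the host names and the commands are my assumptions and sample data, not taken from the article.

```python
"""Added example, not code from the article or from Palo Alto Networks:
detection logic for the PsExec and PowerShell tradecraft the article says
RaaS kits rely on, run over a few constructed Windows event records.

Assumptions (mine, not the article's): events arrive as one JSON object
per line with the fields event_id, host, service_name / image_path
(System event 7045, service installed) and command_line (Security event
4688, process creation with command-line auditing enabled). Hosts, paths
and commands below are constructed sample data.
"""
import base64
import json
import re

# Build a realistic -EncodedCommand argument: PowerShell expects the script
# as UTF-16LE, then base64. The encoded script itself is harmless.
_ENCODED = base64.b64encode(
    "Get-Process | Out-File C:\\temp\\p.txt".encode("utf-16-le")
).decode("ascii")

# Constructed sample log lines, newline-delimited JSON.
SAMPLE_LOGS = "\n".join([
    json.dumps({"event_id": 7045, "host": "lab-pc-12", "service_name": "PSEXESVC",
                "image_path": r"%SystemRoot%\PSEXESVC.exe"}),
    json.dumps({"event_id": 4688, "host": "lab-pc-12",
                "command_line": f"powershell.exe -nop -w hidden -EncodedCommand {_ENCODED}"}),
    json.dumps({"event_id": 4688, "host": "registrar-db",
                "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"}),
    json.dumps({"event_id": 4688, "host": "admin-ws-3",
                "command_line": r"notepad.exe C:\notes.txt"}),
])

# Accepted spellings of the encoded-command switch (PowerShell allows
# unambiguous prefixes of parameter names); the argument is a base64 blob.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Switches that hide or weaken the session. Legitimate admin scripts use
# some of them too, so they are scored rather than treated as proof.
_QUIET_FLAGS = {
    r"(?i)(?:^|\s)-nop(?:rofile)?\b": "NoProfile",
    r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b": "WindowStyle Hidden",
    r"(?i)(?:^|\s)-(?:ep|executionpolicy)\s+bypass\b": "ExecutionPolicy Bypass",
}


def decode_encoded_command(blob: str) -> str:
    """Recover the script text from an -EncodedCommand argument."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def analyse_event(event: dict) -> list:
    """Apply the rules to one event and return zero or more findings."""
    findings = []
    host = event.get("host", "?")
    if event.get("event_id") == 7045:
        svc = f"{event.get('service_name', '')} {event.get('image_path', '')}".lower()
        if "psexesvc" in svc:
            findings.append({"host": host, "rule": "psexec_service_install",
                             "severity": "high", "detail": event.get("service_name")})
    elif event.get("event_id") == 4688:
        cmd = event.get("command_line", "")
        if "powershell" not in cmd.lower():
            return findings
        m = _ENC_RE.search(cmd)
        if m:
            findings.append({"host": host, "rule": "powershell_encoded_command",
                             "severity": "high", "detail": decode_encoded_command(m.group(1))})
        flags = [name for pat, name in _QUIET_FLAGS.items() if re.search(pat, cmd)]
        if flags:
            findings.append({"host": host, "rule": "powershell_quiet_flags",
                             "severity": "high" if len(flags) > 1 else "medium",
                             "detail": ", ".join(flags)})
    return findings


def scan_logs(text: str) -> list:
    """Scan newline-delimited JSON events, skipping blank or non-JSON lines."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(analyse_event(event))
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"[{f['severity']:6}] {f['host']:14} {f['rule']}: {f['detail']}")
```

The sample deliberately includes a backup script run with ExecutionPolicy Bypass on a database host: it scores medium, not high, because a single quiet switch is routine on many campus admin workstations, while a hidden window combined with an encoded command on a lab PC is the pattern worth paging someone about. Decoding the encoded command in the finding saves the analyst a step when triaging.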
Cybercriminals are definitely bringing these diversified attack vectors to post-secondary settings. “Ransomware attacks in higher education may target students or researchers as a way to gain access to systems,” says Hunter Ely, U.S. SLED field strategist at Palo Alto Networks. “Threat actors often use Trojans or back doors, as well as more common attacks like spear phishing to steal credentials.”
“Once breached, we’ve found that ransomware groups often use enrollment and revenue data to justify their ransom demands,” he says.
How Higher Education Can Reduce Overall Risks
According to Ely, there are several basic steps that post-secondary schools can take to help reduce the risk of ransomware compromise. They include:
- Enforcing basic cyber hygiene. The first step in defending against advanced ransomware attacks is getting back to basics. Ely puts it simply: “IT teams should enforce basic cyber hygiene, such as having rules against weak or reused passwords and accounts.”
- Deploying segmented network services. Logical segmentation of networks naturally frustrates attackers who want to move both vertically and laterally in higher education IT environments. “University networks should be segmented to limit access to IT systems and domain controllers,” says Ely. Keep in mind that student and lab systems should also be isolated from critical servers. “All network data should be backed up and distributed, either on-premises for frequently used and critical files, or in the cloud for archived and nonessential data,” he says.
- Implementing effective IAM. According to Ely, “Research data should be secured and stored separately from the academic and business systems — with identity and access management (IAM) utilizing a zero-trust security model.” By giving students and staff access to only the services they need for their organizational roles — and only after robust authentication — post-secondary schools can reduce the risk of compromise.
- Improving system resiliency. Ely also points to the use of “ephemeral workspaces” that can be easily rebuilt if student systems are compromised or if sessions must be abruptly terminated. Combined with golden machine images that act as fail-safe restoration points, schools can significantly improve overall resiliency when ransomware attacks occur.
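The first of these steps, rules against weak or reused passwords, is the one most directly expressible in code. As an added example that is not part of the article or of Palo Alto Networks' material, the following Python script checks a candidate password at the moment an account sets it: minimum length, no account name inside it, no hit in a known-weak password list, and no reuse of the account's recent passwords. The storage layout (salted PBKDF2 hashes per account, a weak-password corpus held as SHA-1 digests), the policy values and the sample account are my assumptions, not the article's.

```python
"""Added example, not code from the article or from Palo Alto Networks:
a password-acceptance check of the kind the "basic cyber hygiene" step
describes, rejecting weak or reused passwords when an account sets one.

Assumptions (mine, not the article's): the directory keeps, per account,
the salted PBKDF2 hashes of the last few passwords, and a known-weak
password corpus is available as SHA-1 hex digests (the form such corpora
are commonly distributed in; SHA-1 is used only as a lookup key for that
list, never for storing passwords). The weak list, account name and
password history below are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MIN_LENGTH = 12          # policy value chosen for this example
HISTORY_DEPTH = 5        # how many previous passwords may not be reused
PBKDF2_ROUNDS = 100_000  # work factor for the stored hashes

# Constructed stand-in for a breached-password corpus, kept as SHA-1
# digests so the plaintexts never sit on disk.
WEAK_PASSWORD_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password123", "Welcome2024!", "university1", "Fall-Semester-2023")
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2 digest) for storage, with a fresh salt per password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def same_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against one stored hash."""
    _, cand = hash_password(candidate, salt)
    return hmac.compare_digest(cand, digest)


def check_new_password(username: str, candidate: str,
                       history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in candidate.lower():
        reasons.append("contains the account name")
    sha1 = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    if sha1 in WEAK_PASSWORD_SHA1:
        reasons.append("appears in the known-weak password list")
    if any(same_password(candidate, s, d) for s, d in history[-HISTORY_DEPTH:]):
        reasons.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return reasons


def rotate_password(username: str, candidate: str,
                    history: List[Tuple[bytes, bytes]]) -> Tuple[bool, List[str]]:
    """Apply the policy; on success append the new hash to the account's history."""
    reasons = check_new_password(username, candidate, history)
    if reasons:
        return False, reasons
    history.append(hash_password(candidate))
    return True, []


# Constructed sample account with two earlier passwords already on record.
SAMPLE_USER = "jdoe"
SAMPLE_HISTORY = [hash_password("Correct-Horse-Battery-2021"),
                  hash_password("Correct-Horse-Battery-2022")]

if __name__ == "__main__":
    for attempt in ("Welcome2024!", "jdoe-is-great-2024",
                    "Correct-Horse-Battery-2021", "Purple-Monkey-Dishwasher-77"):
        ok, why = rotate_password(SAMPLE_USER, attempt, SAMPLE_HISTORY)
        print(f"{attempt!r}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

The reuse check has to rehash the candidate under each stored salt, which is why the history is capped: the cost of a password change grows with HISTORY_DEPTH times the PBKDF2 work factor, and a depth of a few entries is enough to stop the common "rotate back to last semester's password" habit.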
In short, ransomware efforts are evolving — and higher education networks are increasingly at risk. While new threats such as double extortion, stay and play and RaaS pose major security challenges, universities and colleges can reduce risks by prioritizing robust cyber hygiene, leveraging easily rebuilt workspaces and deploying segmented, zero-trust networks.