
Dec 22 2025

Ransomware’s New Frontier: How Universities Can Defend Against This Growing Threat

Increasingly sophisticated data breaches, exfiltration schemes and other unprecedented risks to higher education networks require updates to cybersecurity strategies and tools.

When it comes to cyberattacks, especially ransomware, education has become cybercriminals' most-targeted industry. Through the first half of 2025, education organizations, including universities and colleges, have faced a sharp increase in attacks, weathering an average of 4,356 attacks per organization each week, which represents a 41% year-over-year increase, according to Check Point. This increase in attacks has coincided with a change in ransomware tactics by attackers.

But the threat is evolving.

“In the past 18 months, we’ve seen an evolution in how ransomware attacks are occurring,” explains Matt Trudewind, cybersecurity architect for U.S. Public Sector at NetApp. “The typical data lockout approach has evolved into a data breach or data exfiltration type of attack. The attacker not only encrypts data to deny access, they then move the data to an offsite location accessible by the attacker. Then, the attacker threatens to publicly release data if the ransom is not paid.”


A Window Into Your Data Landscape

As institutions become more attractive targets, network administrators require tools purpose-built for the cyberthreats they now face. An important first step in improving security posture is knowing what data is on the network. The sprawling and complex architecture of most university networks can make this a challenge.

Administrators often lack clear visibility into what data they have and whether it is protected. One way to achieve better visibility is with the NetApp Console, which provides a centralized management overview of an institution’s hybrid cloud assets. This console allows colleges to implement a variety of security-focused data services, including NetApp’s Ransomware Resilience.

“This service scans your environment and discovers all of your workloads,” explains Trudewind. “Once Ransomware Resilience discovers them, it can show you if they're protected by all of our ransomware protection capabilities, including AI ransomware detection and immutable, indelible backups.”

Immutable (unchangeable) and indelible (undeletable) backups — and especially write-once, read-many configurations — serve as a critical hedge against ransomware. With a few clicks, network administrators can quickly extend all of NetApp’s ransomware protections, including immutable and indelible backups, to any unprotected workloads on the network.


Defensive Measures Following a Breach

Should an attacker breach the university’s network defenses, Ransomware Resilience includes data breach detection that will alert the administrator to data that’s been moved offsite by the attacker as well as data that’s been locked out through ransomware encryption. NetApp has added a feature to specifically address the growing data exfiltration threat of more recent ransomware attacks.

“Administrators can now detect when someone's trying to take data offsite, and they are able to block that user account,” says Trudewind. “So, if an attacker uses a stolen user account to send data offsite through a data breach or encrypt data, we can actually block the user account and stop that from occurring.”


NetApp has an additional detection feature within the NetApp Console called Autonomous Ransomware Protection, according to Trudewind. ARP relies on a continuously updated AI engine trained to identify the signatures of all known ransomware software used by attackers. If a ransomware signature is detected, the NetApp Console immediately sends an alert identifying its presence and location in the network.

“It also takes an automatic snapshot backup copy to give you a close recovery point,” says Trudewind. “Maybe you didn’t configure backups on that system for whatever reason, or your backups have a long interval period. This guarantees a close recovery point.”


In situations where ransomware has successfully been deployed, Ransomware Resilience provides an isolated recovery environment. This feature provides a place for the clean restoration of your workloads without the threat of reinfection by the ransomware.

“A lot of times, universities will start recovering their backups after a ransomware attack, and they’ll notice that the data immediately gets reinfected and then re-encrypted by the ransomware,” says Trudewind. “By restoring the data to an isolated recovery environment, you can see your data while you’re still trying to figure out how to stop the ransomware. This provides an opportunity to bring in a few clean systems to access that critical data until you get the main site cleaned up.”

Safeguarding Against Insider Threats

A multilayered approach to security also must take into account the often-overlooked threat of insider attacks. These attacks, whether initiated by a disgruntled employee or someone with access to university credentials, take advantage of the trust that is placed in the multifactor authentication normally used to secure access. If MFA is breached by an attacker, they can gain wide-ranging access to university data and resources.


The NetApp storage system addresses this threat through multi-admin verification. MAV can be set up to require verification from other administrators before a particularly questionable action, such as deleting data or replicating data to an offsite location, can occur.

“It can require another administrator to approve that kind of action first,” says Trudewind. “So, you can't set up a new replication destination without that signoff from another admin.”

That could require approval from even two or three admins, depending on how you set it up, he said.

“This is also a helpful feature to avoid making mistakes,” he said. “Maybe you start to delete a volume of data that you thought was QA; turns out it was production. You can stop that. It notifies another admin and asks them to sign off on the action.”

Universities face unprecedented threats — from ransomware waves to insider breaches. The good news is that effective defensive tools such as NetApp’s Console and storage innovations continue to evolve alongside the attacks to meet each new threat. The challenge is real, but the strategy is clear: visibility, detection, recovery and governance.
