May 11 2021

Palo Alto Networks Pinpoints New Ransomware Trends in Higher Ed

Here’s what higher education institutions need to know about the current state of compromise.

Ransomware attacks are on the rise across higher education institutions. In March, an FBI advisory warned that there has been a spike in Protect Your System Amigo ransomware — also known as PYSA — targeting higher education institutions, K–12 schools and seminaries.

The “2021 Unit 42 Ransomware Threat Report” digs deeper into current compromise trends and shifts in attacker strategies. Here’s a look at some actionable steps that higher education institutions can take to reduce ransomware risks.


The Current State of Security Threats in Higher Education

Attackers are collecting bigger ransoms than ever. According to the report, the average ransom paid in 2019 was just over $115,000; in 2020 it nearly tripled, to more than $312,000.

The largest known payments are also climbing. The biggest ransom paid in 2019 was $5 million; in 2020 one organization paid $10 million.

Meanwhile, COVID-19 concerns are still being leveraged to convince users they should click suspicious links in emails and download malicious attachments.

Palo Alto Networks also found that the familiar platforms remain the most commonly targeted ones, with Windows, macOS and mobile operating systems leading the way. It is worth noting, however, that attackers are branching out, and Linux-based systems are increasingly under threat as well.

Higher Ed Faces a New Ransomware Reality 

Despite sustained success in compromising key systems and holding data for ransom, attackers aren’t resting on their laurels. Instead, they’re adopting new tactics to help maximize payouts.

Some notable shifts in this new ransomware reality include:

  • The rise of Ransomware as a Service (RaaS). Much like Software as a Service (SaaS), RaaS lets would-be attackers pay subscription fees (or share a cut of each ransom) for access to the latest ransomware tooling, with the operator handling development and the affiliate handling intrusion. Initial access typically comes through commodity malware such as Dridex, Emotet or TrickBot, and once inside, affiliates rely on tools already present on the network, such as PsExec and PowerShell, to move laterally and deploy the payload. The model significantly lowers the bar of entry for attackers.
  • The advent of “double extortion.” “Double extortion” attacks, in which files are exfiltrated before they are encrypted, are also on the rise. Attackers then threaten to publish or sell the stolen files unless the victim pays up. At least 16 different ransomware families are now using this technique. The most prolific of the pack, NetWalker, has been tied to the leaks of 113 victims worldwide.
  • The pivot to “stay and play.” Traditional ransomware efforts are often “spray and pray,” where attackers use high-volume, high-speed attacks to grab whatever they can and get out. But Palo Alto Networks found a shift toward “stay and play” techniques, with attackers setting up shop on compromised networks so they can conduct in-depth reconnaissance and target high-value data assets for maximum payout.
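The RaaS bullet names two living-off-the-land tools, PsExec and PowerShell, that affiliates use for lateral movement and payload deployment. The following is an added example, not code from the article or from Palo Alto Networks' report, showing what a campus SOC would look for in Windows event logs: a PSEXESVC service install (System log event 7045) and an encoded PowerShell command line (Security log event 4688 with command-line auditing on). The log lines and the simplified `EventID|Host|key=value;...` export format are constructed for this page.

```python
"""Flag PsExec service installs and encoded PowerShell in constructed Windows
event log lines. Added example; the "EventID|Host|key=value;..." layout stands
in for a real Security/System log export and is not any vendor's format."""
import base64
import binascii
import re

# Constructed sample export (not real telemetry). 7045 = a service was
# installed; 4688 = process creation with command-line auditing enabled.
SAMPLE_EVENTS = [
    "7045|LAB-PC-17|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "4688|LAB-PC-17|NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;"
    "CommandLine=powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA",
    "4688|REG-DB-01|NewProcessName=C:\\Windows\\System32\\notepad.exe;CommandLine=notepad.exe",
    "7045|REG-DB-01|ServiceName=BackupAgent;ImagePath=C:\\Program Files\\Backup\\agent.exe",
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so capture every "-e..." switch and filter afterwards.
ENCODED_FLAG = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
UNDECODABLE = "<undecodable payload>"


def parse_event(line):
    """Split one export line into (event_id, host, {field: value})."""
    event_id, host, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if "=" in kv)
    return int(event_id), host, fields


def decode_encoded_powershell(cmdline):
    """Return the plaintext of an -EncodedCommand payload, None if the command
    line has no such switch. The payload is base64 of UTF-16LE text; a switch
    with a malformed payload is reported as UNDECODABLE rather than ignored."""
    for flag, payload in ENCODED_FLAG.findall(cmdline):
        flag = flag.lower()
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy, not an encoded command
        try:
            return base64.b64decode(payload, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return UNDECODABLE
    return None


def triage(lines):
    """Run both detections over export lines and return a list of findings."""
    findings = []
    for line in lines:
        event_id, host, f = parse_event(line)
        if event_id == 7045:
            name = f.get("ServiceName", "").upper()
            image = f.get("ImagePath", "").upper()
            # PSEXESVC is the default; "psexec -r" renames the service, so key
            # on the image path as well. A renamed binary defeats both, which is
            # why a fuller rule also flags any new service dropped into
            # %SystemRoot% by a non-installer process.
            if name == "PSEXESVC" or image.endswith("PSEXESVC.EXE"):
                findings.append({"host": host, "rule": "psexec_service_install", "detail": name})
        elif event_id == 4688:
            proc = f.get("NewProcessName", "").lower()
            if proc.endswith(("powershell.exe", "pwsh.exe")):
                decoded = decode_encoded_powershell(f.get("CommandLine", ""))
                if decoded is not None:
                    findings.append({"host": host, "rule": "encoded_powershell", "detail": decoded})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['host']}: {finding['rule']} -> {finding['detail']!r}")
```

Run against the constructed lines, the script flags LAB-PC-17 twice (the PsExec service install and the encoded command, which decodes to `whoami`) and nothing on REG-DB-01. The decode step matters in practice: analysts triage far faster from the plaintext than from the base64, and the same decoder applies to the `-EncodedCommand` arguments found in scheduled tasks and service `ImagePath` values.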

Cybercriminals are bringing these diversified attack vectors to post-secondary settings. “Ransomware attacks in higher education may target students or researchers as a way to gain access to systems,” says Hunter Ely, U.S. SLED field strategist at Palo Alto Networks. “Threat actors often use Trojans or back doors, as well as more common attacks like spear phishing to steal credentials.”

“Once breached, we’ve found that ransomware groups often use enrollment and revenue data to justify their ransom demands,” he says.


How Higher Education Can Reduce Overall Risks

According to Ely, there are several basic steps that post-secondary schools can take to help reduce the risk of ransomware compromise. They include:

  • Enforcing basic cyber hygiene. The first step in defending against advanced ransomware attacks is getting back to basics. Ely puts it simply: “IT teams should enforce basic cyber hygiene, such as having rules against weak or reused passwords and accounts.”
  • Deploying segmented network services. Logical segmentation frustrates attackers who, once inside a higher education IT environment, need to escalate privileges and move laterally to reach the systems worth ransoming. “University networks should be segmented to limit access to IT systems and domain controllers,” says Ely. Keep in mind that student and lab systems should also be isolated from critical servers. “All network data should be backed up and distributed, either on-premises for frequently used and critical files, or in the cloud for archived and nonessential data,” he says.
  • Implementing effective IAM. According to Ely, “Research data should be secured and stored separately from the academic and business systems — with identity and access management (IAM) utilizing a zero-trust security model.” By giving students and staff access to only the services they need for their organizational roles — and only after robust authentication — post-secondary schools can reduce the risk of compromise.
  • Improving system resiliency. Ely also points to the use of “ephemeral workspaces” that can be easily rebuilt if student systems are compromised or if sessions must be abruptly terminated. Combined with golden machine images that act as fail-safe restoration points, schools can significantly improve overall resiliency when ransomware attacks occur.
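The segmentation and IAM bullets above say what to separate from what, but a rule set that looks segmented pair by pair can still give a compromised lab PC a multi-hop route to the domain controllers or the backups. The following added example (not from the article or from Palo Alto Networks) computes that transitive reach over a zone-level allow list. Zone names, the two rule sets and the service labels are constructed for illustration; `psexec` stands in for SMB ADMIN$ plus service control over RPC, which is what PsExec-style lateral movement needs.

```python
"""Blast-radius check for zone-level segmentation rules. Added example: the
zones, both rule sets and the service labels are constructed for this page;
this is a coarse model (zones, not hosts or ports) meant to catch multi-hop
paths that a rule-by-rule review misses."""
from collections import deque

ZONES = ["student", "lab", "staff", "research_ws", "admin_jump",
         "file_servers", "research_store", "domain_controllers", "backup"]

# Protocols an attacker uses to run code on the next box. "psexec" is a label
# for SMB ADMIN$ + SCM-over-RPC; plain "smb" here means file-share access only.
ADMIN_SERVICES = {"rdp", "winrm", "psexec"}

# Looks segmented: there is no lab -> domain_controllers rule at all.
PARTIAL_RULES = [
    ("student", "file_servers", "smb"),
    ("lab", "file_servers", "smb"),
    ("lab", "file_servers", "psexec"),                # lab admins push images
    ("staff", "file_servers", "smb"),
    ("file_servers", "domain_controllers", "psexec"), # leftover "management" rule
    ("file_servers", "backup", "smb"),                # servers push their own backups
    ("lab", "research_store", "smb"),
    ("admin_jump", "domain_controllers", "rdp"),
]

# Admin protocols only from the jump zone; backups are pulled, never pushed to;
# research data is reachable only from research workstations.
SEGMENTED_RULES = [
    ("student", "file_servers", "smb"),
    ("lab", "file_servers", "smb"),
    ("staff", "file_servers", "smb"),
    ("research_ws", "research_store", "smb"),
    ("admin_jump", "file_servers", "rdp"),
    ("admin_jump", "domain_controllers", "rdp"),
    ("admin_jump", "research_store", "rdp"),
    ("backup", "file_servers", "smb"),
]


def reachable(rules, start, services):
    """Zones reachable from `start` by chaining rules whose service is in
    `services` (breadth-first search over the allow list), excluding `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, svc in rules:
            if src == cur and svc in services and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def exposed_from(rules, target, services):
    """Every zone from which `target` can be reached over `services`: the
    set of places an attacker must control before the target is at risk."""
    return {z for z in ZONES if z != target and target in reachable(rules, z, services)}


def report(rules, label):
    print(f"--- {label} ---")
    for zone in ("lab", "admin_jump"):
        print(f"admin reach from {zone:10}: {sorted(reachable(rules, zone, ADMIN_SERVICES))}")
    for target in ("domain_controllers", "backup"):
        print(f"{target} exposed from: {sorted(exposed_from(rules, target, ADMIN_SERVICES | {'smb'}))}")


if __name__ == "__main__":
    report(PARTIAL_RULES, "partial segmentation")
    report(SEGMENTED_RULES, "segmented")
```

With the partial rule set, a compromised lab PC reaches the domain controllers in two hops (lab to file servers by PsExec, file servers to the domain controllers by the leftover management rule) and the backup zone in two hops over SMB, even though neither appears in a lab rule. With the segmented set, the lab zone has no admin-protocol reach at all and nothing can push into the backup zone; the only zone that can reach the domain controllers is the admin jump zone, which is exactly where the zero-trust IAM controls from the next bullet (role-restricted access after strong authentication) must sit, since a compromised jump host now carries the whole blast radius.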

In short, ransomware operations are evolving, and higher education networks are increasingly at risk. While new threats such as double extortion, stay and play and RaaS pose major security challenges, universities and colleges can reduce their exposure by prioritizing robust cyber hygiene, using easily rebuilt workspaces and deploying segmented, zero-trust networks.
