Be on the lookout as ransomware targets schools
Earlier this month, the FBI issued a warning to the public that it has seen an increase in ransomware attacks against higher education institutions, K-12 schools and seminaries. Before the pandemic, schools accounted for about 28% of this type of crippling attack, and by August that figure had shot up to 57%, primarily due to the shift to distance learning. But here we are back in school for the most part and the figure continues to rise.
Our own University of Utah was hit with a ransomware attack last summer and wound up paying more than $450,000 to the criminals even though administrators had the backup data to replace what was stolen. This case shows how ransomware has evolved as institutions and private companies (and perhaps, you) have learned the importance of backing up data to prepare for a loss, whether that’s a computer malfunction or a ransomware attack.
The newer type of ransomware attack goes beyond just locking up your computer and holding it for ransom. Called a double extortion model, the attack is made in two parts. First, the ransomware operators copy and remove sensitive data from the victim’s system and hold it in reserve. Then, the ransomware is injected into the system, the computers on the network are locked up and the demand for ransom is made. If the target refuses to pay the ransom, the perpetrators reveal that they have stolen data and threaten to leak or sell it on the black market. The leak sites where that stolen data is posted are created and managed by the ransomware operators themselves.
While the University of Utah had the backup data, it did not want sensitive student and employee records and other information to be released. “After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker. This was done as a proactive and preventive step to ensure information was not released on the internet,” Utah school officials said in a statement.
While schools and companies grapple with improving their security measures to avoid these potentially expensive attacks, what can you do to protect yourself and the institutions or companies you are involved with? Here’s the thing: Attackers need a way to get into a system, and the easiest one is through social engineering, which is a fancy way to say “getting an individual to click on a link or download a file that contains the malicious program.” Social engineering attacks are difficult for IT departments to prevent. Not because they lack the skills to stop an attack, but because the attacks are counting on human error — that’s where you come in.
Phishing emails are a common way for cybercriminals to reach their targets. Scam emails are sent to frighten the recipient into taking action such as clicking on a link or opening an attachment. The link leads to a malicious website that installs the malware, and the attachment, once opened, does the same thing. According to technology management firm NetStandard, only 12% of users will open a phishing email. Of those who open it, 4% will click on the link or open the attachment. If 4% of Utah’s teachers and administrators clicked on a phishing email that opened the gate to ransomware, that would be close to 1,500 people around the state, based on numbers from the Utah Board of Education.
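The three tells in the paragraph above (a sender who is not who the display name claims, pressure to act quickly, and a link or attachment that is not what it appears to be) can be checked mechanically. The following is an added illustration written for this column, not code from NetStandard, the FBI or the University of Utah. Both messages are constructed samples; the `.test` and `example.edu` domains, the trusted-domain list and the phrase list are assumptions chosen for the demonstration, not a complete phishing filter.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The first carries the classic tells
# described in the column; the second is a routine internal notice with none of them.
PHISH_EML = """\
From: "University IT Help Desk" <helpdesk@example-mail-host.test>
To: staff@example.edu
Subject: Action required: your mailbox will be suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is over quota. Verify now or lose access within 24 hours.</p>
<p><a href="http://login.example-phish.test/verify">https://mail.example.edu/verify</a></p>
</body></html>
--XYZ
Content-Type: application/octet-stream; name="Invoice_Overdue.pdf.exe"
Content-Disposition: attachment; filename="Invoice_Overdue.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ--
"""

BENIGN_EML = """\
From: "IT Help Desk" <helpdesk@example.edu>
To: staff@example.edu
Subject: Planned maintenance window Saturday
Content-Type: text/plain; charset="utf-8"

The mail servers will be patched Saturday between 6 and 8 a.m.
No action is needed on your part.
"""

TRUSTED_DOMAINS = {"example.edu"}          # assumption: the institution's own domain
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk")
URGENCY_PHRASES = ("action required", "suspended", "within 24 hours", "verify now")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH_RE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def host_of(text):
    """Hostname of a URL, or of bare link text such as 'mail.example.edu/verify'."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def phishing_indicators(raw):
    """Return a list of human-readable warning signs found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. The display name claims one identity, the real address belongs to another domain.
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender {addr!r} (shown as {display!r}) is outside trusted domains")

    # Gather subject, text bodies and attachment names from every MIME part.
    subject = msg["Subject"]
    text = (str(subject) if subject else "") + "\n"
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            if filename.lower().endswith(RISKY_EXTENSIONS):
                findings.append(f"attachment {filename!r} has an executable extension")
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            text += part.get_content()

    # 2. Pressure language that pushes the reader to act before thinking.
    lowered = text.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 3. Link text shows a trusted address while the href goes somewhere else.
    for href, anchor_text in ANCHOR_RE.findall(text):
        shown = re.sub(r"<[^>]+>", "", anchor_text).strip()
        if URLISH_RE.match(shown) and host_of(shown) != host_of(href):
            findings.append(f"link shows {shown!r} but goes to {href!r}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(name, phishing_indicators(sample))
```

Run against the constructed phishing message, the function reports all four signs (untrusted sender, executable attachment, urgency wording, mismatched link); the routine notice produces none. The point for a reader is the checklist, not the script: hover over a link to compare the shown address with the real one, look past the display name to the actual sender, and treat a deadline in the subject line as a reason to slow down.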
Criminals may use a technique called pretexting as part of a social engineering plan. Pretexting is a type of phishing where the perpetrator pretends to be someone who would legitimately have access to sensitive information, such as a co-worker, bank official or business partner. The imposter may ask questions or provide information that helps to confirm their credentials to gain the trust of the victim. Once that’s established, the malicious attachment is sent and the odds are high that the recipient will open it, leaving the employer open to attack.
In its warning, the FBI recommended a series of security measures to protect institutions, which can easily be adapted to individuals. Regularly back up data, and air gap and password-protect backup copies offline. (Air gap means to store backup data in a location that is not connected to the internet, so an external hard drive that is disconnected once the backup is written would qualify, but not cloud storage or a drive that stays plugged in.) Install updates and patch operating systems, software and firmware as soon as they are released. In other words, keep your devices and systems up to date. Regularly change passwords to network systems and accounts, and avoid reusing passwords. For the individual, that also means using a unique password for each account you access.
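A backup only helps if it can be trusted when it is needed, and the University of Utah case above shows the cost of finding out too late. The following added example, written for this column rather than taken from the FBI guidance, shows the two habits that matter: record a checksum of every file at backup time, and verify the copy against that record before relying on it. The scenario in `demo()` is constructed in a temporary directory; the overwrite and rename at the end stand in for what happens to a backup drive that was left connected when ransomware ran.

```python
"""Write a backup copy with a SHA-256 manifest, then verify it before trusting it."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_backup(src: Path, dest: Path) -> dict:
    """Copy src to dest and store the manifest alongside the copy."""
    shutil.copytree(src, dest)
    manifest = build_manifest(dest)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup: Path) -> list:
    """Return a list of problems; an empty list means the copy matches its manifest."""
    expected = json.loads((backup / MANIFEST_NAME).read_text())
    actual = build_manifest(backup)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    """Constructed scenario: a fresh backup verifies clean; the same copy, left
    reachable and damaged afterwards, fails verification with a precise report."""
    work = Path(tempfile.mkdtemp())
    src = work / "records"
    (src / "notes").mkdir(parents=True)
    (src / "grades.csv").write_text("student,grade\nA,90\n")          # constructed data
    (src / "notes" / "memo.txt").write_text("staff meeting Tuesday\n")  # constructed data
    backup = work / "backup"
    write_backup(src, backup)
    clean = verify_backup(backup)

    # Stand-in for a backup volume that stayed connected: one file's contents are
    # replaced, another is renamed with an unfamiliar extension.
    (backup / "grades.csv").write_bytes(b"\x00" * 32)
    (backup / "notes" / "memo.txt").rename(backup / "notes" / "memo.txt.locked")
    tampered = verify_backup(backup)
    shutil.rmtree(work)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup problems:", before)
    print("damaged backup problems:", after)
```

The manifest lives next to the copy here for simplicity; in practice keep a second copy of it with the offline drive's paperwork or on separate media, since a manifest that can be rewritten by the same intruder proves nothing. The same verification step, run on a schedule, is also how an institution learns that a backup job has been silently failing before the day it is needed.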