Small Colleges Face Big Ransomware Attacks
Hackers lurk, move laterally and vertically in schools
Melbourne, Australia – Sep. 2, 2021
When it was breached by ransomware cybercriminals earlier this year, the University of Colorado’s refusal to pay the $17 million ransom left more than 310,000 stolen records at the mercy of its extortionists — and highlighted the inevitability of ransomware in a sector where every institution needs alternate strategies to deal with a compromise.
The continuing swell of ransomware attacks has become so pressing that the FBI earlier this year released a formal advisory warning of an increase in PYSA/Mespinoza ransomware attacks on educational institutions in 12 states and the U.K.
Those attacks, in which the malware steals as much data as it can before encrypting it, reflect the new vanguard in ransomware — and a particular threat for universities, where the combination of intentionally open learning environments and often extensive stores of research and sensitive data promises rich rewards for cybercriminals.
“There are lots of colleges around the country that have been victimized that have paid, in some cases, seven figures,” Matt Kenslea, director of state, local and education with privileged access management firm CyberArk, told Cybercrime Magazine.
“And I’m not talking about the Stanfords and Yales of the world” with billion-dollar endowments, he added. “These are smaller colleges where a million dollars is a huge hit to their budget.”
Tennessee Wesleyan University, for example, had to shut down all of its networks in January after a ransomware attack was discovered, while in April British Columbia’s Simon Fraser University suffered its second attack in a year.
The August and September back-to-school season is a particularly risky time for colleges that are busy enrolling and welcoming new students — as well as managing the added complexities of confirming coronavirus vaccine status and enforcing social distancing rules.
Faced with the choice to pay the ransomware cost or not, Kenslea said, many institutions find they have little choice but to pay. “They have to do it because they were running on paper to do a fall registration,” he said. “There’s such brand risk to them, as well as the financial risk.”
Yet ransomware isn’t the only issue for universities, whose broad reach across many disciplines is reflected in complex network infrastructure that remains highly exposed to malicious actors — for whom the variety of user account types, and varying diligence in protecting them, can make for easy pickings.
“There are a lot of people who have access to a lot of privilege in there,” Kenslea explained. “And instead of just locking down the environment, the bad guys are coming in, lurking on the network for a while, and moving laterally and vertically across the network as they pull data out of it.”
Attacks may come from outside, as well. Kenslea previously worked with a northeastern university where a disgruntled former student had launched a massive distributed denial of service (DDoS) attack at the institution.
“Insiders could be students, faculty, staff,” Kenslea explained. “Sometimes it could be malicious, and sometimes it could be just accidental — you’re at a coffee shop and get up to go to the gym, and leave your laptop open. There are a lot of ways that insiders can create a threat to the university.”
Degrees of protection
Indeed, due to their sheer size and technological exposure, universities remain one of the most victimized and inadvertently compromised industry sectors: one analysis placed education behind only government in terms of the number of attacks reported.
Many stem from large-scale breaches such as the Accellion file-transfer software compromise, which led to the theft of data from institutions including Stanford University, the University of Miami, the University of California, Merced, Yeshiva University and, yes, the University of Colorado — whose ransomware extortionists made good on their threats after the university refused to pay up.
Recognizing that they will continue to be attractive targets for cybercriminals, Kenslea recommended that universities take a more proactive stance by following security good-practice guidance from the likes of EDUCAUSE — which offers a Higher Education Community Vendor Assessment Toolkit for measuring cyber risk — and introducing new zero-trust frameworks that can lock down potential threats arising from overly liberal access privileges.
An access-management overhaul is crucial given that university staff and students come and go on a regular basis, with accounts set up for multiple systems often left active long after they have departed.
“Someone has to remember to deprovision you when you leave and take you out of the Active Directory,” Kenslea explained, “so there is a whole lot of risk in the structural environment that universities create.”
“There are multiple pathways that can go wrong from there,” he added, “and the more privileges I have that is a force multiplier.”
“This is why we talk about controlling, through least privilege, what a user can do on the machine and how long they can do it without us rechecking their password.”
“We need to meet them in a way where we are applying least privilege to the user, but that we’re not breaking their workflow. We have to find this balance between security and privilege.”
– David Braue is an award-winning technology writer based in Melbourne, Australia.