The US and the UK reported a sharp rise in ransomware attacks on universities. Now, why on Earth would you attack a university if it doesn’t sit on a pile of money?
Juicy ransoms paid by both Colonial Pipeline ($4.4M to the criminals) and meat giant JBS ($11M) might whet cybercriminals' appetite. But can you extort that amount of money from a higher education institution?
Granted, some universities are far more prosperous than others. But even those with small endowments get attacked, for two reasons: cybercriminals either expect that insurance will pay the ransom or are simply after intellectual property or classified research.
In June 2020, the University of California paid a $1.14M ransom to the criminals behind a cyber-attack on its School of Medicine, Forbes reported. At the time, the university was researching the COVID-19 cure.
According to ZDNet, the University of Utah revealed that it paid a ransomware gang $457,059 to keep the hackers from leaking student information online.
These are just a few examples of cyberattacks against universities. Experts and law enforcement see a spike in attacks during the busiest seasons for universities - the end of spring and the beginning of autumn.
Spike in ransomware
Even though it’s not yet commencement season, higher education institutions must look ahead to August – when cybersecurity experts predict colleges will be inundated with ransomware attacks, just as they welcome students on campus.
Ransomware attacks on colleges and universities have doubled in the past two years, drawn by a perfect storm of vast troves of financial, personal, and research data, generally underfunded cybersecurity programs, and the need for universities to continue to operate for the benefit and safety of their students. That’s why the late-summer return-to-campus season is prime time for a cyber incident like ransomware.
As of late May/June 2021, the UK's National Cyber Security Centre (NCSC) is investigating another increase in ransomware attacks against schools, colleges, and universities in the UK.
“In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing,” NCSC said.
In March, the US Federal Bureau of Investigation (FBI) reported an increase in PYSA ransomware targeting education institutions in 12 US states and the United Kingdom. PYSA, also known as Mespinoza, is malware capable of exfiltrating data and encrypting users' critical files and data stored on their systems.
The unidentified cyber actors have specifically targeted higher education, K-12 schools, and seminaries. These actors use PYSA to exfiltrate data from victims before encrypting the victims' systems, then use the stolen data as leverage in eliciting ransom payments.
CyberNews sat down with Rob Belk, EY Cyber Leader for Higher Education, to find out who is attacking universities and why.
“We see this trend happening globally,” he said.
Eyeing insurance funds
"The vast majority of universities do not sit on a pile of money. If you were to do a little research on the size of endowments that most US universities have, there are probably 15-20 maximum with vast endowments. It falls very dramatically after that," Belk said when asked why cybercriminals attack universities.
What is more, regardless of what the endowment is, their operating budgets are also not necessarily flush with cash. "Why on Earth would attackers go after universities if they don't think that they are going to get some huge payout as they get from a Colonial Pipeline or JBS?" Belk wondered and gave a couple of possible reasons.
Firstly, if you are a cybercriminal wanting to extort your victim for money, you will be looking for an easier target. And while, for example, major global banks have way more cash, they are also bound by many regulatory requirements to protect themselves.
"So it probably is a harder target to go after," he said.
On average, ransomware attacks on universities cost an institution $447,000 in 2019-2020, according to BlueVoyant analysis. Clop, Ryuk, NetWalker, and Doppelpaymer were the primary ransomware families targeting education institutions.
Some universities, Belk said, have access to that kind of money.
"I think there's a recognition that cyber insurance has now enabled this capacity to pay off a ransom. Even if an institution doesn't have the money, they will go to their insurance company. The insurance company can work with negotiators, figure it out, and agree. So at least criminals will get something for their efforts.
"Insurance companies refuse to pay the ransom," he said.
But the ransom-payment landscape is evolving. In March, insurance giant AXA became the first company to say that it would not reimburse extortion payments. Ironically, AXA was hit with a significant ransomware attack just days after announcing that it would no longer cover damage from that class of cyber-attack in France.
Belk said insurance companies are adjusting. He believes they will either stop reimbursing ransom payments or set out specific requirements for companies that want protection from ransomware. Higher education institutions are obliged to protect students' data and healthcare information if they store any. Those that fail to comply will face fines from regulatory bodies.
The most valuable gem - intelligence and knowledge
There's one thing that universities are wealthy in - knowledge. They work with classified military documents; they research and try to find cures for diseases like COVID-19. Therefore, they get attacked by hackers hired by nation-states.
According to the BlueVoyant report, higher education institutions involved in COVID-19 vaccine research were subject to nation-state activity. Russia-based Cozy Bear and Iran-based Scholar Kitten were identified as threats to the sector last year. At least five nation-state campaigns targeting universities have been identified in the previous two years, though researchers expect the actual number to be higher.
"If you are researching a military capability, then yes, they are going to be interested in that," Belk said.
He also highlighted that universities, in general, have a culture of openness. Their mission is to create and disseminate knowledge. Academics share that knowledge with the university or college they work for and with fellow researchers at other universities.
"They work and collaborate around the globe. It's a fascinating world, and from a cybersecurity standpoint, that makes it really, really difficult," Belk said.
Criminals usually target universities through phishing attacks, tricking their victims into clicking on malicious emails, or by looking for vulnerabilities. Here it gets complicated, as there are quite a few unpatched systems in universities' networks. For example, students set up databases for their research in the university environment and connect them to the internet. After they graduate, it is not uncommon for those databases to just sit there. These orphan systems, Belk explained, become attack vectors.
"They might not have been patched and sitting dormant for years. Attackers find that these things exist, they know that they are using an old version of Windows, and then they can get access that way. That's a little different in a corporate world," Belk explained.