Last March, the FBI's Cyber Division sent out an advisory warning that cybercriminals were using malicious software called PYSA ransomware to target educational institutions and successfully extort money. PYSA is one of many ransomware families, alongside NetWalker, Clop, Ryuk, DoppelPaymer, and others, used in attacks against K-12 schools and colleges.
In July of 2020, the University of California, San Francisco, paid $1.14 million to cybercriminals who encrypted and threatened to publish stolen sensitive information. UCSF, Michigan State University, and Columbia College Chicago were targeted with the same ransomware, as was the University of Utah, which paid $457,000 in ransom.
Ransomware attacks on colleges doubled between 2019 and 2020, according to the BlueVoyant: State of Education 2021 Report. There were at least 26 ransomware attacks involving colleges and universities in 2020, and 58 attacks involving school districts, according to Emsisoft. Because school districts include multiple institutions, it’s estimated that 1,681 schools, colleges, and universities were affected.
Despite the many and diverse security products that schools and universities deploy, cyberattacks continue unabated. Ransomware is a primary attack focus, comprising almost a third of all cybersecurity incidents. Unfortunately, educational institutions that have bought security products can become overconfident, believing they have adequate protection. That just isn't the case. We've seen numerous schools and universities with multi-layered security protections become victims of cyberattacks.
Detection and prevention solutions, while necessary, simply won't stop every attack from breaching an institution's defenses. There are too many gaps between solutions, too many people mistakenly clicking on malicious phishing links, too many weak password practices, and too many system vulnerabilities that get exploited.
Schools and universities think it's never going to happen to them, until it does. Because cybersecurity incidents are so prevalent, every educational institution needs a comprehensive plan to recover its data and digital systems.
Speed of recovery is critical
After an attack, operations need to be up and running quickly. In addition to having detection and protection measures in place, recovery measures are necessary for rapid restoration. Most educational institutions can't afford to be offline for days or weeks, so they pay the ransom. Victims feel it is likely less costly than replacing and rebuilding systems from backup. However, every paid ransom encourages cybercriminals to continue their malicious exploits.
Rendering ransomware impotent
Schools and universities victimized by a cyberattack can experience long-term business and financial consequences. In addition to a holistic strategy and multiple layers of security to protect against cyberattacks, rapid data and operating system recovery is needed.
Paying a ransom because data is held hostage is not a cybersecurity strategy. Data backup isn't the answer for protecting against ransomware, either. Restoring data from backup takes a long time, and it's not always reliable. Truth be told, hackers also target backup systems. Data and system recovery needs to be deployed proactively so that operations can be re-established quickly. Security products and recovery solutions go hand in hand: if a cybercriminal gets past the firewall, anti-malware, or endpoint security, all data and operating systems can be recovered within an hour or two, rather than in days or even weeks.
Rather than copying data, next-generation recovery solutions create a virtual overlay that stores deltas against the original data. A security breach only reaches the overlay, which shields the original data and operating systems, and the data is restored with a single button click. This renders ransomware powerless, because the data is never lost and can't be held hostage.
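To make the overlay-with-deltas idea concrete, here is an added, constructed example (not any vendor's product or the article's own code): a copy-on-write volume whose base image is immutable. Every write lands in a per-block delta map, reads merge the deltas over the base, and rollback discards the deltas, which is the "single click" restore described above. The byte-wise XOR in `corrupt_every_block` is a stand-in for a payload rewriting all data, not a real encryption routine.

```python
class OverlayVolume:
    """Copy-on-write overlay: base image is immutable, writes go to a delta map."""
    def __init__(self, base: bytes, block_size: int = 16) -> None:
        self.base = bytes(base)              # original data, never modified
        self.block_size = block_size
        self.deltas: dict[int, bytes] = {}   # block index -> replacement block

    def _block(self, idx: int) -> bytes:
        # A delta shadows the base block; untouched blocks come from base.
        if idx in self.deltas:
            return self.deltas[idx]
        start = idx * self.block_size
        return self.base[start:start + self.block_size]

    def read(self, offset: int, length: int) -> bytes:
        first = offset // self.block_size
        last = (offset + length - 1) // self.block_size
        merged = b"".join(self._block(i) for i in range(first, last + 1))
        skip = offset - first * self.block_size
        return merged[skip:skip + length]

    def write(self, offset: int, data: bytes) -> None:
        # Copy-on-write: the affected block is copied into the delta map and
        # patched there. self.base is never touched.
        for pos, byte in enumerate(data, start=offset):
            idx, off = divmod(pos, self.block_size)
            block = bytearray(self._block(idx))
            block[off] = byte
            self.deltas[idx] = bytes(block)

    def rollback(self) -> int:
        # Discard every delta, restoring the base image; returns blocks dropped.
        dropped = len(self.deltas)
        self.deltas.clear()
        return dropped

def corrupt_every_block(vol: OverlayVolume, key: int = 0x5A) -> None:
    # Stand-in for a payload that rewrites all data (here a byte-wise XOR).
    # It goes through write(), so only the overlay is affected.
    size = len(vol.base)
    vol.write(0, bytes(b ^ key for b in vol.read(0, size)))

def demo() -> tuple[bytes, int, bytes]:
    # Constructed sample data standing in for a small records file (3 blocks).
    records = b"id=1001,name=Alice;id=1002,name=Bob;".ljust(48, b"\0")
    vol = OverlayVolume(records, block_size=16)
    corrupt_every_block(vol)
    corrupted = vol.read(0, 48)        # what a user would see after the attack
    dropped = vol.rollback()           # the "single click"
    return corrupted, dropped, vol.read(0, 48)
```

The caveat the model makes visible: the guarantee holds only while the payload cannot reach the base image or the delta store itself, which is why the article's point about attackers targeting backup and recovery systems matters.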
What to do if you have a cyberbreach
If no next-generation recovery solution was in place before a ransomware attack, there are important steps that must be taken immediately after it. First, disconnect all computers from the internet and power them down. After identifying the affected host's mission-critical data, mount the storage devices of computers known to be clean systems and back them up. It is important to also back up a potentially corrupted system. This preserves important forensic evidence for further breach investigation, and it leaves an additional opportunity to recover data through different methods and tools.
It is recommended that the operating systems of the compromised machines be reinstalled from scratch or factory reimaged. This is important because hackers are known to install backdoors or malware that are hard to detect and completely remove. Then you can begin the arduous task of restoring your data using a backup or recovery tool.
Lastly, after you finish recovering all the data and computers, it's important to patch all vulnerabilities, harden security in your systems, and change user passwords on the affected computers. I must stress the importance of being proactive. It's not a matter of if a cyberattack will happen, but when. A mature cybersecurity posture, backed by a rapid recovery solution, will ensure protection when hackers exploit security gaps and vulnerabilities.