School might be out for the summer for districts, colleges, and universities, but ransomware attacks show no signs of taking a break. The disruptions caused by the rapid shift to distance learning in early March heightened the appeal of educational institutions as a high-value target for ransomware attackers.
K-12 school districts, colleges, and universities have always been on the radar because of their vast repositories of personally identifiable information (PII) and personal health information (PHI). However, with the need to deliver courses online, combined with administrators, faculty, and students accessing resources from less secure home networks, the likelihood of being able to hold vital data for ransom has increased. It was just this situation that Michigan State University faced recently as data from the Department of Physics and Astronomy was held for ransom.
We had the opportunity to talk with Eric Nail, Systems Engineer at Pure Storage, to find out more about why ransomware is such a persistent threat, why educational institutions don’t need to pay the ransom to restore their data, and other strategies they can use to mitigate the looming threat of ransomware attacks. Read on to find out why he thinks educational institutions shouldn’t pay the ransom and should invest that money in Flash backup and restoration solutions.
Today’s Modern Educator (TME): Why is ransomware such a significant problem for educational institutions?
Eric Nail (EN): Ransomware is a serious problem because it’s a low-cost, low-risk, high-reward attack. Cyber attackers are rarely sent to jail for executing a ransomware attack, yet there’s a very high probability that they’ll receive a monetary payoff. While organizations are reluctant to discuss the issue of ransom payment, it’s widely accepted that more than a half, close to two-thirds, of organizations will actually pay the ransom; that makes ransomware big business. Until this balance changes, ransomware is going to continue to be one of the most common and painful problems we face.
TME: Is it their data that makes these organizations an appealing target, or is it the criticality of the services they deliver?
EN: What makes educational institutions an attractive target is both the data they hold and the criticality of the services they deliver. Right now we’re seeing ransomware attacks evolve. The goal of most ransomware is to encrypt an organization’s data so it can’t be accessed until the ransom is paid, but attackers are now also threatening to reveal the data so that it can be used against the organization, an individual, or anyone whose data is caught up in the attack. Recently, a criminal organization threatened to release sensitive information belonging to President Trump if a ransom wasn’t paid, proving that anyone with a digital footprint is a potential target. These days, no one is immune.
TME: Are we seeing a rise in ransomware attacks during the pandemic?
EN: We are absolutely seeing a rise in ransomware attacks during the pandemic. The rapid roll-out of remote work and distance learning and the criticality of the services provided by educational institutions have created the ideal conditions for ransomware attacks to flourish. These attackers know that home computers and networks are far less secure than the corporate networks and they’re taking advantage of that. They’re also taking advantage of the disruption in routines and the very human impacts of this crisis to slip through our defenses.
Anytime there’s a humanitarian crisis – be it wildfires, hurricanes, or a global pandemic – there’s an opportunity for criminal organizations to launch ransomware attacks via phishing emails. Combine that with disruptions, distractions, and weakened security and it creates the perfect opportunity for an attack to slip through our defenses and exploit valuable data.
TME: Is paying the ransom the only option that these organizations have?
EN: It might seem like paying the ransom is the only option but, fortunately, it isn’t.
The first thing to know is that fewer than half of the organizations that pay the ransom actually get their data back. Think about that for a minute – the odds of getting your data back after having paid a significant sum of money are less than 50-50. Those are not good odds.
And it gets worse. Even if you do pay the ransom and you do get your data back, there’s no guarantee that they won’t strike again. There are far too many organizations that have paid the ransom only to be hit again just days later. The bad guys know that the organization is still vulnerable, and they know that they’re willing to pay.
So, based on these odds and with the implementation of effective mitigation strategies, which should include both cybersecurity defenses and data management, paying the ransom really shouldn’t be considered a first, second, or third option.