2016 was the year of the hacker. From Russian hackers targeting US elections to the jaw-dropping compromise of more than 1 million Yahoo! user accounts and the DDoS attack that "broke the Internet," it seems like hacks and data breaches were in the news every day. Russian hackers aside, ransomware was the cybersecurity topic that captured the year’s headlines.
The epidemic of weaponized encryption hit an all-time high last year, with an astounding 638 million instances of attempted ransomware attacks, according to a recent report. That's 167 times more than the 3.8 million ransomware attack attempts in 2015, and as our CEO, James Litton, recently predicted to ITBusinessEdge, 2017 will likely surpass 2016 for the most ransomware-riddled year.
As the scale of ransomware attacks expands, so does the list of ransomware targets; reports now suggest that higher education is the new top ransomware target. In fact, a recent analysis of ransomware activity found that as many as one in 10 education organizations have been hit with ransomware attacks.
Higher Education: An Easy Target
It makes sense. Colleges and universities make an ideal target for ransomware demands. Campuses' collaborative, open-data culture and complex, bring-your-own-device environments open the door for attackers, who only need one user to make a mistake to gain access to vulnerable networks. Add to that the generally low security protections at higher-education institutions, and you have a recipe for disaster.
For these reasons and more, cyberattacks are not uncommon in higher education. A well-timed attack, say, during the start of a semester or during a major conference, can bring a college to its knees. That means all but guaranteed bitcoins for hackers.
It was only a matter of time before malicious actors caught on, and once they did, they caught on big-time—2016 is full of examples of colleges and universities being targeted by, and paying up to, ransomware-wielding hackers.
In December 2016, Los Angeles Valley College was hit with a ransomware attack. Hackers locked the school's network, including college email and voicemail systems, and demanded a bitcoin payment totaling $28,000, which the school paid after determining that "making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost."
The University of Calgary was similarly burned in June, when it transferred $20,000 CAD worth of bitcoins (about $16,000 USD) after it failed to undo damage caused by a ransomware attack targeting core systems and research data.
In the UK, Bournemouth University was targeted 21 times over a one-year period. However, the school boasts its own cybersecurity center and said that it has felt “no impact” on its activity due to the attacks.
So the threat to higher education is real, but what is ransomware, exactly?
To put it simply, ransomware is a type of malware that weaponizes encryption, blocking user access to a computer system, files, or service until a ransom is paid. For colleges and universities, that can mean lost student and faculty PII, or even lost research data. Payment is generally required to be made using bitcoins or other cryptocurrencies, which let hackers make untraceable transactions. Typically, hackers have distributed ransomware through phishing attacks, either widespread or targeted, malvertising, or watering-hole attacks.
In a way, ransomware is the Hollywood version of hacking come to fruition—a screen suddenly goes black, an ominous message appears: “We’ve got your data, and you’re going to have to pay dearly to get it back.”
For hackers, this is all great business. Ransomware is fast, it’s easy, it’s relatively anonymous, and it pays well—very well. As noted above, higher education organizations have established a reputation as paying victims, shelling out as much as $28,000 in some instances.
In many cases, ransomware is a low-effort, high-volume business. Hackers take a spray-and-pray approach, spamming thousands of fake messages to targets, looking for the one employee who will click on a malicious link. Some targets pay, while most don’t, but it only takes a small percentage of payments for hackers to make a sizeable profit.
It's hard to put a number on the average cost of a ransomware attack, because many victims choose not to publicize their losses, but the FBI estimates that criminals used ransomware to extort $209 million from businesses and institutions in the first quarter of 2016 alone.
Easy money, and it's only getting easier. The rise of ransomware as a service has made ransomware easy to deploy even for skiddies without the technical ability to pull off attacks themselves. Wannabe hackers can simply download and deploy a malware kit, often available for free or in exchange for a percentage of the take.
What Can We Do?
Protection from ransomware isn't guaranteed. In most cases, letting ransomware into your systems comes down to simple human error: a user clicking a malicious link in a phishing email. However, there are precautions you can take to limit exposure to ransomware and to stop its spread once a system is infected.
A recovery plan is a high priority, especially for colleges and universities, which could lose priceless research data in a ransomware attack. The best practice is to back up your data on a daily basis in multiple locations, offline and in the cloud. Hackers want you to panic when they lock your data, but you don't have to pay them for what you still have.
Strong perimeter defenses and ad-blockers are also important, but shouldn’t be your only line of defense. Perhaps the most important way to defend yourself from the ransomware threat is implementing strong, modern IAM capabilities, which can minimize your attack surface and prevent access to critical systems.
For more on this, stay tuned for my upcoming post, where I’ll outline six best practices for preventing ransomware from infecting your organization and for limiting the damage it can do once inside, and demonstrate how stronger IAM controls can keep your organization safe.