If you've been following the latest news on ransomware, you know that education organizations have been a recent high-profile target of some advanced ATPs -- and the FBI is monitoring the situation very closely.
In a FBI and DHS-CISA flash industry alert last week, law enforcement said a recent increase in attacks leveraging PYSA ransomware, also known as Mespinoza, has been traced to both US and UK educational institutions.
We wanted to dive even deeper into what this latest spike in ransomware attacks means for education organizations, why exactly they're being targeted, and what they can do about it in this expert Q&A with LogRhythm CSO James Carder:
Why is ransomware so effective?
"Ransomware proves to be successful time and time again because attackers prey on businesses and organizations that rely on outdated operational systems and technology, outdated applications, misconfigured systems, systems not up to date on security patches, making them easy targets to carry out successful attacks. Bad actors often combine those weaknesses with the natural weaknesses in people to click on things they should not. Such organizations that full under this umbrella and are under attack include state and local government and educational institutions.
The impacts of ransomware can shut down businesses and stop revenue generation, making it a very attractive strategy. Its target radius is vast and can be used to target any and every industry, company, commercial or government. It does not matter who the target is. In addition, almost anyone can use it, from individual criminals to criminal groups to nation state threat actors. Pre-built ransomware kits are easily accessible, so it does not require much development or customization to be an effective weapon.
The massive shift from in classroom to e-learning and government institutions that traditionally work on premise now being completely remote has made those groups prime targets. Traditionally, they do not have the protections, funding, or focus on cybersecurity, which is exasperated with the massive transition from on premise to remote, broadening their exposure and increasing the target landscape for the attackers.
Attackers are also on the constant lookout for opportunity. With the rise of the COVID-19 pandemic, many attackers have taken advantage of victims’ search for information and dependence on online tools used to work and educate from home. By luring online users into opening malicious emails and attachments, these criminal groups have preyed on victims’ insecurities during a precarious time."
Why are hackers targeting education?
"Educational institutions are big targets for hackers as thousands of people’s sensitive information is potentially involved, and the substantial shift towards e-learning has made them even more vulnerable and appealing to hackers and ransomware. These attacks on schools can bring education to a halt while potentially exposing every student and teacher’s personal data within the organization. Parents are also targets and may be coerced into paying ransom for personal information or school assignments if information falls into bad actors’ hands.
It is also not just a wealth of personal information that can be exposed, but the personal information of children which raises the intensity. This could go above and beyond general information and include pictures and video of your children. If it raises the intensity and urgency, it raises the likelihood of paying a little ransom."
What can organizations do to mitigate their risk of ransomware?
"Educational institutions need to take a proactive approach and invest in cybersecurity solutions that detect malicious behavior and enable network infrastructure to block any further access attempts. Institutions should patch aggressively, create backups, prepare a response plan, and prioritize educational training to ensure they are equipped to handle attacks and proceed without disruption."
Should an organization pay the ransom? How can they prevent the need to pay?
"Paying the ransom isn’t necessarily the better strategy, as it can result in additional financial penalties from the U.S. Federal Government and doesn’t guarantee a positive outcome.
To better prepare, organizations should consider investing in a good cyber insurance policy that explicitly covers the cost of a ransom itself and the cost of lost revenues and of recovery. Baltimore was hit with a ransomware attack last year that demanded payment of $76,000. Because the city did not pay, which is the recommended course of action in most cases, they were left with the restoration costs and revenue losses that totaled over $18 million. The city did not invest in cyber insurance, so they didn’t have access to the critical recovery assistance that was needed. Thus, from a pure risk-management perspective, a credible cyber insurance policy is most likely worth its weight in gold in situations such as this. State and local governments also have access to certain emergency funding options under certain circumstances when ransomware or cyberattacks strike. This should also be a part of an incident response plan to consider, ransomware or otherwise.
Paying the ransom might be the right business decision if there is the potential to lose millions of dollars a minute or if people’s safety and lives are at immediate risk. That is a business decision that makes a $100k ransom sound fairly reasonable, even if you’re flushing that money down the toilet because the attackers don’t undo the ransomware attack or if they decide to attack multiple times to collect more ransom. If you have all the other financial components in place to cover you, then maybe you can forgo paying the ransom. In the end, there is only a recommended approach but no real right answer.
Ultimately, to pay a ransom or not is a business decision. The ethics and downstream effect of paying a ransom all point to not paying the ransom; yet it is important to note that there is no guarantee that not paying will be the best course of action."