Threat Intelligence Blog

Posted September 15, 2016

Ransomware continues to be a go-to tool for cyber criminals seeking to exploit targets for the purposes of making money. As a result, ransomware attacks are not only proliferating in volume and scope, but they are also becoming more sophisticated. According to one computer security vendor report[1], more new ransomware families emerged in the first half of 2016 than in all of 2015, indicating that this method of extortion is likely to continue for the foreseeable future. Most ransomware is delivered via e-mails or downloads from URLs hosting ransomware or exploit kits leading to ransomware. Over the past year, sectors that have fallen victim to ransomware campaigns include healthcare, certified public accountants, law enforcement entities, and financial institutions. Now, we are beginning to see ransomware attacks against universities. Educational services were even listed in the top five sectors filtered for incidents caused by hacking, according to one April 2016 study[2].

Recent news reporting[3] shows that nearly two-thirds of universities in the United Kingdom (UK) have had their computer systems held for ransom by hackers. One UK university boasting a cyber security center was targeted 21 times over the past 12 months. According to a SentinelOne survey[4] of 71 UK educational institutions, 23 of the 58 surveyed universities had been attacked by ransomware in the past year. Ransom amounts varied, with the largest demand being five bitcoins (approximately $2,900).

While none of the UK universities paid the ransom, there are incidents where other universities have acquiesced to the attackers’ demands, possibly encouraging attackers to periodically go back and try their luck again. In June 2016, a Canadian university[5] paid $15,780 for access to their encrypted files, and in July, an Irish university[6] was targeted by attackers three times, though the university only paid a ransom once.

Universities may be viewed as lucrative targets because they hold a large amount of student and professional staff’s personally identifiable information (PII), the type of information that is easily sold in the cyber crime black market. In addition to PII, many universities are engaged in a substantive amount of research and development, which can be attractive for hostile actors seeking to steal information and intellectual property that they can potentially sell to companies for a higher price point. In 2015, two U.S. universities[7] were targeted and compromised for R&D by suspected Chinese hackers.

Another potential cause for university targeting is that universities may not have the most robust cyber security mechanisms in place. Traditionally, university networks were open in order to facilitate information sharing and academic collaboration. Many e-mail addresses are easily found online, providing the means for attackers to “spray and pray” – deliver a high volume of e-mails in the hope that at least one will achieve its intended objective.

While universities represent the latest sector in ransomware targeting, authorities still strongly recommend that ransom demands not be met. Earlier this year, the Federal Bureau of Investigation (FBI) published an advisory[8] strongly advocating that victims should not give in and pay ransoms. Similarly, Europol has started an initiative called No More Ransom[9], a joint collaboration between law enforcement and IT security companies designed to disrupt cyber criminals’ businesses with ransomware connections.

Universities, like other organizations, need to be prepared for how to address the threat of ransomware. Keeping antivirus and antimalware solutions up-to-date, educating staff and the student population about cyber threats, ensuring security patches are up-to-date, and regularly backing up important data are some ways to reduce the risk of malware entering the larger enterprise. In addition, designing and implementing proper response plans to ensure business operations’ continuity will help universities maintain resilience to ransomware, as well as other incidents such as breaches, data loss, and other malware-driven events.

By Emilio Iasiello, LookingGlass CTIG
