The education sector remains vulnerable: ransomware groups' leak ("shame") sites continue to list teaching institutions from around the world. Among the latest victims were universities in Ireland and Israel. Why are such institutions so vulnerable?
Their IT teams are challenged by a diverse population of staff, students and contractors regularly using their networks. Research staff routinely communicate with other institutions, sharing and receiving links to data and resources outside the network. Student turnover every year is high, including those only embarking on a diploma, part-time or one-year course, so accounts are created and abandoned constantly. There is also the inherent struggle of balancing academic freedom against security needs, and then there are legacy systems in laboratories running on outdated, unpatched operating systems. These factors explain some of the sector's susceptibility to data breaches and cyber-attacks, as reports from Verizon, KnowBe4, and RiffReporter illustrate.
Research and education institutions across the world are affected. KonBriefing lists a staggering 22 attacks in the first two months of 2023 alone. The German University of Duisburg-Essen fell victim to a ransomware attack in November 2022 and only came back online in 2023. The University of Dortmund subsequently asked its staff to refrain from sharing data with Duisburg-Essen through the higher education cloud service Sciebo, for fear of the malware spreading through the shared service.
It is worrying to observe how vulnerable higher education is, and we are not talking about sophisticated attack patterns here. Over the holidays, RiffReporter set out to test 400 German higher education organizations. The researchers found many institutions vulnerable to very basic web attacks, and the weaknesses they detected would have been avoided by simply addressing the OWASP Top 10 categories. In fact, the researchers were so successful that they stopped after breaking into the 70 largest institutions: they had seen enough to assume that the smaller ones were just as easy to break into.
Addressing these vulnerabilities is crucial. With the growing number of leaked credentials available on the internet, organizations also need to be prepared for credential-stuffing attacks. Attackers take email address and password lists collated from previous data breaches and replay them, at scale, against login endpoints such as single sign-on portals, VPNs and webmail, betting on password reuse rather than guessing. Lists of passwords, email addresses, and usernames are sold on the dark web. The fact that some organizations, such as Ilmenau University, fended off a large-scale attack of this kind should motivate other institutions to get security measures in place: rate limiting and lockout on login endpoints, multi-factor authentication, and monitoring for the characteristic pattern of many different usernames failing from the same source. It takes several months of work and a lot of money to recover from a successful attack.
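The monitoring point above can be made concrete. The following is an added example, not code from the original post or from any of the institutions mentioned: a small Python detector that reads authentication log lines and separates credential stuffing (one source, many distinct usernames, one or two attempts each) from classic brute force (one source, one username, many attempts), and flags a successful login from an already-flagged source as a possible account takeover. The log format, the thresholds and the sample lines are constructed for the example; the IP addresses come from documentation ranges.

```python
"""Credential-stuffing vs. brute-force detection over constructed auth-log lines.

Added example, not part of the original post. The log format below is an
assumption: '<ISO timestamp> <OK|FAIL> user=<name> src=<ip>'.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

# Constructed sample log (not real data). Three sources:
#   203.0.113.10  - six different users fail once each, then one succeeds  -> stuffing
#   198.51.100.7  - one user fails eight times                             -> brute force
#   192.0.2.5     - one failure, then success                              -> a typo, benign
SAMPLE_LOG = """\
2023-02-20T08:00:01Z FAIL user=alice@uni.example src=203.0.113.10
2023-02-20T08:00:02Z FAIL user=bob@uni.example src=203.0.113.10
2023-02-20T08:00:03Z FAIL user=carol@uni.example src=198.51.100.7
2023-02-20T08:00:03Z FAIL user=chen@uni.example src=203.0.113.10
2023-02-20T08:00:04Z FAIL user=dave@uni.example src=192.0.2.5
2023-02-20T08:00:04Z FAIL user=dana@uni.example src=203.0.113.10
2023-02-20T08:00:05Z FAIL user=carol@uni.example src=198.51.100.7
2023-02-20T08:00:05Z FAIL user=erin@uni.example src=203.0.113.10
2023-02-20T08:00:06Z FAIL user=carol@uni.example src=198.51.100.7
2023-02-20T08:00:06Z FAIL user=frank@uni.example src=203.0.113.10
2023-02-20T08:00:07Z FAIL user=carol@uni.example src=198.51.100.7
2023-02-20T08:00:08Z OK user=dave@uni.example src=192.0.2.5
2023-02-20T08:00:09Z FAIL user=carol@uni.example src=198.51.100.7
2023-02-20T08:00:10Z FAIL user=carol@uni.example src=198.51.100.7
2023-02-20T08:00:11Z OK user=frank@uni.example src=203.0.113.10
2023-02-20T08:00:12Z FAIL user=carol@uni.example src=198.51.100.7
2023-02-20T08:00:13Z FAIL user=carol@uni.example src=198.51.100.7
"""


def parse_log(text):
    """Parse log text into (timestamp, result, user, src) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def classify_sources(events, window=timedelta(minutes=5),
                     stuffing_users=5, bruteforce_tries=8):
    """Return {src: set(labels)} for sources showing suspicious login behaviour.

    Within a sliding time window per source IP:
      credential_stuffing  - >= stuffing_users distinct users failed, with an
                             average of at most two attempts per user
      brute_force          - a single user failed >= bruteforce_tries times
      possible_account_takeover - a successful login from a source already flagged
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        labels = set()
        recent = deque()  # (timestamp, user) of failures inside the window
        for ts, result, user, _ in evs:
            if result == "FAIL":
                recent.append((ts, user))
                while recent and ts - recent[0][0] > window:
                    recent.popleft()
                per_user = defaultdict(int)
                for _, u in recent:
                    per_user[u] += 1
                if (len(per_user) >= stuffing_users
                        and len(recent) / len(per_user) <= 2):
                    labels.add("credential_stuffing")
                if per_user[user] >= bruteforce_tries:
                    labels.add("brute_force")
            elif labels:
                # A success after the source was already flagged: the replayed
                # credential probably worked, so treat the account as suspect.
                labels.add("possible_account_takeover")
        if labels:
            findings[src] = labels
    return findings


def detect(text, **kwargs):
    """Convenience wrapper: parse then classify."""
    return classify_sources(parse_log(text), **kwargs)


if __name__ == "__main__":
    for src, labels in sorted(detect(SAMPLE_LOG).items()):
        print(f"{src}: {', '.join(sorted(labels))}")
```

The thresholds are deliberately exposed as parameters: a campus SSO portal serving thousands of users behind NAT will need a higher `stuffing_users` than a small admin VPN, and the window should match the rate the attacker's tooling is likely to use. In production the same logic would run over the identity provider's sign-in logs rather than a text file, but the signal to look for is the same: many distinct accounts failing from one source in a short period, followed by a success.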
Elsewhere, the situation is not so different. The 2023 SonicWall Cyber Threat Report shows a 275% increase in ransomware attacks on the education sector. This number reflects broader developments in cybercrime. Ransomware operations have become businesses: they run as efficiently as legitimate companies, but also face some of the same struggles. Ransomware as a service is available to people without technical skills. Toolkits are readily available, complete with YouTube instruction videos and step-by-step guides. Sales and franchise arrangements exist, with different schemes for splitting profits between developers and their affiliates. Attackers employ new tactics to reach the most lucrative targets; for example, victims are offered the choice of spreading the malware to others instead of paying for the decryption of their own data.
Although the total number of ransom payments across all sectors declined, the size of the victim organizations and the value per payment increased. Ransomware groups such as LockBit and Royal will continue their campaigns. After all, the education sector is a treasure trove of personal and financial information, and that kind of data provides great leverage for extortion, since organizations must fear litigation if it is published after the attack.
The sector urgently needs to work on addressing all three elements of holistic cyber defense: people, process, and technology. Data breaches provide the perfect narrative to justify investments in all three elements, and it is past time to act.
This is cross-posted from my blog.