“You can collect that money in a couple of hours,” a ransomware hacker’s representative wrote in a secure June 2020 chat with a University of California, San Francisco, negotiator about the $3 million ransom demanded. “You need to take us seriously. If we’ll release on our blog student records/data, I’m 100% sure you will lose more than our price what we ask.”
The university later paid $1.14 million to gain access to the decryption key.
Colleges and universities worldwide experienced a surge in ransomware attacks in 2021, and those attacks had significant operational and financial costs, according to a new report from Sophos, a global cybersecurity leader. The survey included 5,600 IT professionals, including 410 from higher education, across 31 countries. Though most of the education victims succeeded in retrieving some of their data, few retrieved all of it, even after paying the ransom.
“The nature of the academic community is very collegial and collaborative,” said Richard Forno, assistant director of the University of Maryland Baltimore County Center for Cybersecurity. “There’s a very fine line that universities and colleges have to walk between facilitating academic research and education and maintaining strong security.”
That propensity of colleges to share openly and widely can make the institutions susceptible to attacks.
Nearly three-quarters (74 percent) of ransomware attacks on higher ed institutions succeeded. Hackers’ efforts in other sectors were not as fruitful, including in business, health care and financial services, where 68 percent, 61 percent and 57 percent of attacks, respectively, succeeded. Given this above-average success rate in encrypting higher education institutions’ data, cybercriminals may view colleges and universities as soft targets for ransomware attacks. Despite high-profile ransomware attacks such as one in 2020 that targeted UC San Francisco, higher ed institutions’ efforts to protect their networks continued to fall short in 2021.
“When one sector improves their defenses, the bad folks go somewhere where the bar is lower and they can get money easily,” said Jeremy Epstein, chair of the U.S. technology policy committee of the Association for Computing Machinery.
Among all sectors in 2021, higher education had the slowest recovery times following an attack, according to the report. Forty percent took more than a month to recover—a stark contrast to the global average of 20 percent. The average remediation cost of $1.42 million was higher than the global average for all sectors.
Universities are home to students, who are often transient, and to faculty and researchers from around the world, which can make it challenging to know who is on the network at a given time. In contrast, IT professionals in some other sectors are often able to “monitor and control pretty much everything,” Forno pointed out.
The trajectory of ransomware attacks on colleges and universities is headed in the wrong direction. Nearly two-thirds (64 percent) of institutions reported ransomware attacks last year, according to the report. In 2020, fewer than half (44 percent) of education respondents in both higher and K-12 education were hit by ransomware attacks.
Many cybersecurity incidents occur after someone disregards what Forno calls “cyber 101” best practices that professionals have gleaned over decades. Such practices include installing high-quality defenses, monitoring networks for suspicious activity, educating users and reviewing relationships with vendors that have access to the network.
Some cybercriminals attack universities to steal intellectual property or for the bragging rights about a successful hack on high-profile institutions. In such cases, institutions like Harvard or MIT may be appealing targets. Ransomware criminals, however, are motivated by money. But that does not mean they always target the wealthiest institutions.
“It may well be the more obscure schools, those with fewer resources for defenses, are at the greatest risk,” Epstein said.
Half of the targeted higher education survey respondents paid ransoms to restore data, though they also relied on backups in the aftermath of an attack. Though most (61 percent) of colleges and universities that paid the ransom got some of their data back, very few (2 percent) got all of it back.
The insurance industry has nudged colleges and universities toward improving their ransomware defenses in the past year. Nearly all colleges and universities surveyed (96 percent) upgraded their cyberdefenses to secure insurance coverage. Many higher education respondents reported that the level of cybersecurity needed to qualify for cyberinsurance had increased and that the process of securing insurance had become more complex and lengthier. Perhaps as a result, higher ed institutions have been slow—slower than the average for other sectors—to secure cyberinsurance coverage for ransomware attacks.
Even so, insurance is not a panacea.
“All [insurance] really does is just offload the financial risk from the victim to the insurance company,” Forno said. “It rewards complacency.”
Still, insurance companies are incentivized to write policies for which they will not have to pay, which can play a role in reducing risk.
Insurance companies have “learned a lot because, unfortunately, there have been a lot of successful attacks,” Epstein said. “They’ve got actual data that allows us to understand better where the problems are and how to defend better against them.”
The report contained a bit of good news for higher education—all respondents with cyberinsurance that were hit by ransomware attacks received insurance payouts. The payouts helped the institutions with cleanup costs to resume operation but did not necessarily help address the weakness that led to the attack.
“It’s pretty much impossible to overstate the risk or the criticality of protecting any sort of organization,” Epstein said. “Everybody is vulnerable.”
Further, university administrators responsible for network security should not be lulled into thinking that a potential ransomware attack would be a one-and-done event.
“The reality is you could pay the ransom and get what you think is your data back, and then a month later, the same bad guys show up and do it again from a different username in a different Bitcoin account,” Forno said. “Then, you’re back where you started.”