Fraud Edge

Cyberattacks in higher education at an epidemic level

Cybercriminals hit public institutions hard with ransomware in 2019 and 2020. Colleges and universities lost millions to fraudsters. These thieves endangered students’ records and stole PII, which they sold on the dark web. Administrators must train students, educators and staff to avoid opening suspicious email attachments.

The University of Utah cyber event started with “an unknown entity” hacking into the College of Social and Behavioral Science computer servers on July 19, 2020, which left them temporarily useless. Administrative officials immediately notified law enforcement and the university’s information security office (ISO). The university then hired an outside consulting firm with specialized experience to assist. The firm’s technicians immediately isolated the hacked computer systems from the rest of the university’s systems. They then scrubbed the systems, and the ISO reinstalled the pertinent data from previous backups.

Because the systems contained student and employee personally identifiable information (PII), the university — in agreement with its consulting firm and insurance company — decided to pay the $457,059.24 ransom the hackers demanded. The university disclosed that its insurance policy covered part of the ransom and that the university paid the remainder. It didn’t disclose the breakdown of the payments, but it did specify that it didn’t use any grant monies, donations, tuition fees or taxpayer funds. (See University of Utah pays $457K After Ransomware Attack, by Lindsey O’Donnell, Threatpost, Aug. 21, 2020.)

The University of Utah paid the unnamed cyber extortionists via Bitcoin and the hackers provided a code that released the locked data servers. Cybercrooks regularly specify digital cryptocurrencies for transactions because they’re fundamentally untraceable. (See Cyber swindlers take University of Utah for nearly $500K in ransomware attack, by Art Raymond, Deseret News, Aug. 21, 2020.)

The university continued to downplay the incident and claimed the cyber extortionists encrypted only 0.02% of the available data stored on the system before the university’s information security office discovered the attack. (See University of Utah pays $450K to Stop Cyberattack on Servers, by Scott Pierce, Salt Lake Tribune in U.S. News & World Report, Aug. 22, 2020.)

Ten days after the attack, the university sent a notice to faculty and students to ask them to update the passwords they used to access the school’s network. The university’s chief information officer (CIO) said the delay was because the university was involved in the investigation and wanted to ensure that “password resets went smoothly in each campus entity.”

The CIO said the university was ascertaining the type of data accessed. He said the event had helped the school specifically identify a weakness in its security system. The CIO said the university corrected that vulnerability. (See the Deseret News article.)

The University of Utah has approximately 24,500 undergraduate students, about 8,500 graduate students and about 1,600 faculty members. (See the Salt Lake Tribune article.) At that time, university officials were continuing to review the accessed information and said they would release more details. (See the Threatpost article.)

Cybercriminals hit three schools within two weeks

The University of Utah joins the club of many higher-education institutions that cybercriminals have targeted. In the spring of 2020 alone, ransomware attacks hit Michigan State University, Columbia College Chicago and the University of California, San Francisco (UCSF), within two weeks. In each case the cybercriminals used the NetWalker ransomware and gave the schools six days to pay, or they’d sell the stolen PII.

Michigan State University appears to be the only one of the schools that chose not to pay the ransom. The intrusion was limited to just the department of physics and astronomy. MSU’s information technology teams took swift action to prevent further exposure, including taking the impacted servers and workstations offline and notifying law enforcement, the university said.

“First and foremost, our priority is determining what information was compromised and then working with anyone who may have been affected to provide them with the appropriate support,” said MSU Chief Information Officer Melissa Woo. “The safety and security of our IT systems and the people who use them are of paramount importance to MSU. It is why MSU continues to work diligently to strengthen and improve our information security systems and share best practices with our campus community,” Woo said. (See Michigan State University won’t pay ransom after cyber attack, by Steve Marowski, MLive, June 3, 2020.)

Soon after the six-day deadline, some of the leaked PII stolen from the school’s department of physics and astronomy was available for purchase on the dark web. (See Cyberextortion Threat Evolves, by Lindsay McKenzie, Inside Higher Ed, June 11, 2020.)

UCSF confirmed it paid a ransom of $1.14 million (the highest reported ransom so far) to the criminals behind a NetWalker ransomware cyberattack. On June 1, 2020, the hackers behind the campaign attacked UCSF networks within the school of medicine IT environment. Thankfully, the attack didn’t affect patient care delivery operations or research work on a cure for COVID-19. However, data on a “limited number of servers” was successfully encrypted, according to a UCSF statement published June 26.

The encrypted data “is important to some of the academic work we pursue as a university serving the public good,” the UCSF statement said. Although the cyberattack probably didn’t expose patient records, the university said, “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.” (See The University of California Pays $1 Million Ransom Following Cyber Attack, by Davey Winder, Forbes, June 29, 2020.)

There is plenty of interest not only in how the attackers managed to get their foothold onto the school of medicine network but also in whether backups of the encrypted data were available. The wording of the UCSF statement itself does seem to suggest that backups weren’t available. According to the Forbes article, if that’s the case, the question, as Ian Thornton-Trump, CISO at Cyjax, put it, is why “executives are willing to pay a $1 million ransom to cybercriminals, but not willing to pay a fraction of that to implement or maintain backups?” (See the Forbes article. Cyjax offers incident response services and threat intelligence.)
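The question above is only answerable if a backup is actually restorable when the ransom note arrives, and that is something a school can check on a schedule rather than discover during an incident. The following is an added example, not code from the article or from any of the universities named in it: a restore drill that compares a backup store against the SHA-256 manifest its backup job wrote and confirms the copy is recent enough to be useful. The file names, contents, digests and timestamps are constructed for the demonstration, and the manifest format is an assumption of the example.

```python
"""Restore-drill check for an offline backup set (added example, constructed data).

Assumes the backup job writes a manifest of SHA-256 digests and a timestamp
next to the copied files. Everything below is constructed for the demo.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample: the bytes a healthy backup store holds.
GOOD = {
    "records/students.csv": b"id,name\n1,Alice\n2,Bob\n",
    "records/payroll.csv": b"id,amount\n1,100\n",
    "research/dataset.bin": bytes(range(256)),
}

# Constructed manifest, as the backup job would have recorded it at run time.
MANIFEST = {
    "taken_at": "2020-07-19T02:00:00+00:00",
    "files": {name: hashlib.sha256(data).hexdigest() for name, data in GOOD.items()},
}

# Constructed damaged store: one file overwritten (as an encryptor leaves it),
# one file missing entirely.
DAMAGED = dict(GOOD)
DAMAGED["research/dataset.bin"] = b"\x00" * 16
del DAMAGED["records/payroll.csv"]

# Constructed clock values for the drill: a few hours after the backup, and
# three days later when the same backup should be treated as stale.
DRILL_TIME = datetime(2020, 7, 19, 8, 0, tzinfo=timezone.utc)
STALE_TIME = DRILL_TIME + timedelta(days=3)


def verify_restore(manifest, store):
    """Compare a backup store against its manifest.

    Returns sorted 'ok', 'corrupted' and 'missing' lists so a scheduled drill
    fails loudly instead of the gap being found mid-incident.
    """
    result = {"ok": [], "corrupted": [], "missing": []}
    for name, expected in manifest["files"].items():
        data = store.get(name)
        if data is None:
            result["missing"].append(name)
        elif hashlib.sha256(data).hexdigest() != expected:
            result["corrupted"].append(name)
        else:
            result["ok"].append(name)
    for key in result:
        result[key].sort()
    return result


def backup_age_ok(manifest, now, max_age=timedelta(hours=24)):
    """True if the backup is recent enough to recover from without large data loss."""
    taken = datetime.fromisoformat(manifest["taken_at"])
    return now - taken <= max_age


def restore_drill(manifest, store, now):
    """One pass of the check an operator would schedule: is the copy fresh and intact?"""
    report = verify_restore(manifest, store)
    report["fresh"] = backup_age_ok(manifest, now)
    report["usable"] = report["fresh"] and not report["corrupted"] and not report["missing"]
    return report


if __name__ == "__main__":
    for label, store, when in (
        ("good copy", GOOD, DRILL_TIME),
        ("damaged copy", DAMAGED, DRILL_TIME),
        ("good but stale copy", GOOD, STALE_TIME),
    ):
        report = restore_drill(MANIFEST, store, when)
        print(label, "usable" if report["usable"] else "NOT usable", report)
```

The drill treats a missing file, a digest mismatch and an out-of-date copy as equally disqualifying, because any one of them turns a ransom decision from a policy choice into a forced one. A real deployment would run it against a copy that the production network cannot write to, since a backup the attacker can reach is the first thing an encryptor targets.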

Columbia College of Chicago confirmed its IT systems detected a breach of its computer system that was contained to a limited number of servers within the college. The college also confirmed that the hackers used the same NetWalker ransomware used in the other two attacks.

College officials sent an email in which they admitted cybercriminals had accessed some employee, student and college data, but they were still investigating the incident. They didn’t reveal how much money the hackers demanded. (See Breaking: Columbia student information at risk in ransomware attack, by Kendall Polidori and Mari Devereaux, The Columbia Chronicle, June 5, 2020.)

Emboldened cybercriminals pursuing larger targets

Generally, hackers use ransomware, or malicious software, to prevent owners of information from accessing it on their computer networks. The cyber-extortionists then ask for money (typically in the form of Bitcoin) in return for codes to unlock access to the information.

Just a few years ago, ransomware attacks only happened to a few unlucky entities, which were forced to pay a few hundred dollars to regain access to their computer files. Now, cybercriminals have stopped targeting select individuals and are pursuing much larger targets: businesses, cities and school systems. They’ve turned it into a $13 billion-a-year industry.

Dozens of large ransomware assaults happen every month with the average payout of more than $120,000. South Korean web provider, Nayana, paid a ransom of $1 million in 2017. The cybercriminals hacked into more than 153 Linux servers and shut down more than 3,400 websites. The hackers originally demanded $4.4 million, but the company negotiators were able to convince them that the company didn’t have the funds to pay that amount. (See The 5 biggest ransomware pay-outs of all time, by Luke Irwin, IT Governance, Oct. 2, 2019.)

A report from BitSight Insights found ransomware attacks in 2016 targeted 13 percent of all higher education institutions. (See 13% Of The Higher Education Sector Has Been Infected With Ransomware, by Joel Alcon, BitSight, Oct. 13, 2016.)

Another report by Emsisoft, a cyber research firm, found ransomware attacks in 2019 impacted 89 universities, colleges and school districts, with operations at up to 1,233 individual schools potentially affected across the U.S. In some of these cases, schools closed and others couldn’t access data about students’ medications or allergies, and students’ grades were lost. The “extreme level” attacks caused thousands of server and device shutdowns and lost data. (See The State of Ransomware in the U.S.: Report and Statistics 2019, Emsisoft, Dec. 12, 2019.)

Diverse constituents particularly endanger higher ed

Higher education is highly susceptible because hackers use malware that they typically deliver surreptitiously in phishing emails. With the number of students, faculty and staff who all have access to higher-education learning platforms, extortionists can easily gain access when just one person clicks an attachment or link in a phishing email, invade the network with malware and search for the most valuable data without detection. (See Study: Higher education is the top target for ransomware attacks, Axiom Resources, June 2020.)

Chris Ross, senior vice president at Barracuda Networks, says that university servers are becoming increasingly appealing targets for cybercriminals because they hold treasure troves of valuable data, including sensitive student and employee data, such as addresses, passwords, payment details, bank information and confidential research. (See Blackbaud university ransomware – the danger of supply chain attacks, by Mark Jones, techhq.com, July 24, 2020.)

During the global pandemic, more students are depending on virtual learning, so the risks are greatly increased and the access points for hackers are multiplied. “With more students than ever relying on cloud infrastructure to manage the transition to digital classes and online exams, the threat facing them has never been higher,” Ross says. “In fact, our recent research found that 46% had experienced at least one security incident since the lockdown, with more than half (51%) recording an increase in the number of email phishing attacks,” Ross says in the techhq.com article.

Training, training, training

Because most ransomware is delivered through phishing emails, the keys to prevention are awareness and training. Educating faculty, staff and students on how to identify unsafe emails can greatly reduce the chances of a ransomware attack. Schools can also limit the damage from stolen PII by ensuring that they aren’t holding onto information they no longer need. (See Cyberextortion Threat Evolves, by Lindsay McKenzie, Inside Higher Ed, June 11, 2020.)

Cindy Greenman, Ph.D., CFE, is an associate professor of accounting at Dixie State University in St. George, Utah. She received the ACFE Educator of the Year Award. Greenman is a member of the ACFE Arizona Chapter. Contact her at drcindygreenman@gmail.com.

Ross Johnston, Ph.D., CPA, is an assistant professor of accounting at Dixie State University. Contact him at ross.johnston@dixie.edu.

Derrick Esplin, Ph.D., CPA, is chair of the Dixie State University Accounting, Finance and Data Analytics Department in St. George, Utah. Contact him at derrick.esplin@dixie.edu.
