The question at the top of people’s minds lately – is ransomware winning? – is definitely warranted. While a few years back ransomware seemed to die down, it has since transformed, with a group called SamSam reinvigorating the malware type to great effect. Now the average ransom paid has increased to six figures, and seven- and eight-figure ransoms are becoming commonplace. We are now facing a sophisticated three-stage attack that resembles an APT rather than traditional ransomware.

Newcastle University is the latest in a line of ransomware attacks on higher education institutions and, as all educational organisations return for the new term, we can expect them to come increasingly under siege. Why? Because ransomware is most effective when the attacker can cause significant pain and create a sense of urgency. The fact that many schools and universities are adopting remote or hybrid learning will add to the pain and urgency that come with these attacks. If digital disruptions are frustrating in normal circumstances, they are catastrophic in times of distance learning. Compound this with next-generation ransomware attacks that couple data exfiltration with the encryption of systems, and threat actors have multiple levers to pull on their victims. So, how can the education sector defend itself against these enhanced, next-generation ransomware attacks? Let’s take it step by step.

  1. In the infiltration stage, the attacker will find a way to infect systems to gain a foothold in the target environment. The most popular methods are phishing and vulnerability exploits, or brute-force methods such as compromising a credential and getting in through RDP. Once the attacker is in, they will start reconnaissance, meaning they will spread out across many systems to identify sensitive data and critical systems. Basic cyber hygiene is the most effective defence at this stage. Security teams should enhance vulnerability and patch management to reduce the attack surface, fine-tune application control to block untrusted software, and perfect privilege management and 2FA/MFA to limit the chance of the threat actor impersonating users.
  2. In the next stage – data exfiltration – the threat actor is going to gather sensitive data and exfiltrate it slowly and methodically, often using accounts and tools expected to be seen on the network, allowing them to defeat many forms of protection. As well as basic cyber hygiene, capabilities like Endpoint Detection and Response (EDR) can provide tools to go hunting for active threats in the environment. However, the challenge is that most companies that implement EDR do not have the resources or skill set to effectively hunt down active threats. Zero Trust and Data Loss Prevention capabilities can therefore also help at this level.
  3. Many organisations don’t realise they are under attack until stage three, when encryption begins at scale across their infrastructure. To counter this, backing up and restoring data is key. If partial or full encryption occurs, these are the only actions that can enable the organisation to get back up and running. Institutions should assume ransomware will occur, monitor their critical data storage with potential ransomware attacks in mind, and detect and isolate quickly. Taking this more focused approach will allow organisations to tune out a whole lot of noise and respond quickly and effectively to thwart stage three.
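The advice for stages two and three above comes down to watching critical data storage for two patterns: one account pulling an unusual volume of data (collection before exfiltration) and one account rewriting many files under an unfamiliar extension in a short burst (encryption at scale). The following is an added example, not code from the article or from any product it mentions: a small Python detector over constructed file-server audit lines. The log format, the baseline extension list, the thresholds and the account names are all assumptions chosen for the illustration.

```python
"""Added example (not from the article): a minimal detector for the two
later ransomware stages over file-server audit logs. Stage 2 shows up as
bulk reads by one account; stage 3 as a burst of writes to extensions
never seen on the share. Log format and thresholds are assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import os

# Extensions normally present on the shares (assumed baseline, not from the page).
BASELINE_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".pptx", ".csv", ".txt"}


def parse_event(line):
    """Parse '<iso-ts> user=.. action=.. path=.. bytes=..' into a dict.
    Constructed format: paths contain no spaces."""
    ts_str, *fields = line.split()
    ev = {"ts": datetime.fromisoformat(ts_str.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    ev["bytes"] = int(ev.get("bytes", 0))
    return ev


def detect_bulk_read(events, window=timedelta(minutes=10), byte_threshold=500_000_000):
    """Stage 2 heuristic: one user reads more than byte_threshold inside a
    sliding window. Fires once per user."""
    alerts, fired = [], set()
    recent = defaultdict(deque)   # user -> (ts, bytes) still inside the window
    totals = defaultdict(int)     # user -> bytes read inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "READ":
            continue
        user = ev["user"]
        recent[user].append((ev["ts"], ev["bytes"]))
        totals[user] += ev["bytes"]
        while recent[user] and ev["ts"] - recent[user][0][0] > window:
            _, old = recent[user].popleft()
            totals[user] -= old
        if totals[user] > byte_threshold and user not in fired:
            fired.add(user)
            alerts.append({"stage": 2, "user": user, "bytes": totals[user]})
    return alerts


def detect_encryption_burst(events, window=timedelta(seconds=60), threshold=10):
    """Stage 3 heuristic: one user writes >= threshold files with a
    non-baseline extension inside a sliding window. Fires once per user."""
    alerts, fired = [], set()
    recent = defaultdict(deque)   # user -> timestamps of suspicious writes
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "WRITE":
            continue
        ext = os.path.splitext(ev["path"])[1].lower()
        if ext in BASELINE_EXTENSIONS:
            continue
        queue = recent[ev["user"]]
        queue.append(ev["ts"])
        while queue and ev["ts"] - queue[0] > window:
            queue.popleft()
        if len(queue) >= threshold and ev["user"] not in fired:
            fired.add(ev["user"])
            alerts.append({"stage": 3, "user": ev["user"], "count": len(queue),
                           "last_path": ev["path"]})
    return alerts


def build_sample_log():
    """Constructed audit lines: routine staff activity, then one service
    account reading 750 MB in five minutes and rewriting 12 files as
    '.locked' within 22 seconds. Account names are made up."""
    t0 = datetime(2020, 9, 1, 8, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):  # background: a staff member editing documents
        ts = (t0 + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} user=alice action=READ path=/shares/hr/policy{i}.pdf bytes=200000")
        lines.append(f"{ts} user=alice action=WRITE path=/shares/hr/policy{i}.pdf bytes=200000")
    for i in range(30):  # stage 2: bulk collection from the finance share
        ts = (t0 + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} user=svc-backup action=READ path=/shares/finance/q{i}.xlsx bytes=25000000")
    for i in range(12):  # stage 3: mass rewrite under an unfamiliar extension
        ts = (t0 + timedelta(minutes=6, seconds=2 * i)).isoformat()
        lines.append(f"{ts} user=svc-backup action=WRITE path=/shares/finance/q{i}.xlsx.locked bytes=25000000")
    return lines


def run(lines):
    """Parse the log once and return the alerts from both heuristics."""
    events = [parse_event(line) for line in lines]
    return detect_bulk_read(events) + detect_encryption_burst(events)


if __name__ == "__main__":
    for alert in run(build_sample_log()):
        print(alert)
```

On the constructed log the bulk-read alert fires after the 21st read (525 MB inside the window), while the staff account's edits never trip either check because `.pdf` is a baseline extension. Both heuristics fire once per account so that an isolation action (disabling the account, cutting the host off the share) can be tied to the first alert rather than to a flood of repeats; the thresholds are starting points that each institution would tune against its own baseline of normal share activity.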

Paying a ransom is never recommended, and isn’t required if organisations have the proper practices and protocols in place. In fact, the US Office of Foreign Assets Control (OFAC) recently released an advisory stating that any company that is subject to a ransomware attack should engage with the proper law enforcement authorities and must adhere to economic sanctions and federal guidance. Many cyber gangs are nation-state backed, so paying them can violate OFAC guidelines, subjecting businesses to legal repercussions and potential fines if they pay up, as well as potentially encouraging further attacks.

So, is ransomware winning? For the moment, but we can respond to this evolving threat by countering it with more effective security strategies.