Once again a large-scale ransomware attack has hit a well-known institution, this time Howard University.
Ransomware attacks have disrupted 830 individual schools so far in 2021, versus 1,681 individual schools, colleges, and universities in all of 2020 in the US, per Emsisoft. By late summer 2021 the count had topped 800. While decreasing slightly in number, these are disturbing stats and expose a significant gap in the United States' ability to protect its IP and research treasure trove. And according to the software company Check Point, the education sectors in India, Italy and Israel had the highest volume of attacks in 2020.
Some of the higher-profile attacks in the US education vertical in the last 12 months include:
- Howard University being hit by ransomware shutting down classes today
- University of California paid $1.14 million to NetWalker hackers after they encrypted data within its School of Medicine’s servers
- University of Utah paid hackers $457,000 to prevent them from releasing data stolen during an attack on its network
- Judson School District in Texas paid $500,000
- Baltimore County School System locked up the system leading to 3 days of cancellations for 115,000 students
The FBI's Cyber Division is warning that cybercriminals using this type of attack are focusing heavily on schools and universities due to the widespread shift to remote learning. Also worth noting is that educational institutions hold an incredibly diverse spectrum of valuable data types: research IP across many sciences, healthcare and insurance data, student and parent/household PII, and financial data. Any one of these makes an organization a prime target; with all of them combined, here we are.
Specific to Howard University, the attack was severe enough to cancel classes for Tuesday, September 7, in order to give their IT teams more time to address issues, and the physical campus is open to essential employees only.
How to detect and remediate ransomware attacks before they happen
Here are three simple illustrations of how intelligent, behavior-based anomaly detection can reveal network threats and attack attempts at each stage of the kill chain: pre-infiltration, persistence during the attack, and (attempted) data exfiltration. The actors involved can be people, bots, malware or some combination.
The cyber attack kill chain
Infiltration – First steps in the kill chain
Intrusion and backdoor exploit attempts usually create anomalous behavior against baselines – whether by unknown users and devices, or by known users and devices at unusual times, from unusual geos, or with unusual behavior.
Fine-grained controls coupled with the intelligent risk profiling offered by modern systems can detect these behavioral anomalies indicative of attack, as well as the downloads and installs that follow. They can then alert the SOC and instruct network infrastructure to block traffic to the outside entity or entities involved.
Modern security and ops systems also need to detect and remediate ever-evolving malware and its persistence once inside a network.
Persistence – Critical steps in the kill chain
Once inside, attackers can blend in using legitimate credentials, so organizations looking only for known exploits won't be able to find these threats.
Many organizations focus heavily on preventing malware and intrusions at the perimeter and thus may not monitor for behavioral anomalies indicative of internal reconnaissance, command and control, and lateral movement.
Once an attacker gains access, they must perform a certain number of steps to achieve their goal, which is typically to access and steal, manipulate or destroy data. Rarely will an attacker "land" on the device holding the desired data, or be able to carry out their objective from a single resource.
So malware and/or attackers must perform many different actions, including probing the network, stealing or cracking credentials, accessing sensitive servers or applications, and locating and ultimately exfiltrating data.
Exfiltration – Completing the kill
Exfiltration is the last stage of the kill chain in targeted attacks, which usually (but not always) target larger organizations.
Post-intrusion exfiltration must be understood and addressed. Your systems need to detect a large data transfer, or a number of staged payloads transferring to outside/unknown entities (even from multiple devices), and use that intel to instruct your network infrastructure to drop traffic to those destinations.
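To make the baseline idea concrete for both the infiltration and exfiltration stages described above, here is a small added example (not WootCloud's code or any product's detection logic). It builds per-user and per-device baselines from a training window of constructed authentication and flow logs, flags logins from unseen geos or devices or at unusual hours, flags outbound transfers that are far above a device's normal volume or go to a destination never seen before, and then derives a block list from destinations that several devices are staging data to. Log format, field names, thresholds and sample values are all assumptions made for the example.

```python
"""Baseline-driven anomaly detection over constructed auth and flow logs (example code)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Events before this cutoff train the baseline; later events are checked against it.
BASELINE_CUTOFF = datetime(2021, 9, 5)

# Constructed sample logs; the format "<ISO timestamp> key=value ..." is an assumption.
AUTH_LOGS = [
    "2021-09-01T09:02:11 user=alice device=LAPTOP-01 geo=US-DC",
    "2021-09-02T08:55:40 user=alice device=LAPTOP-01 geo=US-DC",
    "2021-09-03T09:10:05 user=alice device=LAPTOP-01 geo=US-DC",
    "2021-09-01T10:15:00 user=bob device=LAPTOP-02 geo=US-DC",
    "2021-09-02T10:20:30 user=bob device=LAPTOP-02 geo=US-DC",
    # Detection window: known account, but new device, new geo and an unusual hour
    "2021-09-06T03:14:22 user=alice device=UNKNOWN-7F geo=ZZ",
    "2021-09-06T10:05:00 user=bob device=LAPTOP-02 geo=US-DC",
]

FLOW_LOGS = [
    "2021-09-01T12:00:00 device=LAPTOP-01 dst=10.0.5.20 bytes_out=200000",
    "2021-09-02T12:00:00 device=LAPTOP-01 dst=10.0.5.20 bytes_out=250000",
    "2021-09-03T12:00:00 device=LAPTOP-01 dst=10.0.5.21 bytes_out=180000",
    "2021-09-01T12:00:00 device=LAPTOP-02 dst=10.0.5.20 bytes_out=300000",
    "2021-09-02T12:00:00 device=LAPTOP-02 dst=10.0.5.20 bytes_out=320000",
    "2021-09-03T12:00:00 device=LAPTOP-02 dst=10.0.5.21 bytes_out=280000",
    # Detection window: staged payloads from two devices to one unseen external host
    "2021-09-06T23:40:00 device=LAPTOP-01 dst=203.0.113.50 bytes_out=900000000",
    "2021-09-06T23:42:00 device=LAPTOP-02 dst=203.0.113.50 bytes_out=750000000",
    "2021-09-06T23:45:00 device=LAPTOP-02 dst=10.0.5.20 bytes_out=310000",  # normal
]


def parse(line):
    """Split one log line into a dict of fields plus a parsed 'ts' datetime."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def auth_baseline(events):
    """Per user: login hours, geos and devices observed before the cutoff."""
    base = defaultdict(lambda: {"hours": set(), "geos": set(), "devices": set()})
    for ev in events:
        if ev["ts"] < BASELINE_CUTOFF:
            b = base[ev["user"]]
            b["hours"].add(ev["ts"].hour)
            b["geos"].add(ev["geo"])
            b["devices"].add(ev["device"])
    return base


def detect_infiltration(lines):
    """Return (user, timestamp, reasons) for logins that deviate from the user's baseline."""
    events = [parse(l) for l in lines]
    base = auth_baseline(events)
    alerts = []
    for ev in events:
        if ev["ts"] < BASELINE_CUTOFF:
            continue
        b = base.get(ev["user"])
        reasons = []
        if b is None:
            reasons.append("unknown user")
        else:
            if ev["geo"] not in b["geos"]:
                reasons.append(f"new geo {ev['geo']}")
            if ev["device"] not in b["devices"]:
                reasons.append(f"new device {ev['device']}")
            # Tolerate one hour either side of any hour seen in the baseline.
            if not any(abs(ev["ts"].hour - h) <= 1 for h in b["hours"]):
                reasons.append(f"unusual hour {ev['ts'].hour:02d}:00")
        if reasons:
            alerts.append((ev["user"], ev["ts"].isoformat(), reasons))
    return alerts


def flow_baseline(events):
    """Per device: outbound transfer sizes and destinations observed before the cutoff."""
    base = defaultdict(lambda: {"sizes": [], "dsts": set()})
    for ev in events:
        if ev["ts"] < BASELINE_CUTOFF:
            base[ev["device"]]["sizes"].append(int(ev["bytes_out"]))
            base[ev["device"]]["dsts"].add(ev["dst"])
    return base


def detect_exfiltration(lines, z=3.0, min_devices=2):
    """Return (alerts, block_list).

    A flow is anomalous when its size exceeds the device's baseline mean by z standard
    deviations, or its destination was never seen in the baseline. A destination goes on
    the block list when anomalous flows to it come from at least min_devices devices,
    which is the multi-device staging pattern the text describes."""
    events = [parse(l) for l in lines]
    base = flow_baseline(events)
    alerts, devices_by_dst = [], defaultdict(set)
    for ev in events:
        if ev["ts"] < BASELINE_CUTOFF:
            continue
        b = base.get(ev["device"])
        size = int(ev["bytes_out"])
        reasons = []
        if b is None:
            reasons.append("unknown device")
        else:
            mu, sigma = mean(b["sizes"]), pstdev(b["sizes"])
            if size > mu + z * sigma:
                reasons.append(f"{size} bytes vs baseline mean {mu:.0f}")
            if ev["dst"] not in b["dsts"]:
                reasons.append(f"new destination {ev['dst']}")
        if reasons:
            alerts.append((ev["device"], ev["dst"], reasons))
            devices_by_dst[ev["dst"]].add(ev["device"])
    block_list = sorted(d for d, devs in devices_by_dst.items() if len(devs) >= min_devices)
    return alerts, block_list


if __name__ == "__main__":
    for alert in detect_infiltration(AUTH_LOGS):
        print("AUTH ANOMALY", alert)
    flow_alerts, to_block = detect_exfiltration(FLOW_LOGS)
    for alert in flow_alerts:
        print("FLOW ANOMALY", alert)
    print("Recommend dropping traffic to:", to_block)
```

On the sample data the login by alice from an unseen device and geo at 03:14 is the only auth alert, the two large transfers to 203.0.113.50 are the only flow alerts, and because they come from two different devices that single destination becomes the block recommendation, while bob's routine login and LAPTOP-02's normal internal transfer pass untouched. The z-score threshold is deliberately crude; a production system would baseline per destination class, time of day and protocol rather than a single per-device size distribution.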
Security teams are (likely) overwhelmed by a huge volume of alerts, with some organizations reporting receiving a million alerts a day. Organizations often build and rely on crude correlation rules to find threats.
Organizations, as we have said before, need something better.
Request a 20-minute demo, specific to your environment today.
If you suspect your organization has been hit by a ransomware attack, visit the CISA website (US) for more info: https://www.cisa.gov/stopransomware
For the latest information on the Howard University, please visit https://newsroom.howard.edu/newsroom/article/14946/ransomware-cyberattack-update
See how Dartmouth College protects students, research IP, and private information with WootCloud: