Ransomware

The Silent Killer

By Bob Barker // Volume 28, Number 6 // November/December 2020
AGB Trusteeship Magazine: November/December 2020, with cover article “Enrollment Effects - The Impact of the Pandemic”

Never has there been a more turbulent time for higher education. Declining enrollments, the burden of student loans, government regulations, COVID-19, sports programs, Title IX, and more made the 2019 calendar year extremely challenging. And now 2020 is perhaps our most difficult year ever.

While all of these issues threaten the future of colleges and universities, cyber risk continues to vex every board member at these institutions. The unexpected event, the silent killer? Ransomware. In the last 100 days or so, we’ve seen UC San Francisco, the University of Utah, Blackbaud, and others suffer substantial losses to criminals. Utah alone paid $450,000 in ransom.

From a cybersecurity perspective, most colleges and universities resemble small and medium businesses (SMBs) more than they do large enterprises. Property and casualty insurer Hiscox recently surveyed 3,300 firms to identify the causes and effects of cyberattacks on SMBs in North America and Europe. Its 2019 study revealed that over half the U.S. SMB firms had suffered a breach within the previous 12 months, and 40 percent had incurred multiple breaches. Even worse, the estimated total losses had doubled those of the previous year. The frequency of attacks on higher education institutions seems to be following a similar pattern.

Universities Increasingly Targeted

According to an August 16, 2020 article in iZOOlogic in the UK, the notorious Netwalker ransomware group has been successful in extorting payments by threatening to divulge the private data they acquire unless their monetary demands are met.¹ In their first year of operation, as of August 16, 2020, they had taken in over $25 million in payments. The group is now targeting U.S. colleges and universities, and they have already had several highly publicized successes:

Institution: Actions

Michigan State University: The Netwalker group breached and threatened to release MSU financial data, scans of passports, and file repositories that were exfiltrated from within its network if the ransom demand was not met.

Columbia College of Chicago: The hackers informed Columbia College of Chicago about the compromised data they had stolen, including the records and personally identifiable information of many of its students and faculty staff. The ransomware operators plan to sell the records on the Dark Web.

UC San Francisco: University of California San Francisco (UCSF) confirmed that it had been targeted by a network intrusion but refused to detail which part of its network may have been breached. Netwalker claimed the cyberattack on its Dark Web page. Screenshots of the data leak have been posted that include social security numbers, financials, and employee data, as well as detailed medical studies (e.g., research on coronavirus).

Source: “Netwalker Ransomware Group attacks Universities in US,” iZOOlogic, August 16, 2020.

Outsourcing Risk

Will outsourcing more of your information technology needs decrease risk? Many SMBs and small universities outsource some IT functions to bring in outside expertise and to save money, as well as to lower cyber risk. It can be a good strategy, but even the best outsourcers have been breached.

Blackbaud, a leading provider of services to nonprofit organizations, including higher education, is a recent high-profile example. They were struck with a ransomware demand from a cybercriminal who penetrated their network and locked down personally identifiable information (PII); even an almost billion-dollar company is vulnerable to such an advanced attack. “Senior officials at the tech firm spoke with The NonProfit Times on the record with the agreement they would only be identified as spokespeople.” “The attack was sophisticated enough that it initially looked like legitimate customer activity. When it escalated, the attack evaded our endpoint detection, intrusion prevention, and monitoring processes,” one Blackbaud official explained.

The cybercrime at Blackbaud led many of its customers, including a number of universities in the United States and the United Kingdom, to receive ransomware demands. Company officials have declined to say how many nonprofit accounts may have been accessed during the time the intruder went undetected. Reports in the media and from regulatory agencies suggest that hundreds of clients may have had their accounts accessed. The United Kingdom’s Information Commissioner’s Office alone has received 125 reports of Blackbaud client breaches.

Identifying Steps to Take  

Cybercrime is one of many challenges facing universities, and the question is how to set priorities. Like an airplane pilot in a crisis situation, step one is to determine where you are. What is our status? What are our risks? What must be done next? How can we address this while all of our resources are focused on the pandemic and other urgent disasters of the moment?

Rule One in flight training for pilots in the event of an emergency is very straightforward: first fly the airplane. With the challenges facing every college and university today, that’s a rational approach. See to the financial problems, the COVID-19 threats, the empty dormitories, the issues with athletics, the distance learning. But then, what can be done about the “Silent Killer”?

Increasing cyber resilience is challenging. “6 Must-Have Methods to Combat a Cyber Breach,” which ran in the August 26 edition of Risk & Insurance, lists six steps to combat cyber breaches. While these steps may be worthwhile, a better approach is to see how well your institution aligns with a comprehensive cyber assessment framework that helps identify the highest priority steps needed to decrease cyber risk in your unique environment.

Assessing Cyber Status

Under executive orders several years ago, the National Institute of Standards and Technology provided a brilliant framework that assesses the “where are we” issues. The Cyber Security Framework (NIST CSF) is the beginning point to provide administration, trustees, and regents with a clear understanding of the organization’s current cyber maturity and resiliency, and perhaps more importantly, identifies the current gaps that tell us what we need to focus on.

NIST delivered the framework after engaging 3,000 cyber experts from business, government, and academia, and it has rapidly become the most widely used and accepted standard for effective cyber governance. Applying it isn’t just one more thing to do. A NIST CSF assessment provides a foundational view of current cyber resilience, a gap analysis highlighting policies and processes that may need more focus, and guidance about how you can understand more deeply the cyber circumstances of the organization.

Automating NIST CSF lets you establish an ongoing cyber improvement program that becomes a common system of record containing comprehensive information about the cyber status of the institution. It provides the administration, auditors, boards, and regulators with visibility into the institution’s cyber resilience improvement initiatives, and it enables collaboration in setting vision and defining improvements to protect PII and network infrastructure.

Bob Barker is a cybersecurity strategist who began his security work in 1996. He is currently the chief strategy officer at Cybernance. He also serves as corporate strategic advisor to other public and private technology companies, including Intrusion Inc., a public cybersecurity company. Bob has written extensively for business publications that include Westlaw Journal, Directorship (National Association of Corporate Directors), TexasCEO Magazine, and Information Management, and he has been quoted in The Wall Street Journal and Forbes.

Endnote

  1. “Netwalker Ransomware Group attacks Universities in US,” iZOOlogic, August 16, 2020.