ARN

Universities and colleges cope silently with ransomware attacks

Ransomware gangs like Vice Society target colleges and universities just as they do every other sector, but the institutions try hard to keep that information quiet.

Although some cybersecurity researchers say that ransomware attacks are on the downswing as cybercriminals face declining payments, a spate of recent ransomware attacks makes it feel like the scourge is continuing at the same, or even an elevated, pace.

Nowhere is this more apparent than in the higher education sector, with at least eight colleges and universities in North America reporting ransomware attacks since December 2022.

Among recent incidents are:

  • On December 30, 2022, Bristol Community College in Attleboro, Massachusetts, announced it experienced disrupted internet and networking functions due to a likely ransomware attack.
  • In early January, a likely ransomware attack shut down access to campus network services at Okanagan College in the southern Interior of British Columbia, Canada.
  • Mount St. Mary's College in Newburgh, New York, confirmed on February 9 that it experienced a ransomware attack in December after the ransomware group Vice Society claimed credit for the incident on its leak site.
  • On February 25, Southeastern Louisiana University in Hammond, Louisiana, reported a data breach and "network issues" widely believed to be a ransomware attack.
  • Tennessee State University in Nashville announced on February 26 that its IT systems were temporarily inaccessible due to a possible ransomware attack.
  • On March 1, College of the Desert, a community college in Palm Desert, California, announced it was alerting around 800 people who might have been affected by a ransomware attack that occurred in July 2022, which took down the school's phone and online services for nearly a month.
  • On March 3, Gaston College, a community college in Dallas, North Carolina, announced that it was the victim of a ransomware attack by an unknown threat actor.
  • Northern Essex Community College campuses in Haverhill and Lawrence, Massachusetts, were closed in early March due to what is widely believed to be a ransomware attack.

Recent ransomware attacks on higher learning institutions also occurred outside North America. In mid-January, the University of Duisburg-Essen (UDE) in Germany announced it had been hit by a ransomware attack on November 22 after threat group Vice Society claimed credit for the incident. Another German university, the Hamburg University of Applied Sciences (HAW Hamburg), admitted in early March it, too, had been hit by a ransomware incident on December 20, 2022, for which Vice Society also took credit.

Cone of silence surrounding ransomware attacks

It is impossible to know how many higher education institutions have become victims of ransomware attacks or whether these incidents are increasing because the institutions are more reluctant than most organisations to reveal the attacks or discuss any other aspect of cybersecurity. CSO sent interview requests to at least five university CISOs to discuss the challenges they face in managing their institutions' cybersecurity, and all went unanswered. None of the CISOs CSO contacted are employed at colleges or universities publicly known as victims of ransomware attacks.

"It's always hard to know when you're tracking ransomware attacks because most of them are never publicly reported for a variety of reasons," Allan Liska, threat intelligence analyst at Recorded Future, tells CSO. "However, we know there was at least a 10% increase in publicly reported ransomware attacks against colleges and universities in 2022 versus 2021. We're starting 2023 with what appears to be that trend of increased attacks continuing."

Most organisations are reluctant to discuss ransomware attacks unless situations press them into it. "Very few organisations, unless they wind up on an extortion site, want to talk about the fact that they've been hit with ransomware," Liska says. 

"But when you talk about many colleges and universities, because they're part of the public sector, a lot of times they have state requirements regarding what they can say and can't say."

Beyond that, however, "There seems to be this unwillingness to share this information, I think wrongly, under the perception that if you share that you were hit with a ransomware attack, it's going to make other people attack you or something like that," Liska says. 

"I'm not really sure what the logic is behind that, but it's definitely a problem. It makes it hard for those of us who are trying to solve the problem because we can't get a full understanding of what's happening because we don't know about most of the ransomware attacks. It makes it hard to develop a good national strategy if people don't want to talk about it."

Recorded Future recently issued FOIA requests to learn more about ransomware attacks against colleges and universities in one specific state. "Every time they came back with the same thing, 'due to the sensitive nature of this, blah blah, blah, we can't share any information,'" says Liska. 

"They said it could reveal sensitive networking stuff, which is complete [nonsense]. But that was the tack they took. And I'm like, dude, your data are on an extortion site, so we know what happened. So there seems to be this unwillingness to share information."

Threat actors working on a quota

Some experts think that the number of ransomware incidents affecting educational institutions, including universities, has remained consistent in recent years. "I don't have the breakdown between local school districts and colleges at hand, but every year since 2019, there has been between 84 and 89 incidents involving US K-12 and post-secondary schools," Brett Callow, threat analyst at Emsisoft, tells CSO. 

"If anything, the numbers are surprisingly consistent and vary by five per year. It is as though [threat actors] are working to a quota."

Adam Meyers, senior VP of intelligence at CrowdStrike, thinks universities and colleges are not more targeted than most organisations. "I don't know that it's disproportionately higher than what we're seeing elsewhere," he tells CSO.

"You might be seeing more mention of it in the media and more stories about it, but I think the ransomware threat actors are constantly shifting targets looking for something that's going to pay out and be interesting."

Higher learning a favorite target of Vice Society

Russian threat actors drive most ransomware attacks, including those aimed at colleges and universities. "Most of these attackers, at least the core group, are based in Russia," Liska says, clarifying that they're not state actors per se but criminal groups that thrive while the Kremlin turns a blind eye to them. "When we're talking about ransomware as a service, which I know some of these attacks are part of, the affiliates can actually be spread out worldwide, but still, the core developing group is almost always based in Russia."

Vice Society is a leading culprit in these attacks and is widely believed to be a Russian group. Last fall, the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued an advisory warning of Vice Society ransomware attacks that disproportionately target the education sector.

"Vice Society is the one that you really see active going after schools and colleges and universities," Liska says. "They've almost made, for lack of a better term, a career out of it. Vice Society accounts for about five to six percent of overall publicly reported ransomware attacks but accounts for 30% of ransomware attacks against schools."

Meyers says, "I think that it's not like there's one monolithic group of criminal actors. There are so many different affiliates." But he, too, points to Vice Society as one of the more significant threats to higher education institutions. "They have heavily been targeting academia and deploying the Red Alert Locker since January or February," he says. Red Alert Locker is one piece of malware developed by a third party that Vice Society deploys in ransomware attacks.

"Talking about which groups are responsible is a little bit misleading," Callow says. "It's really which affiliates of those groups are choosing to target the education sector. That said, there is a group called the Vice Society, which for whatever reason targets a very large number of organisations in the education sector."

Money is the payoff, but data could be more important

In terms of what motivates ransomware attacks on colleges and universities, the primary motive, of course, is money, even when payments are small. "People talk about ransomware gangs being big game hunters, but they're really not," Callow says. "They are opportunistic and will take money wherever they can get it. They will pursue even low sums. For example, we've seen LockBit try to squeeze ten thousand bucks out of a community hospital in a low-income country."

But Liska says, "we don't actually know that they make money from the ransomware attacks. The education sector overall, so not just colleges and universities, but also grade schools, high schools, is actually one of the sectors that are least likely to pay a ransom." They are less likely to pay "in part because they generally don't have the $100,000, $200,000, $500,000 that these ransom actors are asking for but also because they're generally using state money or student money there."

"If it's causing them not to be able to do admissions or enrollment or to service their student body and it's bringing negative attention to the university, that is the calculus of ransomware," says Meyers. "They're trying to create enough downtime or enough of an impact that it's cheaper to pay the ransom than to try to figure out a way to fight through it."

Although Callow thinks the data stolen during ransomware attacks on colleges and universities are not of significant value, Liska does. "When you're talking about a ransomware attack at this point, we're talking about double extortion," he says. "So, it's data theft plus the encryption event. That student data can be very valuable. Social security numbers, names, addresses, all of that has a value on the secondary market to sell for those who engage in identity theft."

All threat actors are moving to the double extortion model, Meyers says. "They don't have to deal with the complexity of cryptography and doing all the ransom attacks. I think we'll see ransomware playing second fiddle to data extortion moving forward. Weaponisation is starting to become a favored tool for these threat actors."