Ransomware attacks: How universities can fight back against cyber crime

Two recent cyber attacks on the education sector are disturbing evidence that ransomware gangs are becoming more aggressive and more innovative.

The education sector – and higher education, in particular – is an attractive target for cyber criminals. It’s rich with proprietary and personal data, has disproportionality large attack surfaces, and most institutions have a decentralised approach to IT security.

And, as Bluefield University in Western Virginia and the Minneapolis public schools district discovered, threat actors are taking increasingly brazen – and dangerous – approaches. We look at what happened, and what you can do to protect your institution.

Bluefield’s code red

At the end of April 2023, Bluefield advised faculty and students of a cyber security incident but reassured them that there were no signs of “financial fraud or identity theft” as a result.

Unfortunately for Bluefield, Avos (or AvosLocker), the group responsible for the attack, was not yet done. On the first day of May, Avos capitalised on the fact that it still had control of Bluefield’s RamAlert emergency communications system.

Avos used RamAlert to bombard Bluefield’s students and their parents, faculty members, contractors and administration staff with text messages that were either threatening or gloating.

“Hello students of Bluefield University! We’re Avoslocker Ransomwar. We hacked the university network to exfiltrate 1.2 TB files...We have admissions data from thousands of students. Your personal information is at risk to be leaked on the darkweb blog.

DO NOT ALLOW the University to lie about severity of the attack! As proof we leak sample Monday May 1st 2023 18:00:00 GMT (2:00:00 PM)”

Not only did this strategy contradict Bluefield’s own calming narrative, it also seems designed to panic recipients into pushing Bluefield’s leadership into paying Avos whatever it asks for. Avos actually encouraged recipients to go to the news media.

This tactic mirrors that of the Clop ransomware group. Clop has begun emailing the customers and clients of its victims and recommending that they, “Call or write to this [business] and ask to protect your privacy!!!!”

In such a situation, anxious senior leadership might ignore its own cyber breach protocols and capitulate to ransom demands to prevent further reputational damage.

Meanwhile, in June 2023, students at the University of Manchester received this email from an as-yet-unknown ransomware group:

"We have stolen 7TB of data, including confidential personal information from students and staff, research data, medical data, police reports, drug test results, databases, HR documents, finance documents, and more.”

Unsurprisingly, some students felt fearful for their own physical safety and expressed anger at the university for its handling of the attack. One Tweeted that she felt staff and students should go on strike until the matter was dealt with.

Medusa menaces Minneapolis

The Medusa group is also trying to get around planned responses to ransomware attacks by using fear and intimidation.

In March 2023, Medusa attacked the Minneapolis public schools district. It stole more than 200,000 files and almost immediately started to publish them. In this case it’s notable that Medusa didn’t limit itself to a “leak site” on the dark web, as cyber criminals usually do. It also used easily accessible outlets like Facebook and Twitter.

This would have been distressing even if the data were limited to the students’ basic information. But what Medusa made public included allegations of abuse and assaults by children against school district employees, including the names and addresses of the accused and the accusers. Had the attack been against a university or college, no doubt Medusa would not have hesitated to broadcast similar details about on-campus assaults.

The implications of what could happen as a result of this kind of material being made public are extremely troubling, and not hard to imagine. That, however, seems to be exactly what Medusa is counting on with its strategic leaks.

Managing cyber risk – what can you do?

It’s not only those working in education who will be vulnerable to these new tactics. Healthcare providers, charities, local and national government agencies, to name just a few – all have similar challenges with limited budgets, expanding attack surfaces and threat actors who are willing and capable of targeting vulnerable communities.

Anticipate – Third-party due diligence is essential. Third-party risk is on the rise and threat actors will exploit vulnerabilities in secure companies’ supply chains to find ‘back doors’ into their systems. You need to map out your companies’ critical service providers and other third parties, and develop a classic risk matrix which begins by prioritising ‘high impact, high likelihood’ events.

Educate – Human fallibility is often at the heart of a successful IT breach. A lot of people tune out during IT security training: Keep your people up-to-date on the latest threats and ensure that training materials are regularly refreshed. Your senior leaders should also be thoroughly briefed on your cyber breach response plans. This will minimise the chances of rash decisions being acted on in the heat of the moment.

Communicate – Collaboration between IT security teams and different departments is crucial to ensuring everyone is on the same page. Michigan State University, for example, paid US$1m to a ransomware gang that discovered its physics department had not properly patched its VPN.

And don’t forget about clear and honest communication with those affected by a breach; transparency about the issue and what is being done to remediate it will make it harder for a malicious party to capitalise on uncertainty.

Evaluate – Continuous monitoring of your attack surfaces and threat environment is vital. Do you know exactly how many servers there are through which your defences could be breached? You may be surprised by how often the number changes.

Automate – It isn’t possible for such continuous monitoring to be a manual job. Harness the power of a third-party expert to provide you with an automated system that gives you an overview of your ever-changing attack surface.

With Orbit Security, you can:

• Discover your attack surface using Orbit Security’s proprietary Network Footprint Discovery ML algorithm. From a single parent domain, we will discover all your interconnected infrastructure to a high degree of accuracy, regardless of who manages it.
• Analyse the threat intelligence assessments provided for every domain and sub-domain in your infrastructure, or view your risk exposure aggregated by the six threat categories in our methodology: Breach, Configuration, Mail, DNS, HTTP, SSL/TLS.
• Mitigate risks according to clear priorities set out in Orbit Security’s assessments, improve your security posture, monitor your third parties and report with confidence to your board.

Reporting is essential to any IT security team, and speaking senior management’s language is crucial. We help by providing off-the-shelf reports:

Management reporting

Our cyber security ratings present complex information in a way that’s easy for both stakeholders outside your team and senior management to understand, allowing you to communicate clearly and effectively what your security pain points are and what resources you need to address them.

Vendor risk reporting

You will be instantly notified if one of your third parties has its security rating downgraded. Thomas Murray will engage with them at your request to provide free and full access to their own threat intelligence assessment, improving the security of your entire ecosystem.