By Andy Norton, Risk Officer – EMEA, SentinelOne
The threat of ransomware is on the rise and attacks are increasingly targeting public sector organisations. A recent Freedom of Information study carried out by SentinelOne demonstrated that 56% of UK universities have suffered a ransomware attack in the past year alone.
Universities as the biggest targets
A total of 71 universities were contacted for the Freedom of Information study; 13 of these refused to comment, most likely for fear of compromising their commercial interests. Of those who did respond, 63% said they had been targeted by ransomware in the past and 56% of those targeted had suffered attacks in the past year, with Bournemouth University the most targeted at 21 attacks over just 12 months.
These results provide insight into ransomware’s most likely victims, highlighting universities as the prime targets. According to Gianluca Stringhini, Lecturer and Assistant Professor, Department of Computer Science, and Security Crime Science, University College London, “these findings shine a light on the growing ransomware threat and the fact that universities are seen as potentially lucrative targets.” He suggests that universities are so attractive to cyber criminals because “they hold [so much] data on staff and students.”
Ransom demands for data
In this recent Freedom of Information study, the range of ransom demands was between one and five bitcoins (approximately £500 – £2,500). Although none of the universities contacted as part of the study claimed to have paid the ransom, there are cases where other educational institutions have. The University of Calgary admitted to paying a ransom of $20,000 CAD (approximately £11,400) for decryption keys whilst Queen’s University Belfast has also admitted to paying a ransom demand, although a much lower figure of £400. The university made it clear that paying this particular demand was an exception to its standard policy of not paying ransom.
Not just a one-off
Fewer than half of the attacks reported by universities as part of the Freedom of Information study were isolated incidents. 56% of the universities that reported ransomware attacks indicated that they had been targeted multiple times.
Although none of the universities contacted for this Freedom of Information study admitted to paying the ransom demand, the fact that many of them were attacked more than once suggests the motive may not be solely financial. That being said, the study also indicated that ransom demands for universities are higher than when the general public is targeted. Universities not only “hold data on staff and students”, as Gianluca Stringhini points out, but this data is also easily accessible, since university networks are often well connected, with the potential for an attack to easily reach file servers. In addition, universities have, in the past, been more liberal with their security and device access policies, and therefore heavily reliant on user awareness. Last, but not least, the few instances in which these establishments have paid a ransom demand may be motivating cyber criminals to relentlessly attack the education sector.
Interestingly, all of the universities questioned in this study had some sort of anti-virus or anti-malware solution set up. Yet, the fact that 63% of these universities had been the target of a ransomware attack suggests that traditional solutions are failing to protect against new, indefinable and infectious strains of ransomware.
It is now vital that organisations and institutions go beyond their current defensive approach of protection based on existing knowledge, and instead begin to contemplate different solutions that use more advanced signature-less techniques to protect against ransomware. The best thing an organisation can do, other than just having appropriate security controls in place, is to have regular backup processes, either on another machine or, preferably, somewhere offsite. This will then enable data to be recovered or rolled back to an earlier version after an attack.
As a vital part of protecting themselves against future ransomware attacks, organisations should also ensure their staff are educated in good cyber security practices. Additionally, defences can be improved by providing staff with regularly updated information about open vulnerabilities, as well as teaching about situational awareness. Making employees more aware of suspicious emails is a simple yet vital action that can be taken.
Ransomware is here to stay
Ransomware is here for the long haul. However, by maintaining good endpoint protection, regular patch updates and an effective backup system, any organisation will be able to take measures to protect against infection and have the necessary recovery processes in place.