School Daze: The Evolving Ransomware Threat Landscape, Credential Breaches and other Online Threats Facing Universities and Colleges
By Tim Lehey and Rob Ames
In February of 2021, BlueVoyant released its report "Cybersecurity in Higher Education," a comprehensive assessment of the state of cyber security in the higher education sector. In this report, BlueVoyant analysis highlights severe vulnerabilities to ransomware faced by a wide range of institutions of higher education (IHEs). In the months since its release, the higher education sector has suffered a spate of alarming cyber security incidents, with ransomware attacks representing some of the worst events impacting dozens of universities.
Two of the world's leading security agencies publicly warned of this onslaught. This past March 16, the FBI issued a Flash Advisory Warning that targeting of higher education institutions was on the rise by the PYSA ransomware operation: "The unidentified cyber actors have specifically targeted higher education [...]."1
A week later, the UK's National Cyber Security Centre (NCSC) issued a similar advisory: "Since late February 2021, an increased number of ransomware attacks have affected education establishments in the UK, including schools, colleges and universities." 2
Security agencies are not alone in issuing strong messages to IHEs. The 2021 victim list for ransomware gangs like PYSA and Cl0p resonate even more powerfully.
In the first quarter of 2021, the victim count stood unnervingly large. Apart from the numerous Cl0p victims posted this year, PYSA has relentlessly attacked schools, colleges and universities. Below are the (publicly shamed) victim institutions for 2021:
- Myserscough College
- Millsersville University
- Illinois Valley Community College
- St Andrew's College
- Heartland Community College
- Cleveland Institute of Music
- Bridgwater & Taunton College
- St. Mary School Hyde Park
- Uxbridge College (formerly Uxbridge Technical College)
- UCEL (Universidad del Centro Educativo Latinoamericano)
Aside from the institutions that were posted to public ransomware "shame" or "extortion" sites, other IHEs were mentioned in the data dumps including additional victims - suggesting potential collateral sensitive information from third-party risk. What’s more, it is highly likely that there were other IHEs not posted because they negotiated a ransom payment according to the threat actors' standards.
Cribbing Your Notes | The 2021 Accellion Debacle
In the early months of 2021, an outdated Accellion file transfer application (FTA) caused tremendous upheaval and caused Accellion to announce a vulnerability in its legacy FTA under the risible characterization of having "minimal impact":
"Accellion resolved the vulnerability and released a patch within 72 hours to the less [sic] than 50 customers affected."
In short order, many of those customers would be revealed.
The University of Maryland, Baltimore eventually issued a statement confirming that it was compromised via the Accellion vulnerability. Its confirmation of the breach was acknowledged only after the hackers posted evidence on the Cl0p's extortion site:
“In late December, CI0P breached the security of our Accellion file transfer system. This system was used by our students, faculty, and staff to transfer encrypted files. We discovered the breach earlier this week, when the hackers posted evidence that they had accessed a limited number of files in our system containing some personally identifiable information.”
Other IHEs have publicly confirmed suspicion that their compromise was linked to the Accellion vulnerability:
- University of Colorado 3
- University of Miami 4
- Yeshiva University 5
- Stanford University 6
- University of California 7
- Southern Illinois University School of Medicine 8
- Harvard Business School 9
More Than One Way to ‘Take Your Lunch Money’
Ransomware originated as an encryption malware. By denying access to systems, individuals and gangs could force victims into paying for decryption keys. But the essence of ransomware is the immutable principle of extortion. As organizations began to more rigorously establish offline backup procedures to get ahead of this threat, ransomware operators responded.
The essence of ransomware is the immutable principle of extortion.
By late 2019, ransomware gangs expanded their extortion techniques by exfiltrating sensitive data, and in the event of non-cooperation, threatened to publicly release the information. In the case of the Accellion hacks, it appears that the hackers deemed the data to be sufficient leverage to carry out their threats, as attackers were not able to encrypt the systems of its victims.
In a more recent effort to further pressure organizations into paying ransom demands, Cl0p initiated campaigns to directly contact individuals associated with their plundered data.
Cyber security reporter Brian Krebs recently revealed that the "same extortion pressure email has been going out to people associated with the University of California.” Ransomware gang Revil (aka Sodinokibi) has not only contacted the clients of their victims, they’ve also combined service denial attacks - specifically DdoS - to apply broad spectrum pressure. The group Ragnar Locker has gone so far as to purchase Facebook advertisements using hacked accounts in order to further raise the stakes for non-cooperation.
These innovations and adaptations highlight the inherent and timeless principles of extortion that underpin this modern cybercriminal endeavor.
Cl0p directly contacts customers of a recent ransomware victim.
RaceTrac claimed to also be a victim of the Accellion debacle.
(Photo courtesy of KrebsOnSecurity)
Non-Cl0P Ransomware Incidents | Long Term Trend?
Also entering the public domain is a great deal of evidence indicating the persistence of ransomware attacks against IHEs by ransomware groups other than Cl0p. These incidents not only serve to underscore the issues discussed in the recent FBI and NCSC warnings, but could also reflect a long-term trend.
On Jan. 25, 2021, Tennessee Wesleyan University announced that it disconnected a number of its IT system components upon detecting an attack by an unidentified strain of ransomware two days prior.
North Carolina’s Central Piedmont Community College (CPCC) announced on Feb. 10, 2021, that it suffered a ransomware attack which disrupted its operations.
According to the CPCC’s announcement, the attack did not appear to compromise the personal data of students or employees. Regardless, this incident illustrates the outsize impact of ransomware when an attack overlaps with IT management challenges resulting from the higher education sector’s dependence upon e-learning. Consider that weeks after the initial disclosure, a CPCC official declared that as a result of the attack, all of the data in the institutions’ Blackboard learning management system (LMS) was “corrupted beyond restoration,” which, as a Blackboard spokesperson added, was a result of the CPCC’s decision to run a locally-hosted version of Blackboard Learn instead of using Blackboard’s cloud hosted version.
On Feb. 16, 2021, Simon Fraser University (SFU) warned that an attack detected on Feb. 5, 2021 exposed personal data belonging to an estimated 200,000 students and employees. This occurred almost exactly a year after a similar incident on Feb. 27, 2020, where SFU warned that a ransomware attack led to the exposure of roughly 250,000 University affiliates’ personal information.
On March 2, 2021 in response to this year’s breach, law firm Slater Vecchio LLP filed suit against SFU. The suit alleged that the University’s efforts to protect student data were insufficient, citing adjustments to its information security management after the 2020 ransomware attack as evidence of SFU’s poor preparation for future incidents like the 2021 breach. While the outcome of the lawsuit remains to be seen, it underscores the fact that the cost of a ransomware attack can go beyond the initial ransom to include legal fees and damage.
On Feb. 17, 2021, a security researcher announced that the Sodinokibi/REvil ransomware group added an entry for Southern Arkansas University (SAU) to its data breach site, “Happy Blog,” suggesting that the group had successfully exfiltrated data from SAU’s systems. This would be the second data breach to affect SAU in recent years, as a Fall 2020 ransomware attack against cloud provider Blackbaud exposed data belonging to many of its customers, including SAU.
On March 2, 2021, Millersville University confirmed that on Feb. 28, 2021, it had been the target of a ransomware attack. While the announcement claimed that all PII stored in Millersville systems was encrypted (and therefore, not compromised by the attack), the PYSA ransomware group added an entry for the University to its data leak site in support of its secondary extortion efforts.
As suggested by the NCSC’s recent warning, these attacks have not been limited to this side of the Atlantic.
On March 13, 2021, the UK’s South and City College Birmingham announced that it suspended in-person operations at all eight of its campuses following a “major ransomware attack” and, outside the UK, the Technological University of Dublin and National College of Ireland reported that it too had been subject to ransomware attacks on April 1 and April 4, 2021, respectively.
The evidence that security risks linger long after incidents, which appear to demand a response, is even more troubling.
While these specific incidents may be novel, they also reflect recurring issues facing the higher education sector. The higher education sector is not a new target for ransomware groups.
In fact, a study of 2019 ransomware incidents found that education was the second-most extorted sector by both the raw number of attacks and the proportion of incidents that resulted in a ransom payment.10
While cybercriminals are indeed adaptable - as evidenced by the Cl0p group’s exploitation of Accellion’s FTA vulnerabilities - such adaptability is not always necessary, as many ransomware operations have, for some time, employed the same basic TTPs.
Both the NCSC11 and the FBI’s warnings12 to IHEs identify open remote desktop protocol (RDP) ports and phishing as the most common points of access for ransomware. Though these specific alerts may be new, the named vectors are not. The BlueVoyant report, “Cyber Security in Education,” also addressed these vulnerabilities; finding that 66% of universities studied lacked the DNS-based email security protocols that can reduce the risk of phishing attacks, and 22% of universities had at least one open RDP port.
The frequency with which IHEs appear to leave these points of entry unguarded against ransomware may involve risks beyond ransomware attacks.
For example, ransomware is not the only threat spread by phishing, as recent reports of phishing incidents 13 at the University of Alabama at Huntsville and warnings of fraud campaigns targeting .edu email addresses impersonating the IRS can attest.14 Whatever the attackers’ intent, DNS-based email security measures can, at minimum, reduce the risk presented by phishing attempts.
Together, these security deficiencies suggest that the ability of IHEs to respond to threats and manage IT security risks may be underdeveloped. However, the evidence that security risks linger long after incidents, which appear to demand a response, is even more troubling. The previously referenced Simon Fraser University case is one example of IHEs failing to improve its security posture after an attack (and as a result, unnecessarily experiencing a second breach), but is not an isolated incident. On March 16, 2021, Arizona’s Maricopa County Community College District (MCCCD) detected an unspecified “cyberattack”on its network—the most recent in a long series of incidents which appear to have occurred alongside persistent management issues.
From 2011 onward, MCCCD suffered periodic data security incidents. In 2017 and 2019, reports from Arizona’s Auditor General found that MCCCD’s information security policies and procedures were inadequate.15 It would seem that at some IHEs, IT management issues persist - even in the wake of events that should result in an assessment and overhaul of the institutions’ security posture, and third-party relationships - to uncover and mitigate risks and prevent future breaches.
The challenges within IT environments contributing to the incidents discussed herein are not unique. BlueVoyant’s report, “Cybersecurity in Higher Education,” and other research prior to it, found that the higher education sector faces unique structural difficulties that complicate its cyber security posture. As noted in BlueVoyant’s original report, budgetary constraints, and resulting staffing difficulties, have proven to be major factors in the underdevelopment of the cyber security posture of IHEs. Prior to the COVID-19 pandemic, and the resulting transition to remote instruction, survey results indicate that IT administrators at IHEs were taking steps to improve the security of their systems.16 Budgetary priorities appear to have shifted during the pandemic - with a dramatic increase in dependence upon instructional learning technology bringing about a similar increase in demand for support from IT departments - at the expense of hoped-for investments in, or attention to, security.17 Unfortunately, IHEs that have experienced ransomware attacks and other security incidents, face new costs as a result of those investment shortfalls.
1. https://www.ic3.gov/Media/News...2. https://www.ncsc.gov.uk/news/a...3. https://www.cu.edu/accellion-c...4. https://www.databreaches.net/t...5. https://36yrz82f039s43dlq3eidz...6. https://med.stanford.edu/conne...7. https://ucnet.universityofcali...8. https://www.databreaches.net/s...9. https://www.bleepingcomputer.c...10. https://kivuconsulting.com/wp-...11. https://www.ncsc.gov.uk/news/a...12. https://www.ic3.gov/Media/News...13. https://www.waff.com/2021/02/1...14. https://www.irs.gov/newsroom/i...15. https://www.azauditor.gov/site...16. https://www.cosn.org/focus-are...17. https://www.wired.com/story/sc...