BlueVoyant Report Reveals Ransomware is the Number 1 Cyber Threat facing Higher Education

February 23, 2021

COVID-19 has forced the higher education sector to rapidly transition to remote learning. This report delivers insights into the growing threat landscape of ransomware, credential breaches and other online threats facing universities and colleges.

New York, N.Y. – February 23, 2021: BlueVoyant, a cybersecurity services company, today announced the findings from its Cybersecurity in Higher Education report. Using open source data and proprietary research, BlueVoyant analyzed 2702 universities across 43 countries, revealing that ransomware attacks against universities increased by 100% between 2019 and 2020, and are the number one cyber threat - with the average cost of a ransomware attack totaling $447,000. Additionally, tactics seen in other industries - such as holding organizations to ransom for larger sums of money - were also observed amongst attacks on higher education institutions.

In the wake of COVID-19, the higher education sector is experiencing unprecedented change. Not only are universities embracing - or wrestling with - a host of new technologies and teaching methods, they’re also using a variety of apps, portals, and remote teaching technologies to support online or blended learning environments, which exponentially increase their vulnerability to a cybersecurity breach. As the nature of the classroom and the student experience evolves, universities face new challenges, new demands, and new risks that underscore the critical need to secure their proprietary data sources and to be properly positioned to withstand the growing threat landscape of cybersecurity breaches.

The report outlines the current threat landscape for the higher education sector and delivers insights about the growing threat of ransomware attacks, the outsized impact of credential breaches, and the broader consequences for schools in the form of credential stuffing attacks. The research also outlines a concerning prevalence of high-risk vulnerabilities in the sector, which require remediation, including using multi-factor authentication, password policy mandates, monitoring anomalies and password screening.

Key findings from the report include:

  • Ransomware is the number one threat facing universities - ransomware events doubled from 2019 to 2020.
  • The average cost of a ransomware attack in higher education in 2020 was $447,000.
  • Data breaches were the number two threat facing universities, making up half of all events in 2019.
  • Data theft by nation states is a regular occurrence, affecting more than 200 universities in the past two years.
  • University credential lists are massive and heavily trafficked in dark web markets, underpinning a huge volume of threats targeting accounts and vulnerable websites.
  • Passwords are easily compromised due to the prevalence of simple passwords and password reuse.
  • Threats have magnified, due to increasing reliance on mobile devices, the move to remote learning, and third-party education partners - expanding the higher education attack surface.

Common vulnerabilities identified in the sector are:

  • Two-thirds (66%) of all analyzed universities and colleges lacked all basic email security configurations, which left these institutions exposed to phishing attacks.
  • More than three quarters of all analyzed universities and colleges had open or unsecured remote desktop ports. Open remote desktop protocol (RDP) ports are the number two threat vector - behind phishing - for ransomware gangs.
  • 86% of all observed universities and colleges showed evidence of inbound botnet targeting. The rise of botnet activity over the past year has prominently featured in the news.

Key adversary tactics commonly deployed against education sector targets included:

Credential stuffing: whereby account credentials, typically consisting of lists of usernames and/or email addresses and the corresponding passwords, are used to gain unauthorized access to user accounts through large-scale automated login attempts.

Brute-Forcing: when an attacker systematically submits many passwords or passphrases with the hope of eventually guessing correctly. The attacker checks all possible passwords and passphrases until the correct one is found.

Dehashing/Cracking: the process of recovering passwords from data that has been stored in an unsalted hashed form. Hashes are scrambled versions of passwords that services use to enhance security practices; however, hashing is not equivalent to cryptography and many hashes can be "cracked" or guessed.

Commenting on the research, Jim Penrose, COO, BlueVoyant said: “As the nature of teaching and the student experience changes in response to COVID-19, universities and higher education establishments face new challenges, demands and risks. The attack surface has exponentially increased as organizations in this sector move to remote learning and face unique privacy and cyber risks. This is due to the combination of the sensitive data they manage and the nature of how technology is deployed, combined with growing regulations facing this sector.”

“The good news is that many of these issues can be easily rectified with the introduction of cybersecurity technologies, policies and user education. This includes multi-factor authentication (MFA) and long password policies, combined with the ability to block password reuse and simple passwords, and password screening. By combining long passwords with MFA and screening, the chance of being breached through brute force or credential stuffing attacks is considerably reduced.”

In addition to the broad scope analysis, BlueVoyant has also provided insights on a smaller pool of 30 universities. This in-depth analysis looked for distinct patterns and trends to identify vulnerabilities that matched the known threat vectors and risks. Analysis showed that torrenting (a popular method of sharing large files online) and gaming were being widely used, and highlighted the scale of credentials data commonly available.

Jim Rosenthal, co-founder and CEO, BlueVoyant, concluded: “This is an industry that has had to rapidly pivot to online learning, changing their standard methods of learning, practically overnight. The education sector is also under huge financial and regulatory pressure. Threat actors know that there are vulnerabilities to be exploited and they are taking advantage of these vulnerabilities at every opportunity - making it an imperative for universities to adopt a solid cybersecurity threat posture to ensure that the wealth of sensitive data is properly defended against adversaries.”

About BlueVoyant

BlueVoyant is an expert-driven cybersecurity services company whose mission is to proactively defend organizations of all sizes against today’s constant, sophisticated attackers, and advanced threats.

Led by CEO, Jim Rosenthal, BlueVoyant’s highly skilled team includes former government cyber officials with extensive frontline experience in responding to advanced cyber threats on behalf of the National Security Agency, Federal Bureau of Investigation, Unit 8200 and GCHQ, together with private sector experts. BlueVoyant services utilize large real-time datasets with industry leading analytics and technologies.

Founded in 2017 by Fortune 500 executives, including Executive Chairman, Tom Glocer, and former Government cyber officials, BlueVoyant is headquartered in New York City and has offices in Maryland, Tel Aviv, San Francisco, Manila, Toronto, London, and Latin America.

BlueVoyant Press Contacts:

Danielle Ostrovsky
C8 Consulting (USA)
T: 001 410-302-9459

Jim Pople
C8 Consulting (EMEA)
T: +44 7955 030191