The latest university cyberattack has reignited the discussion of internet and data safety in higher education. Monroe College is the latest target, with many of its technology systems disabled and the hackers demanding around $2 million in Bitcoin to restore access. Schools must be aware of the prevalence of ransomware and should consider steps to mitigate their risk of attack.
Ransomware covers a broad range of attacks including malware or a virus that prevents users from accessing their systems or data until the hackers have been paid. This form of cyberattack has been on the rise in recent years and has increased by 195% from the fourth quarter of 2018 to the first quarter of 2019. A ransomware attack may not merely block access to files temporarily, it could cripple an organization’s operation, or even an entire city. In May of 2018, Atlanta city officials reported that its internal systems were being held hostage by ransomware, with the hackers demanding $51,000 in bitcoin payments. The attack shut down the city’s computer systems, causing system-wide computer outages and rendering online bill paying services and law enforcement data unavailable. It even stalled operations at the world’s busiest airport, Hartsfield-Jackson International.
One survey indicates that sixty-three percent of organizations experienced an attempted ransomware attack in 2017, but certain types of organizations may be more vulnerable to attacks than others. Educational institutions have been shown to have 10 times the rate of ransomware infections found in the finance industry and 3 times the rate of healthcare organizations. Colleges and universities are especially vulnerable to attacks since their networks must allow open access to employees and students.
Once attacked, colleges must decide whether or not to pay the ransom or attempt to recover the data themselves. The Los Angeles Valley College faced this dilemma when hackers took control of the campus email system and computer network. The school consulted with outside cybersecurity experts who determined that making a payment would offer an extremely high probability of restoring access to the systems, while failure to pay would virtually guarantee that the data would be lost. LAVC decided to pay the $28,000 ransom in bitcoin and then received a “key” to unlock files. Even after paying the ransom, the school had to go through the lengthy process of “unlocking” hundreds of thousands of files manually.
LAVC is not alone in its experience. Many schools of varying size and nature have experienced recent ransomware attacks that are publicly known and several more have addressed attacks that have not yet made the headlines. Most schools do not disclose the amount of money the hackers demanded or whether the ransom was paid in an attempt to deter the behavior. Even major universities, like the University College London, are not immune from hackers. UCL, with the largest postgraduate enrollment in the United Kingdom was hit by a “major” ransomware attack which brought down its shared drives and student management system.
Higher education institutions should be proactive in protecting their systems from hackers. Risk assessments assist in determining servers’ potential weaknesses. Having a tested response plan (with assigned roles and responsibilities) in place prior to an incident is invaluable to an efficient and effective response to a ransomware attack. All parts of the enterprise, including students should be educated regularly on the dangers of phishing emails and harmful malware, and we recommend training in those areas.
To learn more about current problems, particular areas of weakness and tips for cybersecurity at higher education institutions, please join us on September 17, 2019 for a 90-minute webinar on this crucial topic.
Katie Wendel is a member of the firm’s Corporate & Securities, Higher Education and Nonprofit practices. Jim Shreve is chair of Thompson Coburn's Cybersecurity group. Many thanks to summer associate Evelyn Clark for assistance in writing this post.