Universities and colleges cope silently with ransomware attacks


Although some cybersecurity researchers say ransomware attacks are declining as cybercriminals grapple with declining payments, a series of recent ransomware attacks makes it feel as if the scourge has continued at the same rate, or even escalated. Nowhere is this more evident than in the higher education sector, with at least eight colleges and universities in North America reporting ransomware attacks since December 2022.

Recent incidents include:

  • On December 30, 2022, Bristol Community College in Attleboro, Massachusetts announced that it experienced network and internet function outages due to a potential ransomware attack.
  • In early January, a likely ransomware attack shut down access to campus network services at Okanagan College in the southern Interior of British Columbia, Canada.
  • Mount St. Mary's College in Newburgh, New York, confirmed on February 9 that it experienced a ransomware attack in December after the Vice Society ransomware group claimed credit for the incident on its leak site.
  • On February 25, Southeastern Louisiana University in Hammond, Louisiana reported a data breach and “network issues” believed to be a ransomware attack.
  • Tennessee State University in Nashville announced on February 26 that its IT systems were temporarily inaccessible due to a potential ransomware attack.
  • On March 1, College of the Desert, a community college in Palm Desert, California, announced that it was alerting about 800 people who may have been affected by a ransomware attack that occurred in July 2022, which took the school's phone and online services offline for almost a month.
  • On March 3, Gaston College, a community college in Dallas, North Carolina, announced that it was the victim of a ransomware attack by an unknown threat actor.
  • The Northern Essex Community College campuses in Haverhill and Lawrence, Massachusetts, were shut down in early March due to what is believed to be a ransomware attack.

Recent ransomware attacks on higher education institutions have also occurred outside of North America. In mid-January, the University of Duisburg-Essen (UDE) in Germany announced that it had been attacked by ransomware on November 22 after the threat group Vice Society claimed credit for the incident. Another German university, the Hamburg University of Applied Sciences (HAW Hamburg), admitted in early March that it was also affected by a ransomware incident on December 20, 2022, for which the Vice Society also claimed credit.

Cone of silence around ransomware attacks

It is impossible to know how many higher education institutions have been victims of ransomware attacks or if these incidents are increasing because institutions are more reluctant than most organizations to disclose the attacks or discuss any other aspect of cybersecurity. CSO sent interview requests to at least five university CISOs to discuss the challenges they face in managing their institutions' cybersecurity, all of which went unanswered. None of the CISOs contacted by CSO are employed at colleges or universities publicly known to be victims of ransomware attacks.

“It's always hard to know when you're tracking ransomware attacks because most of them are never publicly reported for a variety of reasons,” Allan Liska, threat intelligence analyst at Recorded Future, tells CSO. “However, we do know that there was at least a 10% increase in publicly reported ransomware attacks against colleges and universities in 2022 compared to 2021. We entered 2023 with what appears to be a continuation of that trend of increased attacks.”

Most organizations are reluctant to discuss ransomware attacks unless the situation is pressing. “Very few organizations, unless they end up on an extortion site, want to talk about the fact that they've been hit with ransomware,” Liska says. “But when you talk about a lot of colleges and universities, because they're part of the public sector, they often have state requirements as to what they can say and what they can't say.”

Beyond that, though, “There seems to be this unwillingness to share this information, I think mistakenly, under the perception that if you share that you got hit with a ransomware attack, it's going to cause other people to hit you or something like that,” Liska says. “I'm not quite sure what the logic behind that is, but it's definitely a problem. It makes it difficult for those of us who are trying to solve the problem because we can't fully understand what's going on because we don't know about most ransomware attacks. It makes it difficult to develop a good national strategy if people don't want to talk about it.”

Recorded Future recently issued FOIA requests for more information about ransomware attacks against colleges and universities in a specific state. “Every time they'd come back with the same thing, ‘due to the sensitive nature of this, blah blah blah, we can't share any information,’” Liska says. “They said I could reveal sensitive network stuff, which is complete [nonsense]. But that was the tactic they took. And I'm like, dude, your data is on an extortion site, so we know what happened. So there seems to be this unwillingness to share information.”

Attacks on the education sector are not disproportionately high

Some experts believe that the number of ransomware incidents affecting educational institutions, including universities, has remained constant in recent years. “I don't have the breakdown between local school districts and universities handy, but every year since 2019, there have been 84-89 incidents involving US K-12 and post-secondary schools,” Brett Callow, threat analyst at Emsisoft, tells CSO. “If anything, the numbers are surprisingly consistent and vary by five per year. It's as if [threat actors] are working on a quota.”

Adam Meyers, CrowdStrike's senior vice president of intelligence, believes that universities and colleges are no more of a target than most organizations. “I don't know if it's disproportionately higher than what we're seeing in other places,” he tells CSO. “You may see more mentions of it in the media and more stories about it, but I think ransomware threat actors are constantly changing targets looking for something that's going to pay and be interesting.”

Higher education, a favorite target of Vice Society

Russian threat actors drive the majority of ransomware attacks, including those targeting colleges and universities. “Most of these attackers, at least the main group, are based in Russia,” Liska says, clarifying that they are not state actors per se, but criminal groups that thrive while the Kremlin turns a blind eye to them. “When we're talking about ransomware-as-a-service, which I know some of these attacks are a part of, the affiliates can actually be spread all over the world, but still, the core development group is almost always based in Russia.”

Vice Society is one of the main culprits behind these attacks and is believed to be a Russian group. Last fall, the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a warning about Vice Society ransomware attacks that disproportionately target the education sector.

“Vice Society is the one that really looks active after schools, colleges and universities,” says Liska. “They've almost made, for lack of a better term, a run. Vice Society accounts for five to six percent of publicly reported ransomware attacks overall, but accounts for 30% of ransomware attacks against schools.”

Says Meyers, “I think it's not like there's a monolithic group of criminal actors. There are so many different affiliates.” But he also points to the Vice Society as one of the most significant threats to higher education institutions. “They've been targeting academia heavily and rolling out Red Alert Locker since January or February,” he says. Red Alert Locker is a third-party piece of malware that the Vice Society deploys in ransomware attacks.

“Talking about which groups are responsible is a bit misleading,” says Callow. “It's really which affiliates of those groups choose to target the education sector. That being said, there is a group called the Vice Society, which for some reason targets a lot of organizations in the education sector.”

Money is the reward, but data could be more important

In terms of what motivates ransomware attacks on colleges and universities, the main motive, of course, is money, even when the payouts are small. “People talk about ransomware gangs being great hunters, but they're really not,” says Callow. “They are opportunists and will take money wherever they can get it. They will go after even low sums. For example, we have seen LockBit try to squeeze $10,000 out of a community hospital in a low-income country.”

But Liska says, “Actually, we don't know if they make money from ransomware attacks. The education sector in general, so not just colleges and universities, but also primary schools, high schools, is actually one of the sectors least likely to pay a ransom.” They are less likely to pay “in part because they usually don't have the $100,000, $200,000, $500,000 that these bailout actors ask for, but also because they usually use state money or student money there.”

“If you're causing them to be unable to do admissions or enrollment or serve their student body and you're bringing negative attention to the university, that's the ransomware calculus,” Meyers says. “They're trying to create enough downtime or enough of an impact that it's cheaper to pay the ransom than it is to try to find a way to fight it.”

Although Callow believes that data stolen during ransomware attacks on colleges and universities is not of significant value, Liska does. “When you talk about a ransomware attack at this point, we're talking about double extortion,” he says. “So it's the data theft plus the encryption event. Student data can be very valuable. Social security numbers, names, addresses, all of that has secondary market value to sell to those who engage in identity theft.”

All threat actors are moving towards the double extortion model, Meyers says. “They don't have to deal with the complexity of cryptography and doing all the ransom attacks. I think we'll see ransomware play second fiddle to data extortion in the future. Weaponization is starting to become a favored tool for these threat actors.”

Copyright © 2023 IDG Communications, Inc.


