The FBI recently issued a Flash alert warning higher education institutions, K-12 schools, and seminaries about increasing numbers of ransomware attacks affecting the education industry. According to the warning, “[s]ince March 2020, the FBI has become aware of PYSA ransomware attacks against U.S. and foreign government entities, educational institutions, private companies, and the healthcare sector by unidentified cyber actors.”

The ransomware attacks are initiated by gaining unauthorized access to networks either by exploiting Remote Desktop Protocol (RDP) credentials or phishing.  Then the PYSA ransomware extracts sensitive information and encrypts files with the .pysa extension.  In some circumstances, the attackers sell the extracted information on the dark web.  The FBI reports that some criminals will also remove the malicious files after deployment, thus making it even more difficult for the victims to discover what has happened.

The FBI does not recommend paying any ransom as it emboldens and encourages more criminal conduct.  Acknowledging that many educational institutions might choose to pay after determining few other options exist, the FBI points out that there is no guarantee that paying any ransom will result in the return of the data.

The FBI also suggests schools implement mitigation steps as follows:

  • Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement network segmentation.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multifactor authentication where possible.
  • Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update anti-virus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organization.
  • Disable hyperlinks in received emails.
  • Focus on awareness and training. Provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
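One way to act on the “monitor remote access/RDP logs” item above, as an added example that is not from the FBI alert or this post: flag a source address that racks up repeated failed RDP logons and then succeeds, which is what credential guessing against an exposed RDP service looks like in the logs. It assumes a simplified one-line export of Windows Security events 4625 (failed logon) and 4624 (successful logon) with the logon type, source address and account name; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed export layout (not a native Windows format):
#   "<timestamp> <event_id> <logon_type> <source_ip> <account>"
# Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
LINE_RE = re.compile(r"^(\S+) (4624|4625) (\d+) (\S+) (\S+)$")

# Constructed sample: one source guesses several accounts over RDP and finally
# gets in; a second source is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
2020-09-01T02:10:01 4625 10 203.0.113.7 admin
2020-09-01T02:10:03 4625 10 203.0.113.7 administrator
2020-09-01T02:10:05 4625 10 203.0.113.7 jsmith
2020-09-01T02:10:07 4625 10 203.0.113.7 jsmith
2020-09-01T02:10:09 4625 10 203.0.113.7 jsmith
2020-09-01T02:10:30 4624 10 203.0.113.7 jsmith
2020-09-01T08:15:00 4625 10 198.51.100.4 mlee
2020-09-01T08:15:20 4624 10 198.51.100.4 mlee
2020-09-01T09:00:00 4625 3 192.0.2.9 svc_backup
"""


def find_rdp_guessing(lines, threshold=5):
    """Return {source_ip: (failures_before_success, account)} for every source
    that accumulated at least `threshold` failed RDP logons and then logged on
    successfully over RDP. Non-RDP logon types are ignored."""
    failures = defaultdict(int)
    hits = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or unrelated lines
        _, event_id, logon_type, src, account = m.groups()
        if logon_type != "10":
            continue  # only RemoteInteractive (RDP) logons matter here
        if event_id == "4625":
            failures[src] += 1
        elif failures[src] >= threshold:
            hits[src] = (failures[src], account)
            failures[src] = 0  # reset so a later burst is reported separately
    return hits


if __name__ == "__main__":
    for src, (count, account) in find_rdp_guessing(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {count} failed RDP logons, then success as {account}")
```

Lower the threshold on a small network to also surface the single-failure case; in practice the same logic would run against a real event export rather than the embedded sample.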

Criminals are apparently not taking any time off during this pandemic, and in fact by all accounts have increased their attacks, particularly targeting entities whose attention is diverted to dealing with the fallout of the Covid-19 crisis. In particular, educational institutions across the country have faced a recent onslaught of ransomware attacks, often crippling an already vulnerable infrastructure just as classes were set to resume. Check Point Research recently published a report advising that cyber-attacks targeting academic institutions increased 30 percent between July and August (with upwards of 600 attacks per week). Although the research does not reveal why the surge occurred, it is likely not a coincidence that Covid-19 has compelled schools to utilize and vastly expand the use of new and unfamiliar technologies that allow remote learning, which in turn may have opened up new opportunities for cybercriminals to attack. In addition, although financial resources were spent on acquiring new technologies, the same expenditures were not necessarily invested in associated security.

Oftentimes cyber-attacks start with a phishing email that, once opened, allows cybercriminals to gain access to an organization’s infrastructure over time. As attention has been diverted to dealing with emergency Covid-19 issues, organizations have fewer resources focused on cyber-attacks. Accordingly, as the Covid-19 emergency persists, educational institutions must be sure not to lose focus on monitoring for cyber-attacks. Failing to expend the additional resources on cybersecurity prevention and monitoring could very likely cost the school significantly more in the long run.