Ransomware attacks are hitting universities hard, and they are feeling the pressure

Schools and universities are facing an unprecedented level of ransomware attacks as incidents continue to severely impact the education sector. 

The warning comes from Jisc, a not-for-profit organisation that provides network and IT services to higher education and research institutions. Jisc’s ‘Cyber Impact 2022’ report suggests there’s an increased threat of ransomware attacks against education. 

According to the report, dozens of UK universities, colleges and schools have been hit with ransomware attacks since 2020, causing disruptions for staff and students, and costing institutions substantial amounts of money. In some incidents, Jisc says impact costs have exceeded £2 million. 

SEE: Cybersecurity: Let’s get tactical (ZDNet special report)

And the attacks keep coming, as the report details how two universities and a further education and skills (FES) provider were hit by separate ransomware attacks during March 2022.

The institutions aren’t specified, but the report says each incident caused a significant impact as systems were taken down to prevent further spread of malware, and to safely recover and restore data. In one case, a third party was called in to help the organisation fully recover from the incident.  

According to Jisc, higher education views ransomware and malware as the top cybersecurity threat, followed by phishing and social engineering. 

The report suggests that one of the reasons universities have become such a common target for ransomware attacks is because of the pandemic-induced sudden shift to remote working for staff and students that inadvertently left institutions open to attack. 

For example, the switch to remote education led to a big rise in the use of remote desktop protocol, which can provide ransomware attackers with a route into networks.  

Cyber criminals can send out phishing emails to steal usernames and passwords, which they can use to enter networks via legitimate user accounts. It’s also possible for cyber criminals to use brute-force attacks to break into accounts that use common or previously breached passwords. 

“This underlines the importance of basic security controls being in place, such as protections against brute-force attacks,” says the report. 

While the threat posed by ransomware and other cyberattacks to higher education is well known, some institutions are struggling, particularly when IT and information security teams are hamstrung by a lack of resources. 

“We are doing our best, but all areas of IT support seem to be growing and requiring more attention and it’s one part of a larger role (where its importance should be far greater). The pandemic has only stretched us further,” an undisclosed FES provider told Jisc. 

SEE: These are the problems that cause headaches for bug bounty hunters

One of the steps that organisations can take to protect accounts from being hacked and exploited to help launch a ransomware attack is to provide all users with multi-factor authentication (MFA). According to Jisc, there has been a sharp rise in the number of institutions that have MFA in place, although it hasn’t yet been rolled out across the board yet.

It’s also recommended that universities encourage the use of strong, unique passwords, which makes them harder to guess and for cyber criminals to breach accounts, even if another account by the user has previously been stolen. 

In addition, it’s highly recommended that security patches are rolled out as soon as possible, so that devices, operating systems and software aren’t left exposed to known security vulnerabilities. 

MORE ON CYBERSECURITY

• This major ransomware attack was foiled at the last minute. Here’s how they spotted it
• The ransomware threat is getting worse. But businesses still aren’t taking it seriously
• Ransomware warning: There’s been another spike in attacks on schools and universities
• These Iranian hackers posed as academics in a bid to steal email passwords
• This company was hit with ransomware, but didn’t have to pay up. Here’s how they did it