University ransomware attacks continue to rise in 2020. The mixture of a soft target and a large amount of personal data makes these institutions a treasure trove for bad actors. Michigan State University, University of California, San Francisco (UCSF), and Columbia College Chicago have all fallen victim specifically to NetWalker ransomware attacks over the past month. Netwalker is known to exfiltrate data and a large majority of the time gives a short deadline to either pay the ransom or they leak the information.
These attacks were similar in nature with what we can assume is very important private information being lifted from the university databases. The twitter account @ransomleaks released images of the data that was placed on NetWalker’s blog and it appears Michigan State did have sensitive information stolen. One piece that seemed to be true across these attacks was the lack of any incident response planning or preparation.
The responses to these attacks varied widely from school to school including downtime at the universities all the way to their public announcements. UCSF and Columbia College each had information on NetWalker’s Dark Web blog that has since been removed. Based on prior experience with Netwalker this leads us to believe they paid their ransom request. Michigan State, on the other hand, still has information on the blog. They publicly acknowledged they will not be paying the ransom, and they have since recovered business systems impacted by this attack.
Why is the higher education industry being targeted? Simply put, they hold a huge amount of sensitive student and government information that is extremely valuable on the dark web. As more and more students apply for graduate school, since most GRE application are being waived, universities and colleges hold more student data than ever before. This includes not only their basic information, but also Social Security numbers and even FASFA details. On top of this, the large majority of universities do not have proper incident response plans, or continuous monitoring in place to immediately detect and neutralize threats. Netwalker ransomware like many other ransomware variants typically begins as an email received into the environment that contains an attachment regarding current events such as Covid-19. This social engineering attempt is a basic attempt that has been utilized by bad actors throughout 2020 to increase the likelihood of clicking on malware. Being able to protect endpoints immediately after clicking the attachment is a critical layered defense for those times email spam filters can’t keep up. On top of this, having a 24/7 Security Operations Center monitoring these events for universities working around the clock, and many times across the globe, is critical for the success of these organizations. SpearTip predicts universities hit with ransomware will continue to grow throughout this quarter, and we have only seen the tip of the spear.
24/7 Breach Response: 833.997.7327