How the UK’s education sector can tackle a new ransomware spike: Part I

by Jonathan Wharton-Street

Ransomware threats have been building for several years. With the barrier to entry lowered considerably thanks to “as-a-service” affiliate programmes, threat groups have thrived. Along with healthcare, the education sector was hard hit during the height of the pandemic, particularly in the UK. Unfortunately, the risks are no less acute in 2021: the National Cyber Security Centre (NCSC) has recently issued a new alert warning of a surge in attacks on schools, colleges and universities. 

From speaking with customers in the education sector, we understand that the lack of centralised visibility and management across hybrid environments has put a strain on the resources needed to manage disparate systems and consoles from multiple vendors. More importantly, it has created a risk of threats being missed, or of delays in spotting them until it is too late. We also understand that third-party research, which brings much-needed revenue to higher education customers, is the area they are most concerned about protecting from ransomware.

In this first of a mini blog series on ransomware in the education sector, we take a look at the scale of the threat, and where resources should be best directed to mitigate it.

In the crosshairs
The education sector has become a favoured target for ransomware groups for several reasons. Institutions’ IT teams are seen as less well-resourced than those of many private sector organisations, and therefore more vulnerable to sophisticated attacks. Thanks to COVID-19 delays, they are also under tremendous pressure to remain open to help students catch up on many lost hours of learning. When it comes to double extortion tactics, there’s also plenty of sensitive data that could be used as leverage to force a ransom payment—ranging from university research to financial and personal details on staff, students and parents.

The NCSC claimed that recent attacks have also led to the loss of student coursework and COVID-19 testing data.

Another unique challenge facing the sector relates to network design. IT security teams must manage dispersed campus networks with large numbers of diverse users and devices—maintaining open access without inviting additional cyber-risk. The threat of unauthorised access multiplies further during periods of remote studying under lockdown.

What the report says
The NCSC warned of four key remote access techniques that education institutions must guard against:

Remote Desktop Protocol (RDP): the most common vector for network incursion, because RDP was used extensively by home workers during the pandemic. Attackers phish, brute force or even buy credentials on the dark web to hijack these endpoints.

VPN vulnerabilities: the report pointed to numerous bugs in products by Citrix, Fortinet, Pulse Secure, Palo Alto Networks and other vendors which have been exploited over the past two years to access networks. Once again, the shift to remote learning and growing use of VPNs has driven up attacks.

Phishing: a tried-and-tested method for deploying ransomware and other malware, usually via malicious link or booby-trapped attachments.

Other vulnerabilities: it’s not just VPNs that are exposed to exploits. Unpatched devices running buggy software such as Microsoft Exchange Server are also at risk of exploitation in ransomware attacks, as are legacy Windows and Linux systems.

Once they have gained a foothold in education networks, attackers typically use legitimate tooling like Mimikatz, PsExec and Cobalt Strike to move laterally and escalate privileges without setting off any alarms. According to the NCSC, scripting environments like PowerShell are also used to deploy ransomware more covertly, while backup and auditing devices are sometimes sabotaged to make data recovery more difficult.
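The post-foothold tooling described above does leave traces in Windows event logs, and a small detection pass over them is the kind of alarm the NCSC report implies is missing. The following is an added example, not code from the original post or from Trend Micro; the event records, hostnames, users and paths are constructed, and the three rules (PsExec's PSEXESVC service install, an encoded PowerShell command line, and a credential-dumping binary run by name) are illustrative rather than a complete rule set.

```python
import base64
import re

# Constructed sample events, loosely modelled on Windows System (7045: service
# installed) and Security (4688: process created) fields as a SIEM ingests them.
# Hosts, users and paths are hypothetical; the encoded payload is harmless.
ENCODED = base64.b64encode("Get-Service".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "lib-pc-07", "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"event_id": 4688, "host": "lib-pc-07", "user": "STAFF\\jdoe", "command_line": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED}"},
    {"event_id": 4688, "host": "admin-ws-02", "user": "STAFF\\itadmin", "command_line": "powershell.exe -File C:\\scripts\\backup-check.ps1"},
    {"event_id": 4688, "host": "lib-pc-07", "user": "STAFF\\jdoe", "command_line": "C:\\Users\\jdoe\\Downloads\\mimikatz.exe"},
]

# PowerShell accepts abbreviated forms of -EncodedCommand; match the common ones.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_powershell(command_line):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return (alert_name, detail) for a suspicious event, or None if it looks benign."""
    if event["event_id"] == 7045:
        # PsExec installs a service called PSEXESVC on the target before running
        # its command, so an unexpected install is a strong lateral-movement signal.
        if event.get("service_name", "").upper() == "PSEXESVC":
            return ("psexec_service_install", event.get("image_path", ""))
        return None
    if event["event_id"] == 4688:
        cmd = event.get("command_line", "")
        # Filename match only: a renamed binary evades this, so pair it with
        # LSASS access auditing in production rather than relying on the name.
        if "mimikatz" in cmd.lower():
            return ("credential_dumper_execution", cmd)
        decoded = decode_powershell(cmd)
        if decoded is not None:
            return ("encoded_powershell", decoded)
    return None

def alerts(events):
    """Evaluate every event and return (host, alert_name, detail) tuples."""
    hits = [(e["host"], classify(e)) for e in events]
    return [(h, a[0], a[1]) for h, a in hits if a]
```

Running `alerts(SAMPLE_EVENTS)` flags three of the four records and leaves the scripted backup check alone; the decoded PowerShell text is returned so an analyst can read what was hidden rather than just that something was.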

Time for defence
It goes without saying that ransomware attacks are best prevented, or at least caught as early as possible. Recent raids on the University of Portsmouth and the University of Hertfordshire caused major disruption for students lasting days, as well as reputational damage for the institutions themselves. Remediation, clean-up and lost teaching hours can also take their toll financially.

In the next part of this mini-series we’ll be taking a look at what schools, colleges and universities can do to mitigate the escalating threat, including how Trend Micro solutions can help and what best practice security guides you can follow.
