Malicious “ransomware” attacks — where a hacker takes control of the victim’s information systems and encrypts data, preventing the owner from accessing it until the victim pays a sum of money — are on the rise against colleges and universities. Higher education institutions are well-advised to increase their efforts to defend against this particularly damaging form of hacking.
In December 2016, Los Angeles Valley College, a member of the California Community College system, paid almost $28,000 to retrieve stolen data from an unidentified ransomware attack. Similarly, the University of Calgary in June 2016 paid $16,000 to recover stolen emails. These sums drastically exceed the FBI’s Internet Crime Complaint Center’s estimated fee range in 2015 of between $200 and $10,000. This suggests that ransom fees may continue to increase.
Ransomware attacks on data increased four-fold in 2016, estimated by the United States Justice Department as approximately 4,000 attacks per day in the United States. The increase in attacks has largely been attributed to victim compliance with hacker demands.
The retail and healthcare industries have been identified as popular targets due to the sensitive and valuable data they possess. Surprisingly though, reports for 2016 indicate the education sector is most targeted by ransomware, with 13% of all higher education institutions experiencing ransomware attacks on their networks in 2016, according to a report from Bitsight Insights. This rate is higher than in other targeted industries: 5.9% of government, 3.5% of healthcare, and 3.2% of retail.
“Campus IT networks are generally of open-nature with broad use of social media by students and employees. Further, there are often limited network controls in place, compared with other targeted industries. As a result, campus networks are both vulnerable and enticing for hackers,” Principal Monica Khetarpal explained. A ransomware attack can disrupt computers, faculty and student networks, online classes, email, and even voice mail systems. Higher education institutions have become particularly vulnerable to a form of ransomware attack that infects the data system through malware found in email — known as “spear phishing.” Hackers disguise malicious emails with language that appears personalized and legitimate, containing a link or attachment.
How can I protect my institution from an attack?
Prepare. Prepare. Prepare.
Start with the right team. A key component of the team will be either the internal IT department or a third-party vendor that provides IT services. However, these professionals are not always well-versed in data security, in the latest techniques used by bad actors to access systems, or in the latest strategies to recover data encrypted by hackers. The IT department or third-party vendor may say, “We got this,” but the stakes are too high not to verify the team’s preparedness to handle ransomware and other forms of malware. Get help if necessary to gauge whether the IT team has all of the right capabilities.
Secure the systems. With the right team in place, steps that should be taken to stop an attack before it happens include the following:
- Conduct a risk assessment and penetration test to understand the potential for exposure to malware. This includes understanding the websites visited by users on the campus system and their other activities online. This is particularly important for a higher education institution because of the wide variety of social media used by students.
- Implement technical measures and policies that can prevent an attack, such as endpoint security, email authentication, regular updates to virus and malware protections, and intrusion prevention software and web browser protection. Monitor user activity for unauthorized and high risk activities.
Make the student body, faculty, and staff aware of the risks and the steps they need to take in case of an attack. In many cases, campus network users are unaware of these kinds of attacks and how they can occur. Education can be a critical prevention tool. This includes the following:
- Educate faculty, administrators, and students on how to recognize phishing attacks and dangerous sites — say it, show them, and do it regularly. On campuses, this should include showing students and faculty how to identify unsolicited links and attachments in emails. It may help to explain that they can be victims, too. For example, at Portland State University, hundreds of students were attacked by ransomware sent through email over spring break. One student was unable to access his dissertation paper due to the attack. With no backup version saved, he was forced to pay a $600 ransom to retrieve his stolen data.
- Instruct them on what to do immediately if they believe an attack occurred. This might include notifying the IT department, disconnecting their computer from the campus’s network, and other measures.
- Also instruct them on what not to do. For example, deleting system files may make it more difficult, if not impossible, later on to forensically determine the source of the problem and what happened.
Maintain backups. This is the simplest method for preventing the ill effects of an attack. Back up data early and often, and keep backup files disconnected from the network. Certain ransomware can detect backups and infect them with malware as well, so it is important that the backup is kept offline. Institutions that can rely on backups to be up and running quickly, without being forced to cooperate with (or pay) the ransomware attacker, are in a much better position to remediate the attack.
Develop and practice a “Ransomware Game Plan.” A higher education institution already should have incident response plans that address a number of issues, including breaches of personal information. Key components in such a plan may include the following:
- Identify the internal team (e.g., vice presidents for administration and student affairs, academic leadership, general counsel, and IT staff) and the allocation of responsibilities.
- Identify the external team (e.g., insurance carrier, outside counsel, forensic investigator, and public relations) and involve them in the planning processes before an attack occurs.
- Outline steps for continuity on campus during the attack, including using backup files and new equipment, safeguarding systems, and updating staff, students, and faculty as necessary. This may mean restoring the network temporarily on a limited basis, for example, making phones operational, but not voice mail, rerouting online courses to an external site, and limiting email access in infected areas of the campus.
- Plan to involve law enforcement and other agencies as applicable, such as the FBI, Internal Revenue Service, or Office for Civil Rights. This includes making contacts before an attack, which may help expedite access to assistance in the event of an attack.
- Plan to identify, assess, and comply with legal and contractual obligations, including statutory and contractual notification obligations based on the nature and extent of the access to information.
- Finally, practice the plan with internal and external teams and review and update the game plan, including after an incident to improve performance.
How should an institution respond to an attack?
Consult legal counsel. Ransomware attacks may trigger obligations under federal and state privacy laws, such as HIPAA and state breach notification laws. They also may require an affected institution to comply with other regulatory and contractual requirements. Consulting an experienced attorney upon discovery of a ransomware attack will help guide the institution through an expedited and appropriately privileged investigation and ensure the organization complies with applicable legal requirements.
Notify cyber liability insurer. This step is essential not only to ensure applicable coverage, but also because the insurance contact likely will be able to provide valuable early-stage guidance, such as on retention of qualified data security professionals to investigate the ransomware incident and on implementation of appropriate measures to mitigate existing and future risk.
Investigate the incident. Internal or outside data security professionals should immediately launch (and document) an investigation of the incident at the direction of counsel. This investigation should include, at minimum, analysis of:
- When the incident occurred.
- The methods the hackers used to carry out the attack, including the attributes of the malware involved.
- Which systems were affected.
- The nature of the data affected, e.g., was protected health information (“PHI”) or personal information accessed or acquired. (Most state breach notification laws define personal information as the affected individual’s full name, or first initial and last name, in combination with any of the following data elements: (i) social security number; (ii) government identification card number; or (iii) account number or credit/debit card number with any required security code, access code, or password.)
- The states in which the individuals whose data was affected work or reside.
- Whether there is evidence that the affected data was exfiltrated to the attacker’s servers or elsewhere.
- Whether the attack is completed or ongoing; if the latter, whether additional systems have been compromised.
- What mitigation measures were and are in place. For example:
  - Were the affected files encrypted, and, if so, is there evidence that the hackers successfully decrypted those files?
  - What data backup, disaster recovery, or data restoration plans were in place?
  - What post-discovery steps were taken to prevent continued or future acquisition, access, use, or disclosure of the compromised data?
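As an added illustration (not part of the original alert), the following Python script shows how an investigation team might scope affected records against the personal-information definition quoted above, counting which records pair a name with a sensitive data element and which states' residents are involved. The sample records and the pattern rules are constructed for demonstration and are simplifications, not legal tests.

```python
"""Scope affected records for breach-notification analysis: a record counts as
personal information when a full name (or first initial and last name) appears
together with an SSN, government ID number, card number, or account number
plus a code/password. Patterns below are simplified illustrations."""
import re
from collections import Counter

# Data elements named in the typical state breach-law definition.
ELEMENT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "gov_id": re.compile(r"\b(?:DL|ID|PASSPORT)[-: ]?[A-Z0-9]{6,12}\b", re.I),
}
# An account number only counts when paired with a required code or password.
ACCOUNT_RE = re.compile(r"\baccount(?: number| no\.?)?[:# ]+\d{6,}\b", re.I)
SECRET_RE = re.compile(r"\b(?:pin|password|access code|security code)\b[:# ]*\S+", re.I)
# "Full name" or "first initial plus last name", per the definition in the text.
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b|\b[A-Z]\. [A-Z][a-z]+\b")


def find_elements(text):
    """Return the set of sensitive data elements present in one record."""
    found = {label for label, pat in ELEMENT_PATTERNS.items() if pat.search(text)}
    if ACCOUNT_RE.search(text) and SECRET_RE.search(text):
        found.add("account_with_code")
    return found


def is_personal_information(text):
    """True only when a name co-occurs with at least one data element."""
    return bool(NAME_RE.search(text)) and bool(find_elements(text))


def summarize(records):
    """records: list of (state_of_residence, record_text).
    Returns the count of personal-information records and a per-state tally,
    which feeds the 'which states' item of the investigation checklist."""
    states = Counter()
    pi_count = 0
    for state, text in records:
        if is_personal_information(text):
            pi_count += 1
            states[state] += 1
    return {"pi_records": pi_count, "states": dict(states)}


# Constructed sample of affected records (hypothetical data).
SAMPLE_RECORDS = [
    ("NJ", "Student: Maria Lopez, SSN 123-45-6789, enrolled Fall 2016"),
    ("CT", "J. Smith account number 44556677 PIN: 9921"),
    ("FL", "Lab inventory: centrifuge serial 000-00-0000"),  # SSN-like, no name
    ("FL", "Alumni card 4111 1111 1111 1111 no name on file"),  # card, no name
    ("OR", "Dissertation draft, chapter 3"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
```

The name requirement matters: an SSN-shaped serial number or a card number stored without an identifying name does not by itself meet the definition, and the script records that distinction rather than over-counting.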
Responding to Ransom Fee Demands
Although it is tempting to simply pay the ransom and move on, there are serious risks to this approach. Payment of the ransom fee is unlikely to make the problem disappear. There is no guarantee the institution will regain full access to its data after the ransom is paid. Moreover, the institution must evaluate whether the ransomware attack triggered legal obligations under federal or state privacy laws or other regulatory or contractual requirements.
Determining the institution’s legal obligations in responding to a ransomware attack requires a fact-specific inquiry. For institutions with HIPAA obligations, for example, guidance from the Department of Health and Human Services indicates that a ransomware attack is presumed to be a breach triggering HIPAA obligations, unless the affected organization can demonstrate that there is a low probability that PHI has been compromised. This can be particularly complicated for a higher education institution where often only parts of the institution are subject to HIPAA regulations.
Further, during some ransomware attacks, hackers do not simply block the user’s access to its data, but also exfiltrate that data to external locations, or destroy or alter it. Accordingly, institutions subject to the data breach laws of any state may be required to take certain actions in the event of a ransomware incident.
In addition, under the data breach laws of certain states (such as New Jersey, Connecticut, Florida, Kansas, and Louisiana), unauthorized access to personal information constitutes a breach, even absent evidence that the personal information accessed actually was acquired or exfiltrated from the system. Institutions whose affected students and employees study or work in these states (or have returned home and are accessing the campus network remotely) thus face increased risk that a ransomware incident will trigger breach notification obligations.
Incidents of ransomware and similar attacks show no sign of slowing in 2017 and beyond. Colleges, universities, and all educational institutions are custodians of sensitive personal information of students, faculty, and employees, as well as vast amounts of data critical to advancing the institutions’ mission. Accordingly, these institutions must take steps to plan for and respond to such attacks appropriately in the unfortunate event that they occur.