Ransomware still a Top Cyber Security Threat for Schools

18/04/18
Resources

Ransomware is described by the BBC as computer viruses that threaten to delete your files unless you pay a ransom. Like other computer viruses, it usually finds its way onto a device by exploiting a security hole in vulnerable software or by tricking somebody into installing it.

According to the Verizon 2018 Data Breach Investigations Report (the Report), ransomware attacks have doubled since 2017, and education was reported as one of the top sectors in social breaches. In a wake-up call for schools, the report found that 68% of breaches took months or longer to discover, even though 87% of the breaches examined had data compromised within minutes or less of the attack taking place.

What is ransomware?

The CSO says that there are a number of ways ransomware can access a computer. One of the most common delivery systems is phishing spam — attachments that come to the victim in an email, masquerading as a file they should trust. Once they're downloaded and opened, they can take over the victim's computer, especially if they have built-in social engineering tools that trick users into allowing administrative access.

There are several different ways attackers choose the organisations they target with ransomware. Sometimes it's a matter of opportunity: for instance, attackers might target universities because they tend to have smaller security teams and a disparate user base that does a lot of file sharing, making it easier to penetrate their defences. On the other hand, some organisations are tempting targets because they seem more likely to pay a ransom quickly. For instance, government agencies or medical facilities often need immediate access to their files. Law firms and other organisations with sensitive data may be willing to pay to keep news of a compromise quiet.

Some of the biggest ransomware attacks that schools will be familiar with from news accounts include Petya (in 2016), WannaCry (in 2017) and Uiwix (late 2017).

Key findings from the report

The Report found that social engineering (deceiving individuals into divulging personal information) occurs regularly, and that the information obtained is then used as the basis for identity fraud. Highly sensitive research is also at risk, with 20% of attacks motivated by corporate espionage. A further 11% of attacks have "fun" as the motive rather than financial gain. Insider threats are one of the most common causes of ransomware attacks: these include malicious employees and, in one in five breaches, human error such as employees failing to shred confidential information, sending an email to the wrong person or misconfiguring web servers.

In the education sector, the Report confirmed that there were 101 breaches out of 292 incidents in the last year, with 81% of these attacks being from external sources and 72% of the attacks targeting personal details for the purposes of obtaining data for identity fraud.

The Report also found that 68% of breaches in schools took months or longer to discover, even though 87% of the breaches examined had data compromised within minutes or less of the attack taking place. Last year, the education sector witnessed one of the largest increases in data breaches, up by 103% over the previous half-year, with an increase of more than 4,000% in the number of records lost, stolen or compromised. Ransomware attacks can cripple a school's network, and are often spread through phishing attacks proliferated through email.

The Report also outlined the techniques used by 90%-94% of ransomware attackers, including:

  • web applications
  • miscellaneous errors
  • point of sale
  • privilege misuse
  • cyber espionage
  • lost and stolen assets
  • crimeware, and
  • payment card skimmers.

With the release of the first quarterly report from the Office of the Australian Information Commissioner (OAIC) since the introduction of the Notifiable Data Breaches (NDB) Scheme, it has also been revealed that the top five sectors that notified the OAIC of eligible data breaches were health service providers (24% of notifications), legal, accounting and management services (16%), finance (13%), private education (10%), and charities (6%). Of the breaches notified to the OAIC, 44% involved a malicious or criminal attack such as ransomware, indicating the importance of schools implementing proactive steps before an NDB occurs.

Next steps for schools

The Report said that while safety cannot be guaranteed, proactive steps can be taken to help keep schools from being victims. These include:

  • stay vigilant - log files and change management systems can give you early warning of a breach. Additionally, don't install software or give it administrative privileges unless you know exactly what it is and what it does.
  • make people your first line of defense - train staff to spot the warning signs and deal with personal data appropriately.
  • keep data on a “need to know” basis - only employees that need access to systems to do their jobs should have it - this can also be referred to as enforcing the least-privilege user access (LUA) principle on all computer systems.
  • patch promptly - this could guard against many attacks. This includes installing antivirus software, which detects malicious programs like ransomware as they arrive, and whitelisting software, which prevents unauthorised applications from executing in the first place.
  • encrypt sensitive data - make your data next to useless if it is stolen.
  • back up your files, frequently and automatically.
  • use two-factor authentication - this can limit the damage that can be done with lost or stolen credentials.
  • don’t forget physical security - not all data theft happens online.
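The first step above, "stay vigilant", depends on someone actually looking at the log files. The following script is an added example (not code from the article or from Verizon or the OAIC) of what that early warning can look like in practice: it scans file-server audit log lines for the footprint a ransomware infection leaves behind, namely one account renaming many files to an unfamiliar extension within a short window and writing a ransom-note file. The log format, the sample lines, the account names and the thresholds are all constructed for this example; a real deployment would read the audit log of the school's own file server and tune the thresholds to its normal activity.

```python
"""Added example: ransomware early-warning check over file-server audit logs.

The log format is assumed (one event per line: ISO timestamp, account,
action, path, and for RENAME the new path after '->'); the sample lines,
account names and thresholds are constructed for this example.
"""
import os
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log. 'lab-pc3' shows the pattern of interest:
# a burst of renames to a new extension followed by a ransom-note file.
SAMPLE_LOG = """\
2018-04-18T09:00:01 jsmith OPEN   /shares/staff/reports/term1.docx
2018-04-18T09:00:02 jsmith WRITE  /shares/staff/reports/term1.docx
2018-04-18T09:15:10 abrown OPEN   /shares/staff/rolls/year7.xlsx
2018-04-18T10:02:00 lab-pc3 RENAME /shares/students/essay1.docx -> /shares/students/essay1.docx.locked
2018-04-18T10:02:00 lab-pc3 RENAME /shares/students/essay2.docx -> /shares/students/essay2.docx.locked
2018-04-18T10:02:01 lab-pc3 RENAME /shares/students/photo.jpg -> /shares/students/photo.jpg.locked
2018-04-18T10:02:01 lab-pc3 RENAME /shares/students/notes.txt -> /shares/students/notes.txt.locked
2018-04-18T10:02:02 lab-pc3 RENAME /shares/students/marks.xlsx -> /shares/students/marks.xlsx.locked
2018-04-18T10:02:02 lab-pc3 RENAME /shares/students/plan.pptx -> /shares/students/plan.pptx.locked
2018-04-18T10:02:03 lab-pc3 WRITE  /shares/students/README_TO_RECOVER.txt
2018-04-18T10:30:00 abrown WRITE  /shares/staff/rolls/year7.xlsx
"""

# Thresholds are assumptions for the example, not figures from the report.
WINDOW = timedelta(seconds=60)      # how close together renames must be
BURST_THRESHOLD = 5                 # renames inside one window that raise an alert
NOTE_MARKERS = ("recover", "decrypt", "restore")  # fragments typical of ransom-note names


def parse_line(line):
    """Parse one audit line into a dict; returns None for blank or short lines."""
    fields = line.split()
    if len(fields) < 4:
        return None
    event = {
        "ts": datetime.fromisoformat(fields[0]),
        "account": fields[1],
        "action": fields[2],
        "path": fields[3],
        "new_path": None,
    }
    if event["action"] == "RENAME" and len(fields) >= 6 and fields[4] == "->":
        event["new_path"] = fields[5]
    return event


def new_extension(event):
    """Extension of the renamed-to path (e.g. '.locked'); None if not a rename."""
    if not event["new_path"]:
        return None
    return os.path.splitext(event["new_path"])[1] or None


def detect(log_text):
    """Return a list of alerts, each a dict with account, reason, detail and first_seen."""
    alerts = []
    renames = defaultdict(list)           # account -> rename events
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        if event["action"] == "RENAME":
            renames[event["account"]].append(event)
        elif event["action"] == "WRITE":
            # A newly written file whose name reads like a ransom note.
            name = os.path.basename(event["path"]).lower()
            if any(marker in name for marker in NOTE_MARKERS):
                alerts.append({"account": event["account"], "reason": "ransom_note",
                               "detail": event["path"], "first_seen": event["ts"]})
    for account, events in renames.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            # All renames by this account within WINDOW of the i-th one.
            burst = [e for e in events[i:] if e["ts"] - start["ts"] <= WINDOW]
            if len(burst) >= BURST_THRESHOLD:
                top_ext = Counter(new_extension(e) for e in burst).most_common(1)[0][0]
                alerts.append({"account": account, "reason": "rename_burst",
                               "detail": f"{len(burst)} renames to {top_ext} within {WINDOW}",
                               "first_seen": start["ts"]})
                break                     # one burst alert per account is enough for triage
    alerts.sort(key=lambda a: a["first_seen"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f'{alert["first_seen"]} {alert["account"]:8} {alert["reason"]:13} {alert["detail"]}')
```

Both checks are deliberately simple so that the thresholds can be reasoned about: a teacher saving a handful of files will never trip the rename burst, while an infection that touches a whole share will trip it within its first minute, which is the gap the Report's "months to discover" figure describes. The note-name check is the noisier of the two (a legitimately named "how_to_recover_password.txt" would match), so an alert from it should be corroborated with a rename burst before anyone is paged.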

And last but not least, schools should champion a culture of compliance by making sure that their partners, business process outsourcers and professional/technical service providers are compliant with all data security regulations, follow best practices and have a comprehensive incident response plan in place.

About the Author

Lauren Osbich
