Ransomware is described by the BBC as computer viruses that threaten to delete your files unless you pay a ransom. Like other computer viruses, it usually finds its way onto a device by exploiting a security hole in vulnerable software or by tricking somebody into installing it.
According to the Verizon 2018 Data Breach Investigations Report (the Report), ransomware attacks have doubled since 2017, and education was reported as one of the top sectors in social breaches. In a wake-up call for schools, the report found that 68% of breaches took months or longer to discover, even though 87% of the breaches examined had data compromised within minutes or less of the attack taking place.
The CSO says that there are a number of ways ransomware can access a computer. One of the most common delivery systems is phishing spam — attachments that come to the victim in an email, masquerading as a file they should trust. Once they're downloaded and opened, they can take over the victim's computer, especially if they have built-in social engineering tools that trick users into allowing administrative access.
There are several different ways attackers choose the organisations they target with ransomware. Sometimes it's a matter of opportunity: for instance, attackers might target universities because they tend to have smaller security teams and a disparate user base that does a lot of file sharing, making it easier to penetrate their defenses. On the other hand, some organisations are tempting targets because they seem more likely to pay a ransom quickly. For instance, government agencies or medical facilities often need immediate access to their files. Law firms and other organisations with sensitive data may be willing to pay to keep news of a compromise quiet.
Some of the biggest ransomware attacks that schools will be familiar with from news accounts include Petya (in 2016), WannaCry (in 2017) and Uiwix (late 2017).
The Report found that social engineering (deceiving individuals into divulging personal information) occurs regularly, and that the information obtained is then used as the basis for identity fraud. Highly sensitive research is also at risk, with 20% of attacks motivated by corporate espionage. In addition, 11% of attacks have “fun” as the motive rather than financial gain. Insider threats are also one of the most common causes of ransomware attacks. These include malicious employees as well as human error, which causes one in five breaches: employees failing to shred confidential information, sending an email to the wrong person or misconfiguring web servers.
In the education sector, the Report confirmed that there were 101 breaches out of 292 incidents in the last year, with 81% of these attacks being from external sources and 72% of the attacks targeting personal details for the purposes of obtaining data for identity fraud.
The Report also found that 68% of breaches took months or longer to discover in schools, even though 87% of the breaches examined had data compromised within minutes or less of the attack taking place. Last year, the education sector witnessed one of the largest increases in data breaches, up by 103% over the previous half-year, with an increase of more than 4,000% in the number of records lost, stolen or compromised. Ransomware attacks can cripple a school’s network, and are often spread through phishing attacks delivered by email.
The Report also outlined the techniques used by 90%-94% of ransomware attackers, including:
The first quarterly report from the Office of the Australian Information Commissioner (OAIC) since the introduction of the Notifiable Data Breaches (NDB) Scheme revealed that the top five sectors that notified the OAIC of eligible data breaches were health service providers (24% of notifications), legal, accounting and management services (16%), finance (13%), private education (10%), and charities (6%). Of the breaches notified to the OAIC, 44% involved a malicious or criminal attack like ransomware, which underlines the importance of schools implementing proactive steps before an NDB occurs.
The Report said that while safety cannot be guaranteed, proactive steps can be taken to help keep schools from being victims. These include:
And last but not least, schools should champion a culture of compliance by making sure that their partners, business process outsourcers and professional/technical service providers are compliant with all data security regulations, follow best practices and have a comprehensive incident response plan in place.