

Preventing ransomware attacks: What universities and school districts must do

Andrea Welch | Sep 04, 2022



Ransomware remains the top-of-mind security threat for security professionals globally. More than 70 percent of organizations were hit by ransomware attacks in 2021, according to the 2022 CyberEdge Cyberthreat Defense Report — a staggering increase from 55 percent in 2018. If we focus on the education sector, the numbers are just as alarming.

According to Check Point Research, the education sector was the most targeted in 2021, averaging 1,605 cyberattacks per week, up 75% compared to 2020. Another study by Sophos, The State of Ransomware in Education 2022, reports that 56% of lower education organizations and 64% of higher education organizations were hit by ransomware in 2021.

These attacks shut down businesses, disrupt public infrastructure, and cost organizations billions of dollars in ransom payments at a time when the world continues to struggle with the effects of the global pandemic, geopolitical tensions, and other disruptions that range from supply chain issues to rising inflation.

Ransomware has become easier to execute and scale, and new digital payment methods such as cryptocurrencies make it easy to hide identities and bury a paper trail. In a recent study, 22 percent of cybersecurity professionals shared that ransomware readiness is their most important business priority, while nearly half (46 percent) indicate it is one of their top five business priorities.

The surge in these attacks can be attributed to a variety of factors:

Ransomware attacks are becoming more targeted.

Threat actors no longer have to rely on the inefficient “spray and pray” approach. Instead, they take a much more hands-on approach by creating an attack plan against a specific target. Social engineering allows them to gather volumes of data on specific targets and craft personalized content to entice a user or a group of users to click on a malicious link or download a malicious attachment.

Ransomware hides in plain sight.

Today’s ransomware attacks are sophisticated and evasive, leveraging seemingly innocuous technologies such as Java communications and VPNs to spread laterally throughout the network. Threat actors are targeting web browsers with a new category of threats, termed Highly Evasive Adaptive Threats (HEAT), which bypass traditional security defenses. These HEAT attacks can be used to deliver ransomware payloads and take advantage of today’s expanded attack surfaces — created largely by remote and hybrid users, students learning remotely, the modernization of apps, and the spread of Software as a Service (SaaS) platforms. HEAT attacks excel at bypassing traditional security solutions by hiding in plain sight.

Ransomware is extremely lucrative.

Threat actors aren’t content with the small fish anymore. Education institutions, large corporations, healthcare networks, utility companies, and even nation-states are primary targets that lead to massive paydays. Over the past two years, the average ransomware payment skyrocketed from $12,000 to $322,000 as targets shifted from individuals to large organizations with deep pockets, according to the 2022 CyberEdge Cyberthreat Defense Report. Unfortunately, the willingness of organizations to pay large ransoms has created a self-perpetuating cycle. The more that organizations pay, the more lucrative the attacks will be, attracting more criminals to the seemingly easy payoff.

The ransomware risk never goes away.

Once you’ve been infected, the risk of being exploited again never goes away. Threat actors aren’t satisfied with just keeping you out of your data or systems. They also request additional payments by threatening to expose sensitive data to the public or competitors. These are called double-extortion attacks, and the threat of getting hit again and again by the same event means that you are never really safe — even if you give in to ransom demands.

How to prevent ransomware

Preventing ransomware requires that universities and school districts shift from a traditional detect-and-respond approach to a Zero Trust mindset. This proactive, preventative approach safeguards mobile, distributed, and often unmanaged endpoints; stops the lateral spread of attacks on the network; and alleviates pressure on Security Operations Center (SOC) teams.

In addition, universities and school districts can strengthen their security with isolation technology, which acts as an abstracted layer in the cloud between the Internet and users’ devices. All content is routed through the Secure Web Gateway (SWG), where it is executed in an elastic sandbox in the cloud. This prevents all code — whether malicious or not — from executing on endpoints, effectively cutting off any access a malicious actor has to the network. Given that many of us now spend around three-quarters of our day using a web browser, isolation can also stop HEAT attacks from delivering malicious payloads to users. All web communication can be authenticated in the moment, enabling a Zero Trust approach to security that protects devices, applications, and users wherever they are located.

Here are three ways that Zero Trust powered by isolation technology can help stop ransomware attacks:

1. Isolation automatically closes vulnerabilities.

Ransomware loves to take advantage of vulnerabilities in existing network configurations, such as open RDP ports and unsecured VPNs. Unfortunately, the expansion of attack surfaces means that it is virtually impossible for security teams to completely close off these entry points. They are too numerous, too distributed, and too often forgotten. With isolation technology, however, it doesn’t matter if these ports are closed or not, because all traffic — whether it is suspicious or not — is routed through the isolation layer in the cloud. Traffic is never executed on the endpoint, and therefore ransomware cannot grab a foothold into the network.

2. Isolation helps detect abnormal behavior.

Routing all traffic through an abstracted layer in the cloud gives the visibility needed to identify and stop abnormal behavior that, on the surface, may seem innocuous. For example, a user with the appropriate credentials should be able to access research materials or lesson plan information on a server. But what if the user is logging in from Albania? Or what if an administrator is attempting to download the entire payroll database to an unknown Google drive? Visibility into entities, where they are located, and the commands they are executing enables a Zero Trust approach to cybersecurity.
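The two scenarios above (a valid login from an unexpected country, and a bulk upload to an unapproved cloud destination) can be expressed as simple rules over gateway access logs. The following is an added illustration, not code from Menlo Security or any product; the log layout, the per-user country baseline and the approved-destination list are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample lines in a simplified SWG access-log layout (not a real product format):
# timestamp user src_country method destination bytes_sent
SAMPLE_LOG = """\
2022-09-01T08:02:11Z jdoe US GET research.example.edu 1200
2022-09-01T08:05:40Z jdoe AL GET research.example.edu 900
2022-09-01T09:15:02Z padmin US POST drive.google.com 524288000
2022-09-01T09:20:30Z mlee US GET lms.example.edu 4096
"""

# Assumed per-user baseline of countries seen during normal activity.
BASELINE_COUNTRIES = {"jdoe": {"US"}, "padmin": {"US"}, "mlee": {"US"}}
# Assumed set of storage destinations the institution has approved for uploads.
APPROVED_UPLOAD_DESTINATIONS = {"research.example.edu", "lms.example.edu"}
BULK_UPLOAD_BYTES = 100 * 1024 * 1024  # flag uploads of 100 MiB or more

@dataclass
class Finding:
    user: str
    rule: str
    detail: str

def parse_line(line: str) -> dict:
    """Split one log line into its fields; bytes_sent becomes an int."""
    ts, user, country, method, dest, sent = line.split()
    return {"ts": ts, "user": user, "country": country,
            "method": method, "dest": dest, "sent": int(sent)}

def analyze(log_text: str) -> list[Finding]:
    """Return one Finding per event that trips a rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # Rule 1: valid credentials, but from a country never seen for this user.
        if ev["country"] not in BASELINE_COUNTRIES.get(ev["user"], set()):
            findings.append(Finding(ev["user"], "unexpected-geo",
                                    f"{ev['country']} at {ev['ts']}"))
        # Rule 2: large upload to a destination the institution has not approved.
        if (ev["method"] == "POST" and ev["sent"] >= BULK_UPLOAD_BYTES
                and ev["dest"] not in APPROVED_UPLOAD_DESTINATIONS):
            findings.append(Finding(ev["user"], "bulk-upload-unapproved-destination",
                                    f"{ev['sent']} bytes to {ev['dest']}"))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.user}: {f.rule} ({f.detail})")
```

In practice the baseline would be learned from historical logs rather than hard-coded, and a finding would feed an alert or a step-up authentication decision rather than a print statement.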

3. Isolation allows you to execute a recovery plan.

Most ransomware relies on the fallibility of humans. Someone has to click on a link. Someone has to visit a corrupted website. Someone has to enter their credentials into a false web form. When mistakes happen, it’s critical to have a recovery plan in place to assess the situation and determine the next best action. Answering questions such as “Can we recover lost data?”, “How will this impact operations?”, “Are we vulnerable anywhere else?”, and, most importantly, “Should we pay the ransom?” requires context and visibility into the network. Isolation technology makes this possible.

Take action today

Ransomware is a top concern in education today, and it will continue to vex security teams as threat actors leverage HEAT attacks to successfully deploy this malware. Taking a Zero Trust approach that’s powered by isolation technology and delivered through a SASE framework provides the best defense against these often-successful and disruptive attacks.
