Enterprise ransomware has become so commonplace that it is rare for a day to go by without news of a new variant spreading across the globe.  With all of these attacks, it is not surprising that organizations other than businesses have started to come under fire.  A 12-month snapshot starting in 2016 showed that education, most notably higher-education institutions, was hit the hardest.

Cybercriminals look for easy targets when it comes to ransomware schemes.  Typically, ransomware finds its way into a business or organization because of human error, not because of a sophisticated delivery method.  Colleges are particularly susceptible because they often have independently run departments, each with disparate IT requirements.  For example, a computer science department is likely to have different security needs than a literature department.  Compounding this further, most campuses are built on an open-data culture.  Students are allowed to bring their own devices and connect to campus networks remotely; many colleges even put an emphasis on file sharing to upload everything from essays to complex projects.  With hundreds of users connecting daily and no strong IT hierarchy, schools make for an easy target.

A screen capture of the recently circulated WannaCry Ransomware

Non-centralized IT is a bigger threat than many people realize when it comes to protecting any large organization.  A business with a centralized IT department will use the same operating system, the same email filter and antivirus programs, and the same backup solutions.  All of these things make it possible to keep employees up to date on system patches, and if a problem does arise, it is easy to roll back to a recent backup.  When you introduce variables into an organization's security, it becomes harder to keep track of all the interconnected systems, and vulnerabilities can be overlooked.  These shortcomings increase the chances that malware could penetrate at least one department, and without a central IT department to correct the problem, it is likely to spread to other departments as well.

The second major failing of education security comes from the ease of launching a successful spear phishing campaign.  Spear phishing is the practice of sending targeted emails to an individual in order to either gain confidential information or to propagate malware.  Spear phishing campaigns aimed at businesses require a lot of effort from the perpetrator, as knowledge about business hierarchy is often hard to acquire.  In the case of schools, however, entire department staff rosters, complete with email addresses, are often freely available to anyone on the school's public website.  This makes it possible to target multiple departments with the same well-crafted email.  A malware payload disguised as a letter from the college dean could easily pass a cursory screening from multiple department heads, which increases the odds of a successful attack.

Protection from ransomware is a hard thing to guarantee.  Accidental downloads are the most common culprit in the spread of malware, and even the strongest security system cannot protect against human error.  That said, there are precautions that can be taken to limit malware exposure and to reduce the chances of it spreading once a system is already infected.

Whether your organization is a business or a college, a recovery plan should be of the highest priority.  Data backups should be done daily to multiple storage locations.  Cloud backups are useful and a great time saver, but it is always advisable to have a secondary offline backup option for emergencies.  Malware authors want a user to panic, but if you remain in control of your data, then ransomware becomes an inconvenience instead of a disaster.
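The three backup rules above (daily, multiple locations, at least one offline copy) are easy to state and easy to let slip.  The following script is an added example, not code from the original article; it checks a constructed backup inventory against those rules so that a stale or single-location dataset is flagged before an incident rather than discovered during one.

```python
from datetime import datetime, timedelta

# Constructed inventory of backup copies (hypothetical datasets and locations,
# not drawn from the original article).  last_success is an ISO-8601 timestamp.
BACKUP_INVENTORY = [
    {"dataset": "registrar-db", "location": "cloud-bucket", "offline": False,
     "last_success": "2017-06-01T02:10:00"},
    {"dataset": "registrar-db", "location": "tape-vault", "offline": True,
     "last_success": "2017-05-31T23:00:00"},
    {"dataset": "cs-fileshare", "location": "cloud-bucket", "offline": False,
     "last_success": "2017-05-28T02:10:00"},
]


def assess_backups(inventory, now, max_age=timedelta(hours=24), min_locations=2):
    """Return {dataset: [problem, ...]}; an empty list means the dataset
    satisfies all three rules (fresh, multi-location, has an offline copy)."""
    by_dataset = {}
    for copy in inventory:
        by_dataset.setdefault(copy["dataset"], []).append(copy)

    report = {}
    for dataset, copies in by_dataset.items():
        problems = []
        # Rule 1: at least one copy completed within the last day.
        fresh = [c for c in copies
                 if now - datetime.fromisoformat(c["last_success"]) <= max_age]
        if not fresh:
            problems.append("no backup completed within the last 24 hours")
        # Rule 2: copies live in more than one storage location.
        locations = {c["location"] for c in copies}
        if len(locations) < min_locations:
            problems.append(f"only {len(locations)} storage location(s)")
        # Rule 3: at least one copy is offline, out of reach of a network-spreading infection.
        if not any(c["offline"] for c in copies):
            problems.append("no offline copy")
        report[dataset] = problems
    return report


if __name__ == "__main__":
    for name, issues in assess_backups(BACKUP_INVENTORY, datetime(2017, 6, 1, 8, 0)).items():
        print(name, "OK" if not issues else "; ".join(issues))
```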

Simple protective measures are often easy to forget but can go a long way towards establishing a strong perimeter defense.  Website ad-blockers and email spam filters can weed out many less sophisticated attacks.  Other precautions, such as read-only restrictions on file-sharing directories, have gone a long way towards preventing the spread of infection on many college campuses.

Another priority should be to increase user access security and restrictions on campuses.  Identity and Access Management (IAM) services are designed to grant specific access rights to individuals on an as-needed basis.  This means that parts of your IT infrastructure can be walled off from individuals who do not need access to do their daily jobs.  When it comes to students, these systems can also help prevent the accidental spread of malware to critical systems and departments outside of their field of study.

Finally, if the worst-case scenario does happen and your organization becomes infected, it is important to address the problem quickly.  If you already have a backup solution in place, recovery should be possible with minimal disruption.  If your backup plan is insufficient or out of date, you should be aware that many security vendors keep lists of decryption tools for cracked ransomware.  Since ransomware changes all the time, these tools may not match your particular variant, but they can potentially help get your files back.  Regardless of the outcome of your own recovery attempts, you should never give in to ransomware demands.  Paying a ransom in no way guarantees that your files will be unlocked, and even if they are restored, it makes you a bigger target for other criminals who now know you are willing to give in to their demands.