FBI Issues Warning of Increased Ransomware Targeting Educational Institutions
Research Institutions & Higher Education and Data Privacy & Security 04/08/21 Meghan C. O’Connor
Recently the Federal Bureau of Investigation (FBI) and the Cybersecurity & Infrastructure Security Agency (CISA) issued an Advisory warning of a recent increase in ransomware targeting higher education institutions and K-12 schools. The cybercriminals are requesting payments in exchange for decrypting data as well as threatening to sell personal information (e.g., SSNs).
The Advisory describes the technical details and indicators of compromise, including that specifically PYSA ransomware attacks are gaining unauthorized access to educational institutions’ networks by compromising credentials and/or through phishing emails. Cybercriminals conduct network reconnaissance, install open source tools, deactivate antivirus capabilities on the network, and then deploy the ransomware. The cybercriminals exfiltrate files from the institution and encrypt connected devices and data, which renders critical files, databases, virtual machines, backups, and applications inaccessible to users.
Cybercriminals have been exfiltrating employment records, payroll tax information, and other data that could be used to extort educational institutions to pay a ransom. The stolen data may be uploaded to a cloud storage and file sharing service.
The FBI does not recommend paying ransoms, as it emboldens and encourages more criminal conduct. However, the FBI acknowledged that educational institutions may decide to pay a ransom after determining that limited options exist. The FBI notes that there is no guarantee that paying ransoms will result in the return of data.
The FBI suggests that educational institutions put in place mitigation actions, including:
- Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Implement network segmentation.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, cloud).
- Install updates/patch operating systems, software, and firmware as soon as they are released.
- Use multifactor authentication where possible.
- Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
- Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Install and regularly update anti-virus and anti-malware software on all hosts.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
- Consider adding an email banner to messages coming from outside your organization.
- Disable hyperlinks in received emails.
- Focus on awareness and training. Provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
For additional questions on this Advisory or your data privacy and security program generally, contact your Quarles & Brady attorney or:
- Meghan C. O’Connor: (414) 277-5423 / [email protected]