Two community colleges were victims of ransomware attacks in the last week, the latest in a string of costly cyberintrusions at American higher education institutions.
The latest institutions to be targeted—Butler County Community College in Pennsylvania and Lewis and Clark Community College in Illinois—remain closed as officials grapple with the aftermath of the attacks. Posts on a Lewis and Clark Facebook page make clear the scale of the attack as students vented about being shut out of their email, Blackboard, laptops and all other platforms requiring a college log-in.
The incidents are part of a rising wave of ransomware attacks targeting American colleges and universities. According to Brett Callow, a threat analyst with the cybersecurity solutions company Emsisoft, 26 of 80 total ransomware incidents in the U.S. education sector so far this year targeted colleges or universities. There were 26 total incidents in 2020, up from just 18 in 2019. Many but not all of these incidents included data breaches, Callow said.
It is not surprising that community colleges are being targeted, Callow said. Most, if not all, of the institutions have cybersecurity insurance, and many ransomware gangs find a sector that pays off and return to it over and over. The fact that many community colleges are struggling financially and may lack state-of-the-art cyberdefenses also makes them an attractive target, Callow said.
Callow said it can take months and even years to recover from ransomware attacks. He cited a 2020 ransomware attack on Baltimore Public Schools, which has so far cost the district north of $8 million to fix. Last year, the University of California, San Francisco, paid a ransomware gang $1.14 million to unlock sensitive information it encrypted after an attack on its medical school. The University of Utah paid a ransom of $457,000 in August 2020 and is believed to have been a victim of the same NetWalker ransomware that targeted UCSF. Sierra College, a community college in Northern California, was the victim of a ransomware attack in May. Michigan State University and Columbia College Chicago also have recently been victims of ransomware.
The FBI’s Cyber Division released an advisory notice in March, which warned that criminals using malicious software known as PYSA ransomware were targeting education institutions and attempting to extort them at an increasing rate. The FBI warning said criminals typically exploit phishing emails and stolen log-ins to access IT networks, steal sensitive information and block access to systems. They only restore access when the targeted institution pays up. In many cases, these attackers also steal data and threaten to sell it if the victim does not meet their demands, the FBI said.
According to a report by Unit 42, a division of the cybersecurity company Palo Alto Networks, the average ransomware demand in 2019 was $115,123. Callow said that number is rising quickly.
The FBI advisory issued earlier this year advised network administrators to use multifactor authentication, regularly patch software and systems, and encourage their users to avoid public Wi-Fi networks to avoid such attacks.
Callow said ransomware attacks are not difficult to pull off and require very little training to execute.
“The barriers to entry remain very low,” he said. He added that most ransomware attacks succeed because hackers have access to compromised credentials.
Butler County Community College announced Sunday that it had been hit by the ransomware attack and closed the campus through at least Tuesday so databases, hard drives, servers and other devices affected by the attack could be restored.
A press release said the college’s information technology division noticed widespread technical difficulties last week and officials now believe the attack began Nov. 19.
The ransomware attack at Lewis and Clark Community College began last Tuesday. The college will remain closed this week. Frustrated students have taken to the institution’s Facebook page to complain. Most worried about changes to Christmas break schedules, compromised personal data or being penalized for not turning in assignments.
It was not possible to reach officials at either institution for comment because phone lines and websites were down.
The Thanksgiving timing of the recent spate of attacks is no coincidence, experts say. The U.S. Cybersecurity and Infrastructure Security Agency noted that ransomware attacks often occur on holiday weekends. An August report by the agency said ransomware attacks are a growing problem and cited 2,084 ransomware complaints from Jan. 1 through July 31 of this year, a 62 percent increase compared to the same time period last year.
An official at a community college who did not want to be identified, lest her institution be targeted by cybercriminals, said her college recently simulated a ransomware attack to be better prepared. She said university IT and public safety officials worked with the FBI and state law enforcement to develop the simulation and help department leaders across the university understand how ransomware attacks unfold. Among the issues discussed were how large ransoms tend to be (not very large), how to react in the immediate term when systems go down and how to respond in a way that meets the criteria of insurers. She said the main lesson learned was the importance of having backup operational capacity in the form of alternate workstations, internet access providers or other tools that can’t be shut down when the rest of the network is locked.
The session covered “what should we be prepared for,” the official said. “That’s what they built a scenario on—something realistic that local law enforcement told us we could face … Is this something we can handle? Or do we elevate this and take it to the next level? And what do we do?”
Davis Jenkins, senior research scholar with the Community College Research Center at Columbia University’s Teachers College, said the ransomware attacks come at a time when community colleges are already reeling. He noted that enrollment is down an average of 15 percent across the sector, making the already financially strapped institutions even more vulnerable to state funding cuts in the months ahead.
“Community colleges are underresourced generally,” Jenkins said. “Protecting against cyber[attack] is difficult. It’s difficult for some of the world’s most capitalized companies, spending enormous sums on this, and cities and other higher capitalized public institutions are spending enormous sums.”
Community colleges don’t have similar financial resources, and expensive ransomware attacks are the last thing they need, Jenkins said. Compared to larger institutions, community colleges lack both the money and the human capital to effectively fight cyberattacks.
“Community colleges generally and smaller institutions generally struggle with coming up with not only the money, but even more so the staff to build and maintain an up-to-date IT infrastructure needed for instruction and student services,” Jenkins said. “Having to hire expertise in cybersecurity has only added to that burden in that community colleges are competing not only with better-resourced universities [but also] with other public and private employers.”