Lincoln College closure a testament to the threat posed by ransomware

June 9, 2022
Experts say incident should serve as a wake-up call to schools and organizations writ large

Last month, Lincoln College, a predominantly Black institution in Illinois, announced that it would be shutting its doors more than 150 years after it first opened due to a combination of the lingering impacts of the Covid-19 pandemic and a ransomware attack last December that caused irreparable damage to its computer networks.

Over the last several years, ransomware incidents, in which malicious actors gain access to and encrypt the data of individuals or institutions until they are paid a predetermined sum, have plagued organizations of all sizes. Just last year, as the country was still grappling with skyrocketing cases of the coronavirus, a ransomware attack against Colonial Pipeline disrupted the distribution of gasoline up and down the East Coast. That was soon followed by an attack against JBS, one of the largest meat processing companies in the country, which caused further supply chain headaches.

However, schools – both K-12 campuses and colleges and universities – have been a favorite target of cybercriminals. In fact, according to a report published earlier this year by anti-virus software provider Emsisoft, there were 88 ransomware attacks throughout the education sector in 2021: 62 at K-12 school districts and 26 at colleges and universities.

According to David Murphy, Manager, Cybersecurity at consulting firm Schneider Downs, these incidents demonstrate the importance of having good disaster recovery plans in place because even if a school decides to pay up rather than lose access to its systems, there is no guarantee that those systems will be returned intact. In the case of Lincoln College, the school reportedly paid a $100,000 ransom to the hackers, but it was ultimately unable to fully recover from the attack.

“Even if you pay the money to an attacker and you get a key to decrypt the data, sometimes that key doesn’t always work or the data may be corrupted, so that is something to keep in mind,” Murphy explains.

Aside from the ransom itself, Saryu Nayyar, Founder and CEO of cybersecurity firm Gurucul, says there are a slew of other costs stemming from these attacks that must be taken into consideration.

"The impact of ransomware on relatively smaller organizations can be catastrophic. A 157-year-old institution already hampered by the impact of the pandemic having to shut down during a critical period due to ransomware is tragic,” she says. “Ransomware has a much broader impact to business than simply the payment to restore services. There are plenty of other costs related to stolen and resold data, business availability and employee downtime that are virtually impossible to predict upfront but with no less impact.” 

Ransomware Mitigation Measures

Murphy recommends that schools invest in vulnerability management tools so they are better aware of which systems are potentially exposed and can limit those threats, and that they also implement good user authentication solutions. “Anytime you have a log-in, you should have to authenticate using a secondary device or a code to log in to whatever it is you are trying to access,” he explains.

Additionally, Murphy says that user awareness training and helping people recognize the signs of phishing emails and the like can also prove valuable in preventing ransomware and other cyberattacks.

“The security systems that they have in place to protect users against phishing or whatever, they’re not infallible so you have to be aware of what a phishing email looks like to be able to have end users identify that,” he adds.

According to Nayyar, there are also a variety of other tools available that can mitigate the various schemes of malicious actors.

“Organizations need to invest in the latest threat detection, investigation and response tools that can empower even smaller teams to rapidly detect attack campaigns such as ransomware early in the kill chain,” she says. “This requires advanced analytics and trained machine learning (ML) with out-of-the-box detection capabilities to automate manual tasks and accelerate security analyst or engineer efforts before data is stolen and/or encrypted as a precursor to ransomware detonation.”

Attacks Evolve 

As bad as traditional ransomware attacks are, Murphy says one of the newer trends among cybercriminals is what is referred to as “double extortion,” in which a school’s or business’s files are not only encrypted but also exfiltrated by the perpetrators, who subsequently threaten to release that data publicly.

Regardless of whether the attack falls into a traditional or non-traditional category, however, Murphy says schools need to be prepared to address the risk.

“Understand what the risk is out there to your institution and also verify what your cyber insurance policy actually covers. Some of them cover the forensic investigation, some of them cover the ransom payment and some of them cover the disaster recovery effort up until a certain amount,” he says. “There are a lot of different things that you can do to prepare yourself for an incident. Another thing that I have been recommending to clients is having response plans prepared, so knowing when and how to respond. And lastly, make sure you have outside help. Some of these institutions may not have the in-house expertise or the resources to hire a full-time security practitioner, so they can find that help through a third party.”

Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist.