Illinois-based Lincoln College was established during the U.S. Civil War. Since then it has weathered two world wars, the Spanish Flu, the Great Depression, the Great Recession and a devastating fire. But two things it couldn’t survive?
A ransomware attack and financial pressures tied to the impact of COVID-19 on its enrollment.
It’s a warning sign for academic institutions around the country, which have been disproportionately targeted by ransomware. That’s why some universities are now taking new and remarkable measures to protect themselves against the threat.
The Ransomware Attack
In a March letter posted online, Lincoln President David Gerlach explained the school’s plight.
“The institution experienced record-breaking student enrollment in Fall 2019, with residence halls at maximum capacity,” he wrote. But then, of course, “the coronavirus pandemic dramatically impacted recruitment and fundraising efforts.”
Thus the 157-year-old college was in an already precarious financial state when, in Dec. 2021, it fell prey to ransomware.
The attack “thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrollment projections. All systems required for recruitment, retention, and fundraising efforts were inoperable.” In an interview with The Chicago Tribune last month, Gerlach admitted that the college paid the ransom – under $100,000 – to its Iranian hackers. The college got its data back, but it took months longer to fully restore its IT systems.
Why Cybercriminals Target Schools
According to Emsisoft, over 1,000 U.S. schools were targeted with ransomware last year alone – more than any other sector besides healthcare.
Clearly colleges, many of them cash-strapped like Lincoln, aren’t goldmines. So why are cyber attackers targeting the education sector so relentlessly?
Part of what makes schools attractive targets is the troves of unique and sensitive data they possess. As Edward Vasko, director at the Boise State Institute for Pervasive Cybersecurity, explained via email:
“The data captured and stored by schools includes not only personally identifiable information (PII) of students, faculty and staff, but also PII of parents, donors and other partners of the school. This treasure trove of data, if captured and held for ransom, can easily bring an institution to its knees.”
Then consider the attack surface. Every year brings new students, who travel to and from school buildings all the time. They carry all kinds of personal devices (read: infection vectors), and access all kinds of different networks and data when they do. IT administrators are at a loss, because there’s no way around it.
“The data within commercial or private sector companies is typically only accessible to employees, and often on a ‘need to know’ basis,” James Turgal, vice president of Cyber Risk, Strategy and Board Relations at Optiv, pointed out via email.
“University data is shared with academics all over the world, along with students and professors who access resources on their own – more often than not on unpatched devices, with universities maintaining little or no control over those personal devices,” he said.
There’s also the problem of pain tolerance. As Lincoln demonstrated, recovery from ransomware attacks is a monthslong process, even after a ransom is paid.
“And while any business would struggle to survive after losing a quarter of the year,” Ray Steen, chief strategy officer at MainSpring, told Threatpost, “schools run on a very tight schedule. That is part of the reason they are targeted by ransomware actors, who assume that administrators will be eager to pay a ransom to keep classes going.”
Immersive Labs found that educational institutions pay ransoms 25 percent of the time – more than any other sector.
How Schools Can Defeat Attackers
Schools face many unique cyber challenges, yet lack the resources to defend against them.
There’s no way to solve the first half of that problem without fundamentally hindering how schools operate. That’s why some academic institutions are focusing on the second half.
“One option open to schools and universities without significant endowments is to pool their resources and partner with other entities,” wrote Scott Shackelford, professor in the Kelley School of Business at Indiana University (IU), via email. IU runs a cyber response center called OmniSOC.
OmniSOC pools resources from nearly a half dozen universities, such as Rutgers, Northwestern and Purdue. “OmniSOC monitors data and aggregates threat activity and intelligence across all member networks to identify threats faster, which then gets shared with member networks and on-campus teams for further investigation,” Shackelford said.
Boise State University’s “Cyberdome” offers something similar. The program operates as a centralized cyber response hub for schools and other small and rural organizations across the state of Idaho. Its goal, according to Vasko, is “to protect rural communities such as schools that often cannot afford to deploy, hire, and maintain critically needed security tools and personnel.”
Cooperation among groups of academic institutions may be the answer to academia’s ransomware problem. Because in the face of wealthy, well-resourced and sometimes state-sponsored threat actors, one school can hardly be expected to defend itself.
Lincoln College learned that lesson the hard way.