Howard University in Washington, D.C., is still recovering after a ransomware attack ripped through its network last month, grinding online teaching to a halt. The potential number of victims? 11,000. If you missed it, no one would blame you. Hackers have launched attacks at 5,366,886 educational organizations in the past 30 days alone [1] (61% of the entire ransomware pie).
This is disturbing for a number of reasons and not all of them as obvious as you might think.
It isn’t common knowledge outside the cybersecurity community just how woefully outmatched much of our critical infrastructure is against the latest breed of cybercriminals. The fact that Google has just put skin in the game with its newly launched Google Cybersecurity Action Team is either great news or a dire warning that we’ve reached the point of no return. But yes, our school networks and the legacy systems they run on are virtually open books to fraudsters, which has made them soft targets.
In 2020, ransomware attackers hit approximately 1,740 schools in the U.S. Estimates of the damage vary, but some experts believe costs due to downtime and recovery could be as high as $6.5 billion. [2]
While the sheer number of attacks seems to be leveling out, this isn’t necessarily good news for higher ed, which may be looking at a potentially scarier ransomware threat landscape moving into 2022: one in which criminals target fewer institutions for much higher payouts.
That’s just what we saw in April 2021, when cybercrooks targeted Broward County Public Schools in Florida, asking for an astronomical $40 million ransom. (Broward County didn’t pay up, and the hackers ended up making good on their threats to publish over 26,000 sensitive files.)
Cyber thugs aren’t targeting schools and colleges because it’s easier to break into their systems. When 21-year-old John Binns sailed past T-Mobile’s feeble defenses last month, it underscored the fact that in 2021, cybersecurity is still a hacker’s market. And their reasons for targeting colleges are much more nefarious.
Students usually have clean credit and aren’t likely to be on the lookout for identity theft. That makes their sensitive details (driver’s license, phone, and Social Security numbers) very valuable commodities on the dark web, where any fraudster who buys them can get away with a lot before they’re caught.
If this does happen, the damage can be long-lasting, far-reaching, and extremely difficult to undo.
And that was before PYSA.
In March 2021, the FBI’s Cyber Division finally flagged a particularly malevolent ransomware variant that seemed to be targeting school systems and higher ed. [3]
PYSA (Protect Your System, Amigo) wasn’t actually new. Cybersecurity experts first spotted it back in 2019. But it was worrying because it was considered open source ransomware as a service, or RaaS. (Yes, like software as a service, but for criminals.) That meant that any low-IQ grifter with a bitcoin wallet could buy the bug on the dark web, customize it, and, after busting through flimsy network security, launch it to catastrophic effect.
If this is conjuring up images of a California wildfire, the analogy isn’t that far off. Like an arsonist who might not know what a fire is but can use a book of matches, code-dumb PYSA hackers are virtually unstoppable.
From Broward County to Howard University, the pseudo hackers follow the same MO. They “exfiltrate” the data they want, lock it up, and then threaten to release it on the dark web (or destroy it) if their ransoms aren’t paid.
The consequences for universities that don’t comply have been steep. Some, like Howard, have been forced to shut down (sometimes for days or weeks). Others have lost valuable research (University of California, San Francisco, June 2021) or seen tens of thousands of student records compromised (University of Syracuse, an early PYSA victim in 2019).
As cybersecurity experts have been warning for years, our critical infrastructure needs a massive overhaul. But individuals can do their part, too. Here’s a quick five-point guide to protecting your family from PYSA and worse.
Even for hardened cybersecurity experts, 2021 has been a pretty crazy year. A bug that targets schools with dark web blackmail hasn’t made it any easier.
But there is light at the end of this grim-looking tunnel now that Google has joined the fight against ransomware with its generous $10 billion infusion of tactical aid for organizations with leaky hardware and subpar cybersecurity.
If schools and colleges get better at forecasting attacks, and families do their part to limit the spread of malware, we can, and will, make life a lot less rosy for wannabe PYSA hackers and their rent-a-bugs.
1. Microsoft. (2021). Global threat activity. Microsoft Security Intelligence.
2. Bischoff, Paul. (2021, Aug 31). Ransomware attacks on US schools and colleges cost $6.62bn in 2020. Comparitech.
3. FBI. (2021, Mar 16). Increase in PYSA Ransomware Targeting Institutions. FBI Flash.