In a previous blog, we delved into the threat of Vice Society, a ransomware group that specifically preys on security vulnerabilities within the education sector. However, Vice Society is only one out of several other ransomware operators that have been targeting educational institutions. Strains such as LockBit, PYSA, Ryuk, Clop, Medusa, AlphV, AvosLocker, and many more, have been detected in cyberattacks targeting the sector in just the last couple of years. Furthermore, in 2022, a 30% increase in ransomware being involved in data breaches impacting education was spotted, which is a significantly higher increase compared to breaches in other sectors.

What makes education a lucrative target?

Since 2021, around four out of every ten attacks claimed by Vice Society were aimed at schools, universities and other higher learning institutions, making education by far their most targeted sector. This figure is based on an analysis of posts on Vice Society’s leak site following someone either refusing to pay them, offering a payment they deemed too low or collaborating with authorities. Other targeted sectors include healthcare, state and local governments, manufacturing and professional services, as well as wholesale and retail companies and organisations in the energy and utilities industry.

Vice Society’s repeated attacks against education sector are mainly driven by it being an easy and lucractive target for cybercriminals for several reasons.

Insufficient resources

Insufficient funding and a lack of budgeting for systems and security solutions has resulted in a large number of unpatched legacy systems. The education sector also suffers from inadequate and outdated security tools, relying on traditional security solutions that aren’t equipped to combat the new techniques threat actors use to conduct their attacks.

For example, living off the land techniques – where threat actors use legitimate programmes and processes already within a target’s environment to carry out an attack – can circumvent traditional signature-based detection tools. Such tools are based on unique identifiers of malicious code, which won’t work in the case of attackers are leveraging legitimate tools and processes, as was seen with Vice Society.

Numerous vulnerability points and high-value data

Furthermore, during the pandemic, virtual and remote learning tools became a necessity, and together with the large number of personal devices brought in by staff and students, educational institutions are now faced with an extremely broad attack surface. This has increased the potential entry points for cyberattackers to exploit, making it even more challenging to secure the entire network and protect sensitive data.

Educational institutions also hold a great deal of highly sensitive data, including personal and family information, health records, academic records and information relating to children and minors, as well as intellectual property research and proprietary intelligence. The serious consequences of a breach, and the fact that most schools are poorly prepared against an attack, mean there is also a higher chance of a pay-out.

Lastly, there is often also a gap in adequately trained cybersecurity personnel, or the ability to train them, on top of a general lack of cybersecurity awareness in the education sector.

Key strategies for ransomware resilience

Vice Society and other similar ransomware groups present an undeniable threat to the education sector, but there are proactive measures organisations can take to fortify their defences. The first step would be to raise cyber awareness and educate staff and students on the potential threats that could target them. The top of the list should be how to spot phishing emails, as they are often the initial access point for cyberattacks, tricking users into revealing sensitive information or clicking on malicious links.

Next, having separate networks for staff and students makes it harder for malicious actors to move laterally and affect other systems. Creating a barrier can restrict direct communication between networks, so that even if a device or user account on one network is compromised, it’s more difficult to compromise the other.

Multi-factor authentication can also make it harder to breach accounts, but it’s equally important to review existing security measures and ensure high quality controls are in place across all network endpoints, including computers, servers, routers, and any other endpoints that connect to the network. Organisations should also understand all the different routes threat actors could take to identify and address any potential vulnerabilities or weak points that threat actors could exploit. Additionally, flaws in software, operating systems, or applications can serve as a common entry point for attackers, including groups like Vice Society. Consequently, implementing effective vulnerability management and patching is key.

Next, it’s crucial to have up-to-date, tested and immutable offline backups –backups that threat actors won’t be able to access and encrypt as well. Maintaining data backups enables organisations to get back up and running as quickly as possible to minimise disruption following an attack.

Likewise, educational institutions should develop and test an incident response plan. If there isn’t a team in-house with this capability, it is worth considering investing into an incident response retainer. Developing and testing a business continuity plan should also go hand-in-hand with the incident response plan. Lastly, the education sector should proactively hunt for threats – a reactive approach is not enough. Ransomware groups like Vice Society are continuously changing their tactics and new groups and ransomware variants are emerging constantly. Staying ahead of the curve by proactively tracking ransomware threats is essential.

Knowledge is power – intelligence-led cyber defence

Although it seems like the education sector has a target painted on its back, when it comes to cyber ransoms, it’s important to remember that these groups don’t discriminate. Any organisation with negligent security and access to valuable data is an attractive candidate for these malicious actors.

Having the latest knowledge and accurate intelligence about newest ransomware strains and phishing tactics, or recent data breaches and attacks, enables informed decision-making and effective risk mitigation. In the face of ever-evolving tactics by groups like Vice Society, staying up to date on these developments is crucial for organisations looking to protect against these attacks. By combining essential best practices with timely intelligence, organisations can take a proactive stance against these dynamic threats.

Click here to learn how you can unlock actionable intelligence faster.