The word “ransom” usually brings to mind harrowing kidnappings by armed thugs. But, in the digital age, it’s taken on a new meaning with ransomware: malicious software, or malware, targeting personal computers or computer networks at places like banks, hospitals – and universities. Instead of people, data are being held hostage, and the perpetrators are skilled hackers that are locking up critical files and demanding payment to have them safely restored.
Over the past year, stories of ransomware attacks at universities from coast to coast have made headlines. While postsecondary institutions have weathered cyberattacks before, ransomware presents a new and evolving threat, said Teju Herath, an associate professor of information systems at Brock University. She said universities tend to be more at risk because their emphasis on academic freedom makes their networks more open by nature, and thus more vulnerable to hacking. And, like banks and hospitals, universities hold a wealth of personal and confidential information in their systems that hackers can exploit, she said.
This particular rash of ransomware attacks began last spring at the University of Calgary. On May 28, hackers invaded the school’s computer system, cutting off access to the wireless network and encrypting critical files. A week after the attack, the university announced that it had paid the $20,000 ransom that hackers had demanded in order for the university to regain access to the data.
“The university chose to pay ransom and obtain the decryption keys to protect key research and information that may have been lost as a result of the encryption of laptops, desktops and servers,” said Linda Dalgetty, vice president, finance and services, at U of C. “We did not want to risk the loss of a research scholar’s life work as a result of the attack.”
Ms. Dalgetty said that, since the attack, the university has “augmented our tool set, logging, and surveillance of our networks.” Though paying the ransom could be seen as making U of C vulnerable to more attacks in the future, Ms. Dalgetty said the benefit of retrieving the information outweighed the risk, “especially given the increased security measures taken.”
While she can’t comment on U of C’s decision specifically to pay a ransom, Brock’s Dr. Herath said, “the idea to pay extortion money is always kind of a questionable tactic.” A lot depends on the “criticality of the data,” she said, and how much time the organization can afford to take to recover the data.
U of C is not alone in its troubling experience with hackers. The University of Alberta announced in early January that, back in November, it had discovered malware on 304 university computers in 20 classrooms and labs. Gordie Mah, U of A’s chief information security officer, said in a report on the university website that the creator of the malware “designed it specifically to harvest passwords,” but added that there was no indication that any compromised passwords were used.
On November 29, administrators at Carleton University sent out a notice through its mobile app alerting users that the school’s network had been attacked by ransomware. The hackers apparently demanded payment in bitcoin, a form of virtual currency that can be difficult to track (according to media reports, Los Angeles Valley College in the U.S. paid a $28,000 U.S. ransom in bitcoin to hackers in January following a similar cyberattack). At the time, Carleton representatives told the Ottawa Citizen that the university keeps backups of its email and other systems. In a press release, Carleton’s administration also stated that it believed no personal information had been accessed by the hackers.
The hack initially disrupted the campus Wi-Fi network, and those with Microsoft Windows-based systems were advised to stop using their devices. Printing services across campus were also affected. On December 13, two weeks after the hack occurred, university communications notified faculty and staff by email that “all critical IT systems are up and running.” The university said no ransom was paid.
David Shipley, director of strategic initiatives for information technology at the University of New Brunswick, said he was pleased to hear this because paying a ransom can have grave consequences. He references data from the United Nations Office of Drugs and Organized Crime, which indicates that up to 80 percent of cybercrime can be attributed to criminal groups that partake in other illegal activities like weapons trading or drug trafficking. By paying a ransom, said Mr. Shipley, an institution could unintentionally support criminal activity beyond the hacking. He called it “a placebo for actually doing the right thing when it comes to investing in basic cyber-resilience,” like regular backups and disaster recovery plans.
Both Dr. Herath and Mr. Shipley said universities can prevent future malware attacks through a combination of clear institutional policies on cybersecurity, buy-in by all levels of university governance and better training for users. For Dr. Herath, this last measure is most important – “think before you click,” she said.
Mr. Shipley noted that most ransomware attacks begin as “phishing” scams – messages hackers send through a network, usually in an email, that, if clicked, can install malware onto the device. He noted that if the fake message is deceptive enough, about 40 percent of people will fall victim and about half of those people will click or respond within the first hour of the attempt.
“It’s a hell of a lot easier to hack humans” than it is to hack computer systems, he said. This results from a lack of knowledge about cybersecurity across most institutions, not just universities. “There are lots of assumptions about the ‘auto-magic’ cybersecurity that people believe is supposedly being provided to them,” he said.
The most important thing for university administrators to know about cyberattacks is that they aren’t going to stop, both Dr. Herath and Mr. Shipley warned. A 2016 report out of the U.K., for example, found that six in 10 universities there had suffered a ransomware infection, with two-thirds of those being hit multiple times. “What you’re seeing in the headlines is a fraction of what’s being fought behind the scenes,” Mr. Shipley said.
To ward off hackers, Dr. Herath said collaboration between universities is crucial since governments and police services are often ill equipped to handle the volume of such attacks. She likens malware attacks to “digital climate change” – individually, no one can stop what’s happening, but collectively there’s a chance of defending against it.
How university students, faculty and administrators can help prevent cyberattacks:
- Don’t click on unknown links or files!
- Don’t open unexpected email attachments.
- Don’t click on any links asking you to verify your credentials.
- Ensure you have anti-virus software installed.
- Keep your operating system and browsers up-to-date.
- Keep your application software up-to-date.
- Back up your data regularly.