A single student recently became the conduit for a ransomware attack at a biomolecular institute. According to ZDNet, the attack occurred when a student at the unnamed European organization attempted to find a free version of a data visualization software solution. 

When that didn’t work, they opted to download a cracked version of the tool. Windows Defender, deployed on the machine, blocked the download, but the persistent student fought back by disabling the anti-virus along with the firewall.

The executable didn’t launch a cracked version of the solution. Instead, it downloaded a trojan that harvested the student’s credentials for the institute’s network. Those controlling the trojan then waited 13 days to set up an RDP (Remote Desktop Protocol) connection to the institute’s network using the student’s credentials. 

Ten days later, the same attackers deployed Ryuk ransomware. The ransomware ultimately cost the organization a week of research in the life sciences and around COVID-19, as the institute’s backups weren’t up to date.

Higher Education Organizations Under Attack

The above incident is just one in a growing wave of ransomware attacks targeting higher education. Analysis of open-source data surrounding attacks in this sector indicate that attacks against universities increased by 100% between 2019 and 2020. These attacks leveraged different tactics, techniques, and procedures (TTPs) – including the increasingly popular double extortion tactic – with the average attack costing victims $447,000 in 2020.

As well, a new global research report conducted by Cybereason, titled Ransomware: The True Cost to Business, reveals that paying a ransom demand does not guarantee a successful recovery, does not prevent the attackers from hitting the victim organization again, and in the end only exacerbates the problem by encouraging more attacks. 

The findings highlight some of the security challenges confronting higher education organizations and research institutes. Chief among them is the fact that cybersecurity measures in higher education are oftentimes lacking. One reason why is that dependence on public funding makes it difficult for higher education organizations to maintain a consistent budget for cybersecurity investment, as noted by Security Boulevard. 

Another reason is that higher educational organizations need to make their networks accessible to a variety of users who might not have any formal security awareness training. With that consideration, it’s not surprising only three-in-ten respondents to that survey covered by Security Boulevard said they used a VPN or antivirus software at the higher education organization where they worked.

XDR: A Higher Level of Ransomware Defense

Getting out in front of the ransomware threat by adopting a prevention-first strategy for early detection can stop disruptive ransomware attacks before damage is done to the organization. Admittedly, higher education needs a solution that’s more effective than traditional anti-virus to defeat the growing ransomware threat.

Traditional AV hinges on the idea that someone else has seen and reported the threat before. This doesn’t help organizations facing never-before-seen, polymorphic ransomware or infection vectors that leverage built-in IT administration or operating system functionality to execute commands.

Organizations in higher education need the visibility and response capabilities that XDR solutions (Extended Detection and Response) can offer. As explained by Dark Reading, XDR retains the continuous monitoring, threat detection and automated response principles that form the basis for EDR solutions (Endpoint Detection and Response).

Where XDR differs is in its ability to meaningfully correlate data beyond the endpoint to not only provide detection, but response across email, cloud infrastructures, workspace security, and the modern IT network. 

Today’s ransomware operators aren’t simply deploying malware. They are stealing data, impersonating as employee accounts, and are gaining multiple footholds to maintain persistence and continued access after compromise. Instead of alerting on individual, known-bad events, XDR provides a broader view into the malicious operation. This accelerates an analysts’ ability to “connect-the-dots” and take comprehensive remediation steps backed by tested best practices.

Organizations don’t need to implement XDR on their own. Cybereason has specifically designed its XDR solution so that organizations in higher education and other sectors can understand an attack without using complicated search queries or detection syntax. And, custom detection use-cases can be built in cooperation with their Managed Detection and Response (MDR) services.

Ultimately, Cybereason correlates detections based on both Indicators of Compromise (IOCs) and Indicators of Behavior (IOBs) across an organization’s infrastructure to allow SOC analysts the ability to visualize the entire Malop™(malicious operation). This makes it easy to understand the full attack story—even when other security capabilities are lacking. The result is better detection of threats, more efficient security operations, and ultimately a faster time to respond to any attack.

Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across enterprise, to everywhere the battle is taking place. The full report referenced above can be found here: Ransomware: The True Cost to Business. You can also learn more about Cybereason XDR here or schedule a demo to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Eric Sun

Eric Sun is a Product Director at Cybereason, focused on helping security teams measure and improve their resilience against modern threats. Eric works closely with the Nocturnus research team and global SOCs to understand emerging attack campaigns and evolving best practices. He brings a layer of behavior analytics and risk management from his many years in Asia as a professional poker player.

All Posts by Eric Sun