Howard University, one of the largest historically Black colleges in the country, said it would cancel classes for a second day this week as it continues to investigate a ransomware attack that shut down its network before the long holiday weekend. The attack is a reminder that education institutions, which have gone increasingly digital during the pandemic, still have cybersecurity issues to contend with even as they navigate the beginning of the school year and in-person reopenings.
The university closed its D.C. campus Tuesday to everyone but essential employees and announced that classes would be canceled for online and hybrid undergraduate students on Wednesday. In-person undergraduate, graduate, professional and clinical courses were scheduled to proceed.
“We are currently working with leading external forensic experts and law enforcement to fully investigate the incident and the impact,” administrators said in a statement. “To date, there has been no evidence of personal information being accessed or exfiltrated; however, our investigation remains ongoing, and we continue to work toward clarifying the facts surrounding what happened and what information has been accessed.”
The ransomware attack was detected on Friday and triggered the university’s cyber response plan. Officials are asking students to “please consider that remediation, after an incident of this kind, is a long haul—not an overnight solution.”
Experts have cautioned the education community to prepare for cyber threats, both at universities and K-12 schools, as the semester ramps up. Earlier this year, the University of California and Stanford University’s School of Medicine were among those swept up in a nationwide ransomware attack that targeted a third-party vendor contracted by the schools.
“Experiencing a ransomware outbreak that has spread across your network is probably the worst-case scenario for an education organization today,” Doug Levin, director of the K12 Security Information Exchange, says. “It’s the type of incident that keeps most IT up at night most of all because its impacts are so severe on the organization’s operations.”
The timing of the attack—coinciding with a busy back-to-school season—may not be coincidence. Criminals often increase ransomware attacks in the third quarter to maximize the chances of a payout, says another expert.
“When students are back in classes or about to go back, schools are under pressure to resolve incidents quickly—and that may mean they’re more likely to pay,” Brett Callow, a threat analyst at security firm Emsisoft, tells The Daily Beast.
Getting Back to Normal
Levin says after an organization shuts down its network due to a ransomware attack, investigators must begin the process of identifying the type of malware that’s been activated and where the system’s vulnerabilities lie. In cases where file backups are good quality, it can still take days to restore the system.
In a cyberattack like the one Howard University is facing, an IT team can spend weeks getting things back to normal. Ransomware victims that are caught without a plan can experience devastating consequences if they don’t have a response plan, Levin says.
A pair of researchers recently estimated that 3,880 schools and universities have experienced ransomware attacks since 2018, costing billions in downtime and ransom payments.
“It’s certainly recommended that all education organizations develop response plans like they would have for a physical incident, like a school shooter or a weather event,” Levin says. “Everyone knows their roles and responsibilities, and you’re working through that playbook.”
Levin adds that while some ransomware gangs may have decided against targeting places like hospitals or schools during the pandemic, criminals will go after anyone they think might be vulnerable. If they have success attacking a school or college, he adds, they are likely to do it again.
“Many of the folks who don’t follow this so closely seem to believe that school districts and universities are not targets for cyberattacks, and that’s simply not that case anymore,” he says. “It’s really beholden not just on IT teams but on school districts and university leaders to look at these risks in a holistic way and put into place plans to mitigate these risks.”