Universities Plagued By Ransomware Attacks

Yet only one university contacted the police about their attack, as criminals demand as much as £2,200

The scale of the ransomware threat in the UK has been highlighted once again after security firm SentinelOne found that British universities are being actively attacked.

The findings come just a week after Malwarebytes found that more than half of UK businesses are victims of this type of malware.

University Attacks

ransomwareThe BBC reported that British universities (and NHS trusts) have been hit hard by ransomware in the past 12 months.

It cited research from cybersecurity firm SentinelOne, which had carried out freedom of information (FoI) requests by contacting 71 British universities to see if they had suffered a ransomware attack.

SentinelOne told the BBC that 58 universities had replied to the FoI request, and 23 of those admitted they had been attacked in the last year.

It found that none of the universities claimed to have paid the ransom, but the largest ransom demanded was five bitcoins (about £2,200). But it seems that academia’s confidence in the police to tackle the matter is worryingly low, as only one university had contacted the police.

Unbelievably two universities said they did not use anti-virus software and Bournemouth University, which boasts a cybersecurity centre, had been hit a staggering 21 times in the last 12 months.

“It is not uncommon for universities to be the target of cybersecurity attacks; there are security processes in place at Bournemouth University to deal with these types of incident,” Bournemouth university told the BBC.

It said the ransomware attacks had not impacted its activity.

Expert Reaction

The scale of the ransomware attacks on British universities drew quick reaction from leading security experts.

“Being hit by ransomware, or any other form of malware is not uncommon in universities,” said Javvad Malik, security advocate at AlienVault. “In the case of Bournemouth university, it seems like none of the critical systems were impacted and they were able to relatively easily recover.”

“Whilst security purists may say that being hit 21 times in a year by ransomware indicates poor security – it more likely looks like good business acumen,” he said. “Rather than invest in preventative measures like antivirus which may or may not prevent ransomware from getting in, and to avoid the cost of paying ransomware, the university appears to have segregated its systems and put in place backup and restore processes that wipe and restore systems when they’re hit by ransomware.”

But the seemingly slack response by Universities in reporting the attacks to the police did not go unnoticed by industry experts.

“Why is it that only one university out of the 23 attacked contacted the police?” asked Jonathan Sander, VP of product strategy at Lieberman Software. “”It’s hard to say why folks are clearly victims of a crime don’t notify law enforcement, but there are a couple common reasons. People just don’t imagine that law enforcement can help.”

“They think, often correctly, that the criminals are in another country,” he said. “So they conclude, often incorrectly, law enforcement will either be powerless or be forced to bring in higher level authorities that may actually cause more disturbance than good.”

“Another issue is that they fail to see what’s happening as a crime,” Sander warned. “Like with many other problems, if it happens in the computer it’s seen as a tech issue. Even when it’s certainly a crime, people can’t get past the attitude that anything attached to a keyboard is up to IT to sort out.”

Sander admitted that law enforcement’s ability to help when attacked by ransomware can vary, depending on the state of police departments in the local area. But he said that having a public record of the incident is often helpful in the long run as it provided an overall snapshot of the cybersecurity arena.

Meanwhile Mark James, a security specialist at ESET, also questioned why only one university out of the 23 attacked contacted the police?

“I think some companies still see it as a waste of time however, it is a criminal activity and should be reported to the police like any other crime,” said James. “I appreciate with so many attacks it may seem worthless but it’s important the authorities have all the facts for budget and resource purposes and if they don’t know or don’t realise how big a problem it actually is they cannot forecast resources accordingly.”

“While it is great that none of the universities paid the ransom, is it a concern that two of them did not have anti-virus protection?,” he said. “This shocks me beyond belief, whilst it’s not a 100 percent barrier it’s the first line of defence, it reduces the IT technicians’ time and resources dealing with malware attacks and takes some of the pressure away from the users.

“Of course there’s no substitute for common sense and being careful but it’s like not wearing a seatbelt because you’re only going to be driving at 20mph, it’s not YOU that’s the problem!,” said James.

Are you a security pro? Try our quiz!