Ransomware attackers have shown their willingness to target the higher levels of U.S. education. North Carolina A&T State University was the target of a ransomware attack in March 2022, becoming the seventh collegiate ransomware victim this year.
Hacker group Alphv posted a statement regarding the attack on their website on April 6, about one month after the attack occurred during the school’s spring break. According to the post, Alphv’s attack impacted the personal information of staff and students, financial and contract data, and targeted email and SQL databases.
An internal review conducted by the university and multiple law enforcement agencies has revealed that no current student or faculty information was affected.
The attack was initiated using a yet-to-be-determined form of malware to infiltrate the school’s wireless network. It took advantage of the time period when security staffing would be at its lowest point. This allowed the attack to quickly gain traction unnoticed, stealing and locking the aforementioned forms of information. The attackers were able to use known vulnerabilities in many of the school’s IT systems, including Blackboard instruction, Jabber, VPN, and single sign-on websites to push the attack code.
As of this week, many of these same systems remain offline.
The amount of advance planning conducted by Alphv illustrates the coordinated, well-organized nature of these organizations. Alphv took advantage of the most vulnerable assets in the school’s stack and knew exactly when monitoring and response teams would be in their least responsive position. The treasure-trove of data stored within the higher education system makes these attacks highly profitable, and such attacks could quickly become the norm for institutions of higher learning.
The long-term reach of a ransomware attack can last far beyond data recovery and the implementation of stricter security measures. The PR implications cannot be ignored, nor can the need for communications and visibility into the event.
As is the case with many organizations, North Carolina A&T opted to limit notifications about the attacks, drawing sharp criticism from students, many of whom were hampered in completing assignments. It’s appropriate for any business or educational facility to strike a balance between too much disclosure about an incident and no disclosure. It’s important to consult law enforcement, legal, and security experts ahead of time to ensure that you have a playbook at your immediate disposal.
The best way to learn from an event like this is to use it to create and fine-tune a ransomware prevention strategy. In the case of North Carolina A&T, the attack could have been prevented or minimized by expanding their security profile to include the full stack of devices, right down to the most unimpressive digital blackboard on campus. Doing so would have cut off multiple avenues for an attack and may have discouraged Alphv from going forward.