News reports of various entities and organizations falling victim to ransomware are becoming increasingly frequent. These days, it's a highly effective attack that encrypts a victim's information and demands a ransom for access, generating billions of euros in profits for criminals. 

Educational institutions can be an attractive target for those seeking an environment where the number of users is a decisive factor in the criticality and impact of an attack.  

In a university environment, it's common to find people with varying levels of computer knowledge using the equipment provided by the institution. These devices are generally used by a large number of people, some connected to the institution itself, others simply visiting, such as guest professors or even national or international students participating in educational programs. Most of these users also use their own devices on the institution's network for a variety of purposes: accessing internal content, browsing the internet for university purposes, and accessing personal platforms such as email, home banking, social media, games, and more. 

There have been numerous cases of international universities being targeted by organized groups that see ransomware as an opportunity to block access to essential information, such as educational resource platforms, teaching materials, final-year theses, papers written by researchers, or any other information of relevance to the institution. Faced with the risk of losing access to data critical to their operations, universities are subject to exorbitant ransom demands to regain access to the information. 

It is extremely important to have an incident response plan that covers the ransomware incident scenario. Internally, there must be a set of controls, such as established security policies, that ensure the confidentiality, integrity, and availability of information, thus helping to prevent or minimize the impact in the event of a cyber attack.  


Suggestions that may help in the event of a ransomware attack: 

  • Backup information groups must be defined according to the criticality and availability required for the information, as not all data requires a daily copy. 
  • There must be a defined backup policy with the respective documented procedures. 
  • Backup time windows must be defined and, where applicable, separate windows can be set for full and incremental backups. 
  • Regular backups should be performed based on the defined backup information groups. 
  • Periodic restoration tests must be planned. 
  • Backup retention periods must be defined. 
  • Backup media must be stored in a safe location, preferably away from the organization/institution's facilities. 

To prevent or mitigate a potential cyber attack, some of the following measures can be taken:

  • Separate critical equipment from commonly used equipment, through distinct networks that are not accessible from the outside (internet). 
  • Ensure that only authorized personnel have access to restricted networks or critical equipment. 
  • Ensure network monitoring is in place. 
  • Use a second authentication factor whenever possible. 
  • Always keep your systems up to date, especially with regard to security updates. 
  • Turn off all services that are not strictly necessary on critical machines. 
  • Avoid any kind of exceptions. 

Pedro Silva and Fábio Mestre are experts at the RCTS CERT service, which you can visit for more information.
