Reports of entities and organisations falling victim to ransomware are becoming more and more frequent. It is now a highly effective attack that encrypts a victim's information and demands a ransom to restore access to it, generating billions of euros in profits for the criminals.

Educational Institutions can be an attractive target for those looking for an environment where the number of users is a decisive factor for the criticality and impact of the attack.  

In a university environment it is common to find people with different levels of computer skills using the equipment provided by the institution. This equipment is generally used by a large number of people, some connected to the institution itself, others just visiting, such as visiting professors or national and international students participating in teaching programmes. Most of these users also use their own equipment on the institution's network for a wide variety of purposes: accessing internal content, surfing the Internet for university purposes, and accessing personal platforms such as email, home banking, social networks, games and others.

There have been numerous cases of international universities being targeted with ransomware by organised groups that see these institutions as an opportunity to use this attack vector to block access to essential information, such as teaching resource platforms, teaching materials, end-of-course theses, papers written by researchers or any other information that is important to the institution. Faced with the risk of losing access to data that is important for their operation, universities are targets of exorbitant ransom demands to regain access to their information.

It is extremely important to have an incident response plan that considers the ransomware scenario. Internally there should be a set of controls, such as established security policies to ensure the confidentiality, integrity and availability of information, thus helping to prevent or minimise the impact in the event of a cyber attack.  


Suggestions that can assist in the event of a ransomware attack: 

  • Groups of backup information should be defined according to the criticality and availability required for the information, as not all data requires a daily copy. 
  • There should be a defined backup policy and documented procedures. 
  • The time windows for backups must be defined and, if applicable, windows for full and incremental backups can be defined. 
  • Regular backups shall be made on the basis of defined backup information groups. 
  • Periodic restoration tests should be provided for. 
  • Retention periods for backups should be defined. 
  • The backup media should be stored in a secure location, preferably away from the premises of the organisation/institution. 

In order to prevent or mitigate a potential cyber attack, some of the following measures can be taken:

  • Separate critical equipment from equipment for common use, through separate networks that are not accessible from the outside (Internet). 
  • Ensure that only authorised persons have access to restricted networks or critical equipment. 
  • Ensure that there is monitoring of the network. 
  • Use, whenever possible, a second authentication factor. 
  • Always keep systems up to date, especially with regard to security updates. 
  • Shut down all services that are not strictly necessary on critical machines. 
  • Avoid any kind of exceptions. 

Pedro Silva and Fábio Mestre are specialists in the RCTS CERT service, which you can visit for more information.
