Increasing ransomware attacks at universities

According to freedom of information requests carried out by two cybersecurity firms, universities and NHS trusts in England have been hit hard by ransomware in the last year.

The firms said that 28 NHS Trusts have been affected. In the last 12 months Bournemouth University, which boasts a cybersecurity centre, has been hit 21 times.

What is Ransomware?

Ransomware is a category of malware that restricts users from accessing their devices or data. Ransomware attackers force their victims to pay a ransom through specified payment methods, and only after that do they grant the victims access to their computers or data.

With ransomlockers, the attacker pretends to be local law enforcement and demands a “fine” to let the victims avoid arrest and unlock their computers.

Cryptolocker is a ransomware variant in which the malware often encrypts the user’s files and often deletes the original copies. The attacker then requests a ransom for the files to be decrypted. Not only are files on the local computer damaged, but often also the files on any shared or attached network drives to which the computer has write access.

Ransomware can travel through email or be hidden in downloadable files and programmes from corrupted sites and applications.

A cybersecurity firm contacted 71 UK universities. Of the 58 that responded, 23 said that they had been attacked in the last year. None of them said whether they had paid the ransom, although the largest sum demanded was £2,200.

So far only one university has contacted the police.

According to the report, two of the institutions said that “they did not use anti-virus software.”

Bournemouth University have confirmed the attacks.

“It is not uncommon for universities to be the target of cybersecurity attacks; there are security processes in place at Bournemouth University to deal with these types of incident,” said Bournemouth University.

The university also confirmed that there has been “no impact” on its activity as a result of these attacks.

In a separate study, the security firm NCC Group asked every NHS Trust in England whether it had been a victim of ransomware.

Of the 60 responses the firm received, 28 said they had experienced an attack, one, luckily, had yet to experience an attack, and 31 declined to comment on the grounds of patient confidentiality.

The technical director at NCC Group, Ollie Whitehouse, said: “Paying the ransom – which isn’t something we would advise – can cost significant sums of money, yet losing patient data would be a nightmare scenario for an NHS Trust.”

Chart: NHS Trust responses (experienced ransomware attack; declined to comment; no ransomware attack experienced)

Ransomware on the rise

In America, the frequency of ransomware attacks increased by 300% year on year in 2016, with about 4,000 incidents a day now being reported, according to the US Government.

If a computer is infected, you should have it removed from any network and switch it off immediately.

It has also been advised that “prevention is the best defence”, and that you should use spam filters, firewalls, anti-virus programmes and employee training for businesses, as well as regular data backups.

Five Do’s and Don’ts

  • Don’t pay the ransom – Although paying the ransom sounds like a realistic response, it only encourages and funds the attackers.
  • Don’t click on attachments in email – Those who run ransomware scams have different ways to infect your data or computer. One of the most popular is spam, where they expect you to click on the attachment.
  • Do keep software up to date – Make sure that the software on your PC is updated, as patching removes vulnerabilities in that software.
  • Do use security software – Good security software isn’t just anti-virus. ServerLink suggest Symantec as a good line of defence.
  • Do back up – Everyone needs to back up. The fastest way to regain access to your critical files is to have a backup of your data. Backups should cover not only files housed on the server but also files that reside locally on a workstation.

Symantec Endpoint Protection

This is antivirus and personal firewall software developed by ServerLink’s partner, Symantec. The software is designed for centrally managed business environments and provides security for both servers and workstations.

The most recent version, Symantec Endpoint Protection 12.1.6, provides five layers of protection in one high-performance agent, all managed through a single console.

Here are the five layers of protection:

  1. Network – The network threat protection technology analyses incoming data and blocks threats as they travel through the network, before they hit the endpoints. Rules-based firewalls and browser protection are also included to protect you against web-based attacks.
  2. File – Signature-based antivirus and advanced file heuristics look for and eliminate malware on a system to protect against viruses, spyware, adware and many more.
  3. Reputation – The unique Insight technology correlates tens of billions of links between users, files and websites to detect rapidly mutating threats. By analysing key file attributes, Insight can accurately identify whether a file is good or bad and assign it a reputation score, effectively protecting against targeted attacks while reducing the scan overhead by 70%.
  4. Behaviour – SONAR leverages artificial intelligence to provide zero-day protection. This effectively stops new and unknown threats by monitoring nearly 1,400 file behaviours while they execute in real time to determine the file risk.
  5. Repair – The Power Eraser aggressively scans infected endpoints to locate advanced, stubborn threats and remove the malware it finds. Remote support enables the administrator to trigger the Power Eraser scan and fix the infection from the management console.

In addition to its core protection technologies, Symantec Endpoint Protection 12.1.6 also offers granular policy controls.

Here are some examples of the granular policy controls:

  1. Application Control – This allows you to control file and registry access, as well as how processes are allowed to run, and to block blacklisted applications (those known to be bad) from running.
  2. External Media Control – This allows you to restrict access to selected hardware and to control which types of devices can upload or download information. External media controls can be combined with application control to offer more flexible control policies.
  3. Host Integrity Checking & Policy Enforcement – This ensures that endpoints are protected and compliant by enforcing policies, detecting any unauthorised changes, and conducting damage assessments, with the ability to isolate a managed system that does not meet your business’s requirements.

Finally, if your business uses a virtual environment, you might want to consider software that can help protect it from ransomware. Symantec Endpoint Protection will protect your high-density virtual environment while maintaining performance levels superior to agentless solutions, and can provide end-to-end security visibility.

Here are some examples of optimisation for virtual environments:

  1. VMware vShield Integration – This allows higher virtual machine (VM) density and reduces I/O and CPU usage.
  2. Virtual Image Exception – It whitelists files from a standard virtual machine image to optimise scanning.
  3. Resource Levelling – It randomises the scan and update schedules to prevent resource utilisation spikes.
  4. Shared Insight Cache – It scans files once and shares the results between clients, de-duplicating file scanning to reduce bandwidth and latency.
  5. Virtual Client Tagging – It automatically detects and reports whether the client is running in a virtual environment, which makes it easier to set different policies for virtual machines.
  6. Offline Image Scanning – It will find the threats in offline VM images.
  7. Scan Throttling for Virtualisation – This detects the disk load and reduces the scan speed to prevent utilisation spikes.

To conclude, ransomware is a growing threat that everyone needs to be aware of. Remember: do not pay the ransom, and do back up your data. It is not only everyday users who are being affected by ransomware; universities and NHS Trusts are being attacked as well.

For more information about the Symantec Endpoint Protection software, contact one of the Account Managers at ServerLink today.