Ransomware Attackers Don’t Take Holidays

Not everyone took time off for Labor Day weekend. While millions of Americans enjoyed an extended weekend in honor of the holiday, cybercriminals were busy targeting Howard University with a ransomware attack.

Howard University released a statement Tuesday morning explaining that suspicious network activity was detected on Friday, September 3. It was later determined that the university was the victim of a ransomware attack. 

The statement explains, “We are currently working with leading external forensic experts and law enforcement to fully investigate the incident and the impact. To date, there has been no evidence of personal information being accessed or exfiltrated; however, our investigation remains ongoing, and we continue to work toward clarifying the facts surrounding what happened and what information has been accessed.”

The school’s IT team proactively shut down the network—including all WiFi access. Classes were cancelled and the physical campus remained open, but only for essential employees. 

We Were Warned

It is probably not a coincidence that the attack occurred over a holiday weekend. Ransomware attackers don't take holidays off. On the contrary, cybercriminals appear to be specifically targeting those times—most likely because it means IT teams are probably running with minimal staff and there is less chance of being detected. 

This is just the latest in what has become a trend for 2021. The Colonial Pipeline ransomware attack occurred over Mother’s Day weekend. JBS Meat Packing was hit Memorial Day weekend. The Kaseya hack was discovered during the Fourth of July weekend. 

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) preemptively issued a joint statement last week making businesses aware of the increased risk of attack over holiday breaks, and warning companies to be more vigilant in defending against ransomware attacks.

Defending Against Ransomware

This attack is yet another reminder that no one is immune to being targeted. This was actually the 19th college or university to publicly admit to suffering a ransomware attack just this year.

It isn’t surprising that higher education institutions are targets because they have wide attack surfaces that are oftentimes poorly secured. With the start of a new semester and millions of students returning to college campuses around the country in earnest for the first time since the COVID-19 outbreak began, the mindset of the threat actors is likely that colleges will quickly pay the ransom because they want to minimize damages caused by a prolonged lockdown. 

However, paying a ransom doesn’t guarantee a fast return to normalcy. In fact, a recent Cybereason study of more than 1,000 businesses showed that 80 percent of businesses that paid a ransom were hit by a second ransomware attack.

I recommend to the administration of Howard University that, if they can at all avoid it, they should not pay. In some cases, you can't legally pay because the ransom is funding terrorism and organized crime. But it's not a good idea to ever pay unless the cost of doing so affects human life, public safety or is existential.

Paying doesn't make the problem go away, since nearly half don't recover data correctly, and it will become public anyway. Paying possibly only defers some cost and delays the time when it becomes public knowledge.

If we have learned anything from the deluge of ransomware attacks in 2021, it is that the public and private sectors need to invest now to ratchet up prevention and detection and improve resilience. We can meet fire with fire.

Sure, the threat actors will get in, but so what? We can make that mean nothing. We can slow them down. We can limit what they see. We can ensure fast detection and ejection. We can—in short—make material breaches a thing of the past.

So what if they get a toehold on the ramparts? We can keep them out of the castle by planning and being smart ahead of time and setting up the right defenses.

Sam Curry
About the Author

Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.
