Cybercriminals are humans, and as such, their whims, preferences and practices are subject to change. In 2020 and 2021, across sectors and regions, they appeared to prefer ransomware over other kinds of malware attacks, and government was their top malware target, according to new report from SonicWall.
But in 2022, cybercriminals altered their patterns. In this new threat landscape across industries and regions, ransomware attacks decreased (by 21 percent), though malware attacks over all increased (by 2 percent, after three years of decline), according to the report. Also, educational institutions were their top malware target.
Malware—a portmanteau of “malicious software”—is a general term that refers to software used to gain access to a system for the purposes of compromising, damaging or destroying a device, network or data. Malware may include viruses (software designed to spread from one computer to another), spyware (software designed to gather a user’s data without their knowledge), keyloggers (software that records a computer’s keystrokes) and many other nefarious applications.
Ransomware is another type of malware. In a ransomware attack, a criminal locks down and encrypts a user’s files. The attacker then demands money for the files to be unlocked.
Digging deeper into the data, the idea that global ransomware attacks were down may be misleading when considered in isolation, according to the researchers, as 2021 had been a high outlier year for ransomware attacks. When that outlier is omitted, ransomware attacks have been rising since 2018.
In any case, a strong majority of those who spend their days guarding computer networks perceive that malware attacks, including ransomware, remain persistent threats, according to SonicWall’s 2022 threat mind-set survey. In the survey, both were deemed top threats by a majority of respondents.
In higher education, malware attacks rose, though not as dramatically as in the K-12 sector. Ransomware attacks in higher education fell in 2022, which is especially noteworthy given the staggering increase of such attacks targeting K-12.
Cybercriminals often target known vulnerabilities in computer networks. But software updates and patches only work when installed. Colleges face nontrivial hurdles in updating and patching countless devices that run on their networks that are otherwise designed to share information openly. Remote students, faculty, staff and visitors spread across campuses and continents add to the challenge.
“Colleges and universities are much more in tune with the risks of cyberthreats and what needs to be done” than in the past, Mike Cullen, principal in the risk advisory practice and lead of the higher education cybersecurity and IT risk team at Baker Tilly, said. “Now, that doesn’t mean they always have all the money and all the people and talent that they need” to defend themselves.
Malware Rises in Higher Ed
Malware attacks targeting education dramatically increased (by 157 percent) in 2022 over the previous year, according to the report. That made education the hardest-hit sector by volume among those in the study. Attacks against the health-care and government sectors fell (by 15 percent and 58 percent respectively), while those in retail and finance rose (by 50 percent and 86 percent respectively), according to the study.
“Malware is more easily distributable or encounterable on the internet than ransomware,” said Richard Forno, assistant director of the University of Maryland Baltimore County Center for Cybersecurity. “If you’re a college student in a dorm room or a staff or faculty member browsing a website or on social media, you may eventually download some malicious software.”
But education as a sector includes both K-12 and higher education. Once the 2022 data are parsed, higher ed fared better, with a more modest (26 percent) increase compared with K-12 (323 percent increase). That K-12 was hit harder may be attributed to local budget limitations, according to Forno.
“There’s only so much of the pie that can go around,” Forno said. “Local governments are also responsible for filling in the potholes, ensuring clean water and [funding] fire and police departments.”
Also, colleges today have instituted better protocols for backing up data, which neutralizes criminals’ motivation to hold data ransom, according to Cullen. The downside is that cybercriminals may see other types of malware as desirable alternatives to ransomware, Cullen said. That is, if they lack confidence that a college will pay ransom, they can find other ways to steal sensitive data such as credit cards and Social Security numbers, with the plan of selling them on the dark web.
“The criminals are focused on higher ed because other sectors have made improvements in their cyber postures faster,” Cullen said, adding that colleges’ decentralized environments present additional challenges. “Culturally, [colleges] differ from corporate structures with strong central command and control structures from the CEO on down.”
Ransomware Falls in Higher Ed
Ransomware attacks targeting higher ed decreased (by 29 percent) in 2022, compared with a staggering increase (by 827 percent) targeting K-12 institutions, according to the report.
But the statistics reflect only reported ransomware attacks, and the actual number may be higher, Cullen said, adding that colleges today may be better equipped to handle smaller ransomware attacks in a way that evades public scrutiny. Regrettably, when college officials minimize public attention, they may inadvertently help cybercriminals.
“The more a specific ransomware group gets publicized, then the more likely it is that the law enforcement, especially in the United States—the FBI and Homeland Security—are more active and vocal about what the group is trying to do,” Cullen said. “If the group can stay in the shadows, then it has a better chance of being able to swoop in, deploy ransomware, get paid, get out” and repeat.
When considered as an industry of its own, higher ed landed roughly in the middle of sectors in the study experiencing ransomware attacks. Government and retail experienced decreases, for example, while health care and finance experienced increases.
“Higher ed IT managers are really in a quandary of balancing security and privacy for everybody in college environments where there is so much sharing and collegiality,” Forno said. “But a lot of the problems, whether in higher ed or elsewhere, are because we’re not doing basic cybersecurity practices.”
Updates Only Work When Installed
Ransomware groups most often target unpatched vulnerabilities in computer code, according to a 2021 Business Wire report. Most unpatched vulnerabilities (54 percent) are easily accessible or exploitable by hackers.
“Think about your cellphone. The vendors are always pushing updated apps, updated bug fixes and updated software,” Cullen said. “Colleges and universities are dealing with that same sort of thing, but they have to deal with it for hundreds of different systems, devices and software constantly.”
Those working to defend networks might install a patch for a known vulnerability, should one exist. But most victims acknowledge that the breaches they endured might have been prevented with available updates or patches, including approximately one-third who knew about the vulnerabilities, according to a Ponemon Institute study.
IT professionals are least confident about maintaining “cyber hygiene” for remote users, according to a 2020 AimPoint Group report, which presents challenges for colleges’ dispersed communities that may include remote students and employees spread across campuses and continents. Even when they identify necessary patches, few are fast enough, as only a minority (approximately 20 percent) can patch within one day, according to this report.
“Even though there’s a lot of automation, it still takes the right people to make sure that systems get patched and updated at the frequency that that we need today,” Cullen said. “It’s like going to the doctor or dentist. Not everyone goes as frequently as they should. Cybersecurity is similar in that way.”