Modern ransomware attacks are as much about stealing data and threatening to leak it as they are about encrypting data. Which means that when a school or hospital is attacked, it’s often students’ and patients’ data that’s leaked if the ransom demand isn’t met.

We have to wonder how greedy any person would need to be to show such a blatant disregard for how painful sharing that kind of information can be.

In our recent report on the state of ransomware in education we saw an 84% increase in known attacks on the education sector.

Known ransomware attacks against education, June 2022-May 2023
Known ransomware attacks against education, June 2022-May 2023

And, while ransomware attacks against education are a global phenomenon, the USA and the UK saw far higher rates of attacks than other countries.

Although the attacks were carried out by a large number of different ransomware gangs, one in particular stood out: Vice Society. The Vice Society ransomware gang specializes in attacking education, with almost half of its known activity (43%) directed against the sector—almost ten times the average for ransomware groups.

Vice Society has also been known to take their demands directly to college students (we talked about this tactic in the case of the University of Manchester.)

The documents stolen from schools and dumped online by ransomware gangs can contain very private information that goes beyond what we normally see in leaked files. But apparently it’s getting harder to convince victims to pay the ransom, so the cybercriminals are trying new tactics.

What they seem to forget, or not care about, is that they are not just extorting money from institutions, but ruining young lives in the process.

An Associated Press article talked to the families of six students who had their sexual assault case files exposed by a ransomware gang. The leaking of private records like that on both the Dark Web and the open Internet could have a lasting impact on those young people long after their school has recovered from the attack.

The ransomware groups are to blame, of course, but the education sector can improve a few things to lessen the impact of a ransomware attack.

It’s prudent to assume that at some point your organisation will fall victim to a ransomware attack. That being the case, it might be better to resort to paper records for highly sensitive information, or to store it securely encrypted on a non-networked system.

It also seems to be a problem to inform the students and their family about what has happened and what might have been stolen. The families contacted by AP said they first learned about the leaked information from the journalist instead of from the school.

Another matter to consider is the fact that identity thieves sometimes target children because the crime can go undetected for years, often until the child applies for their first loan or credit card. Even more reason for schools to inform the families of students about stolen data.

As a Vice Society representative wrote in an email to students of a victimized school:

“Additionally all of your SSN and Medical records will be put for sale, for every hacker to gain access and use your data in whatever illegal activity they want. To us, this is a normal business day. For you, it’s a sad day where everyone will see your personal and private info.”

Which goes to show that appealing to their decency is likely to fall on deaf ears, so the best defense is protection.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.