The Ransomware Rise and You

Graduate students studying in Katherine Johnson Hall on the Science and Technology Campus. photo by Evan Cantwell/Creative Services

It’s our favorite time of year here in Information Technology Services (ITS) – the leaves are changing color, the air is cool, pumpkin spice is in full swing, and (you guessed it) it’s Cybersecurity Awareness Month (CSAM)! Each October, ITS observes CSAM to ensure that all Mason faculty, staff, and students are equipped to stay safe and secure online.

Most recently, a ransomware attack hit a neighboring university less than 25 miles away from Mason. Of course, it isn’t uncommon for cybercriminals to attack higher education environments because of their rich student data, research information, and financials, but these incidents have increased in frequency and impact since the shift to remote learning during COVID-19.

This CSAM, ITS Communications and Marketing sat down with Curtis McNay, IT Security Director, to discuss the specifics of ransomware and how the Mason community can best protect itself.

Question: What exactly is ransomware, and where does it come from?

Answer: A ransomware attack is a successful attack through any number of methods where criminals get access to important data and make it inaccessible by encrypting it. They hold the data for ransom, typically asking for payment via cryptocurrency like bitcoin. These attacks can come in like any other cyber-attack, such as a phishing email or a malicious file download, and start by compromising a workstation or laptop.

Question: How do criminals perform a ransomware attack?

Answer: From an enterprise perspective, the typical goal for the attacker is to get a foothold in the environment, frequently by using a phishing email with attached malware or a link to a malicious site hosting malware. Once they’re in, the attackers try to escalate privileges and move laterally in the space from machine to machine until they eventually gain access to their target – high-value data. It is common for an attacker to export the data before they encrypt it and threaten to expose or sell the data as part of the extortion. As a result, the enterprise has to worry about both the data being inaccessible and being exposed.

Question: How is the IT Security Office (ITSO) actively working to prevent ransomware attacks?

Answer: Endpoint Detection and Recovery (EDR) is the next-generation technical replacement for traditional antivirus software. All Mason-managed systems have either Microsoft Defender ATP or CrowdStrike, depending on the need. EDR creates a trust positive environment with lots of rich information that helps ITSO determine what kind of attack it is and how the attack originated and provides an analysis of the malware. Of course, EDR can stop the attack or allow us to take the infected device off the network. In addition, attackers may utilize a “living off the land” strategy of using tools already installed on a computer or server, like PsExec – a Microsoft utility commonly used by system admins that a traditional antivirus tool would not stop. For example, we may see that a server is running PsExec or other common utilities suspiciously, but EDR software can evaluate the use of PsExec for a suspicious use and notify the ITSO to take a closer look or potentially block its use. Unfortunately, this kind of stuff happens all the time, and while no solution provides 100% protection, we use these best-in-class tools to help keep Mason safe and secure.
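To make the “living off the land” point concrete, here is a small added example (not part of the interview, and not how Microsoft Defender ATP or CrowdStrike are implemented) that shows the kind of context an EDR rule weighs when it sees PsExec: who ran it, from where, and from which parent process. The log format, host and account names, allowlists, and the four sample events are all constructed for illustration.

```python
"""Added example: flag suspicious PsExec use from process-creation log lines.

Everything below (log format, hostnames, accounts, allowlists) is constructed
for illustration; it is not the Mason ITS configuration or any vendor's logic.
"""
import re

# Constructed sample events: "<ts> host=<h> user=<u> parent=<p> image=<path> cmd=<args>"
SAMPLE_LOG = r"""
2023-10-03T09:12:44 host=ws-lab-12 user=MASON\jdoe parent=explorer.exe image=C:\Users\jdoe\Downloads\PsExec.exe cmd=psexec \\srv-files-01 -s -d cmd.exe
2023-10-03T09:15:02 host=admin-jump-01 user=MASON\svc-patch parent=powershell.exe image=C:\Tools\PsExec64.exe cmd=psexec \\srv-files-01 -c patch.bat
2023-10-03T09:20:10 host=ws-lab-12 user=MASON\jdoe parent=winword.exe image=C:\Windows\Temp\psexesvc.exe cmd=psexesvc
2023-10-03T09:22:31 host=ws-lab-07 user=MASON\asmith parent=explorer.exe image=C:\Program Files\Notepad++\notepad++.exe cmd=notepad++.exe notes.txt
"""

# Assumed allowlists: where and by whom PsExec is expected to run legitimately.
ADMIN_HOSTS = {"admin-jump-01"}
ADMIN_USERS = {r"MASON\svc-patch"}
# Parents that have no business spawning a remote-execution tool.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|downloads)\\", re.I)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) "
    r"image=(?P<image>.+?) cmd=(?P<cmd>.*)$"
)


def parse_line(line: str):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_psexec(image: str) -> bool:
    """True when the executed image is PsExec or its service-side component."""
    return image.rsplit("\\", 1)[-1].lower() in PSEXEC_NAMES


def reasons_for(event: dict) -> list:
    """Collect the contextual signals that make this PsExec execution suspicious."""
    reasons = []
    if event["host"] not in ADMIN_HOSTS:
        reasons.append(f"host {event['host']} is not an approved admin host")
    if event["user"] not in ADMIN_USERS:
        reasons.append(f"user {event['user']} is not an approved admin account")
    if event["parent"].lower() in OFFICE_PARENTS:
        reasons.append(f"launched by {event['parent']}, an office/browser process")
    if USER_WRITABLE.search(event["image"]):
        reasons.append("binary lives in a user-writable directory")
    if "-s" in [t.lower() for t in event["cmd"].split()]:
        reasons.append("requests SYSTEM privileges (-s)")
    return reasons


def analyze(log_text: str) -> list:
    """Return one finding per PsExec execution that has at least one suspicious signal."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if not event or not is_psexec(event["image"]):
            continue
        reasons = reasons_for(event)
        if reasons:
            findings.append({"ts": event["ts"], "host": event["host"],
                             "user": event["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} {f['user']}: " + "; ".join(f["reasons"]))
```

Run as a script, it reports the two lab-workstation events and stays quiet about the patching account running PsExec64 from the jump host, which is the distinction the answer above describes: the tool itself is not the signal, the context is.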

Question: If an attack does occur, what happens to our data?

Answer: Our business operations maintain disaster recovery plans based on different scenarios. These plans include a recovery objective describing when the business needs to have an asset up and running again. The recovery objective may define a restore requirement within a business day but also the restoration of the data from a certain time. An important consideration in defending against a ransomware attack is to ensure that backups have integrity, are secure, and meet the recovery objective. If your data is stored either on the MESA M: drive, Microsoft O365 OneDrive, Teams, or O365 email, your cloud-based files will always be backed up. If you only store files locally on your computer (not to mention critical files to you or your department), you should establish another backup strategy.
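The two properties named in that answer, backup integrity and meeting the recovery objective, can both be checked mechanically. The following added example (not from the interview or from Mason’s disaster recovery plans) records a SHA-256 manifest when a backup is taken and later verifies a restore candidate against it, treating the backup as unusable if any file is missing or altered or if it is older than the recovery point objective. The directory layout, file contents, timestamps, and the one-day objective are constructed for the demonstration.

```python
"""Added example: verify a backup's integrity and age against a recovery objective.

The sample files, timestamps and the one-day recovery point objective are
constructed; the manifest is deliberately stored apart from the backup itself.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup members do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, manifest_path: Path, taken_at: float) -> dict:
    """Record when the backup was taken and a digest for every file in it."""
    files = {p.relative_to(backup_dir).as_posix(): sha256_file(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    manifest = {"taken_at": taken_at, "files": files}
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, manifest_path: Path,
                  rpo_seconds: float, now: float) -> dict:
    """Report missing/corrupt files and whether the backup is older than the RPO."""
    manifest = json.loads(manifest_path.read_text())
    missing, corrupt = [], []
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            corrupt.append(rel)
    age = now - manifest["taken_at"]
    stale = age > rpo_seconds
    return {"ok": not (missing or corrupt or stale), "missing": missing,
            "corrupt": corrupt, "stale": stale, "age_seconds": age}


def demo() -> dict:
    """Build a constructed backup, then show a clean, a damaged and a stale verification."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backup = root / "backup"
        (backup / "data").mkdir(parents=True)
        (backup / "thesis.docx").write_bytes(b"constructed sample document")
        (backup / "data" / "results.csv").write_bytes(b"run,value\n1,0.5\n")
        # Keep the manifest with the offline copy, not next to the data it describes.
        manifest = root / "offline_copy" / "manifest.json"
        manifest.parent.mkdir()
        taken = 1_000_000.0            # constructed epoch timestamp of the backup
        one_day = 86_400               # assumed recovery point objective
        write_manifest(backup, manifest, taken)
        fresh = verify_backup(backup, manifest, one_day, now=taken + 3_600)
        # Simulate ransomware reaching the backup: one file encrypted, one deleted.
        (backup / "thesis.docx").write_bytes(b"\x00encrypted-garbage")
        (backup / "data" / "results.csv").unlink()
        damaged = verify_backup(backup, manifest, one_day, now=taken + 3_600)
        stale = verify_backup(backup, manifest, one_day, now=taken + 10 * one_day)
        return {"fresh": fresh, "damaged": damaged, "stale": stale}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, json.dumps(result))
```

Keeping the manifest on a detached copy matters: a backup that an attacker can encrypt is usually one whose manifest they can rewrite as well, which is the same reason the last answer on this page asks for backups that are offline between runs.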

Question: How can individuals who don’t have managed systems protect themselves?

Answer: Protecting against ransomware is twofold, but a lot of it comes down to having good cybersecurity hygiene and keeping things simple. Keep your systems patched. Make sure you’re using industry-standard endpoint protection. Don’t install any more applications than you need because every extra little widget and game may expose your computer to compromise or be malware itself. Learn and be careful about email phish and going to risky websites. Be vigilant when your system is prompting you to download something or install something. Most importantly, back up often and ensure that your backup is offline and not attached to your computer between backups! Without detached backups, you run the risk of losing all of your data when you become the target of an attack.

Remember to do your part and #BeCyberSmart! For more information on this year’s ITS CSAM events, see the latest ITS bulletin.