5,366,886 Attacks Later, this new Ransomware Bug Has Colleges and Families Reeling

Max Sheridan

Howard University in Washington, D.C., is still recovering after a ransomware attack ripped through its network last month, grinding online teaching to a halt. The potential number of victims? 11,000. If you missed it, no one would blame you. Hackers have launched attacks at 5,366,886 educational organizations in the past 30 days alone[1] (61% of the entire ransomware pie).
This is disturbing for a number of reasons and not all of them as obvious as you might think.
Bad Infrastructure Is Good Money for Hackers
It isn’t common knowledge outside the cybersecurity community just how woefully outmatched much of our critical infrastructure is against the latest breed of cybercriminals. The fact that Google has just put skin in the game with its newly launched Google Cybersecurity Action Team is either great news or a dire warning that we’ve reached the point of no return. But yes, our school networks and the legacy systems they run on are virtually open books to fraudsters, which has made them soft targets.
In 2020, ransomware attackers hit approximately 1,740 schools in the U.S. Estimates of the damage vary, but some experts believe costs due to downtime and recovery could be as high as $6.5 billion.[2]
While the sheer number of attacks seems to be leveling out, this isn’t necessarily good news for higher ed, which may be looking at a potentially scarier ransomware threat landscape moving into 2022: one where criminals target fewer institutions for much higher payouts.
That’s just what we saw in April 2021, when cybercrooks targeted Broward County Public Schools in Florida, asking for an astronomical $40 million ransom. (Broward County didn’t pay up, and the hackers ended up making good on their threats to publish over 26,000 sensitive files.)
Student Ransomware Victims Are at Higher Risk
Cyber thugs aren’t targeting schools and colleges only because it’s easier to break into their systems. When 21-year-old John Binns sailed past T-Mobile’s feeble defenses last month, it underscored the fact that in 2021, cybersecurity is still a hacker’s market. And their reasons for targeting colleges are much more nefarious.
Students usually have clean credit and aren’t likely to be on the lookout for identity theft. That makes their sensitive details (driver’s license, phone, and Social Security numbers) very valuable commodities on the dark web, where any fraudster who buys them can get away with a lot before they’re caught.
If this does happen, the damage can be long-lasting, far-reaching, and extremely difficult to undo.
And that was before PYSA.
Introducing PYSA Rent-a-Ransomware
In March 2021, the FBI’s Cyber Division finally flagged a particularly malevolent ransomware variant that seemed to be targeting school systems and higher ed.[3]
PYSA (Protect Your System, Amigo) wasn’t actually new. Cybersecurity experts first spotted it back in 2019. But it was worrying because it was considered open source ransomware as a service, or RaaS. (Yes, like software as a service, but for criminals.) That meant that any low IQ grifter with a bitcoin wallet could buy the bug on the dark web, customize it, and, after busting through flimsy network security, launch it to catastrophic effect.
If this is conjuring up images of a California wildfire, the analogy isn’t that far off. Like an arsonist who might not know what a fire is but can use a book of matches, code-dumb PYSA hackers are virtually unstoppable.
From Broward County to Howard University, the pseudo hackers follow the same MO. They “exfiltrate” the data they want, lock it up, and then threaten to release it on the dark web (or destroy it) if their ransoms aren’t paid.
The consequences for universities that don’t comply have been steep. Some, like Howard, have been forced to shut down (sometimes for days or weeks). Others have lost valuable research (University of California, San Francisco, June 2021) or seen tens of thousands of student records compromised (University of Syracuse, an early PYSA victim in 2019).
What You Can Do to Protect Your Family From PYSA Ransomware Attacks Right Now
As cybersecurity experts have been warning for years, our critical infrastructure needs a massive overhaul. But individuals can do their part, too. Here’s a quick five-point guide to protecting your family from PYSA and worse.

1. Keep your children’s devices updated, especially if they’re on loan from a school or university.
This is one digital hygiene best practice that unfortunately fell by the wayside over lockdown, just when we needed it the most. A single unsecure device can open up a backdoor to higher-level systems privileges for thieves who know what they’re doing. So, if they haven’t already, have your kids enable those automatic security updates now.

2. Make sure all students in the family are extremely careful with email and website links.
There are literally no limits to what a cybercriminal is willing to do to cash an easy paycheck. Grifters have gone so far as to impersonate university human resources personnel to con students out of sensitive details about their COVID-19 vaccination status. If you don’t have a family VPN plan with malware protection, now’s the time to look into one. At the very least, encourage your kids to install a free antivirus program like Avast on their devices.

3. Encourage college-aged kids to stay in touch with cybersecurity staff.
Did your kids notice something weird when they were online? Have them report it immediately. Hackers can deploy a PYSA attack via a simple phishing scam. All it takes is one weak link to bring an entire school system down.

4. Teach your kids about digital safety.
Ten years ago it was the birds and the bees. These days when your kids reach Instagram age, it’s time for the “digital safety” talk. If this is new terrain, check out our guide to digital safety for kids for some ideas.

5. Consider investing in ID theft protection for your child.
Syracuse University gave its breach victims a year of Experian IdentityWorks on the house. The idea here is that while university cybersecurity is out of our hands, we as parents can still make sure our families are covered. With a top-ranked identity monitoring service like Experian, you’ll know the minute a thief has gained access to your child’s sensitive details, so you can freeze their credit and alert the appropriate authorities before the damage is done.

Even for hardened cybersecurity experts, 2021 has been a pretty crazy year. A bug that targets schools with dark web blackmail hasn’t made it any easier.
But there is light at the end of this grim-looking tunnel now that Google has joined the fight against ransomware with its generous $10 billion infusion of tactical aid for organizations with leaky hardware and subpar cybersecurity.
If schools and colleges get better at forecasting attacks, and families do their part to limit the spread of malware, we can, and will, make life a lot less rosy for wannabe PYSA hackers and their rent-a-bugs.
The post 5,366,886 Attacks Later, this new Ransomware Bug Has Colleges and Families Reeling appeared first on SafeHome.org.