090120TechSecurityAlertActiveRansomwareCampaignTargetingEDInst

Author
Federal Student Aid
Subject
TECHNOLOGY SECURITY ALERT – Active Ransomware Campaign Targeting Education Institutions

Federal Student Aid (FSA) has identified multiple ransomware attacks that lead to denial of access to sensitive data and systems unless a ransom is paid. Ransomware can have a crippling effect on an institution’s ability to operate until the infection is completely remediated. 

What is happening: Multiple schools have reported that attackers are targeting their institutions with ransomware. Phishing attacks have been used to gain access to account credentials that the attackers then use to install and propagate ransomware across a network. Some institutions have lost access to critical systems and data, impacting their ability to operate.

Why schools are vulnerable to this attack: Schools are an attractive target for criminals looking for privacy information, research data, financial information, and intellectual property.

How to protect your institution: We strongly encourage each school to strengthen its cybersecurity posture by implementing cybersecurity best practices, including:

  • Establish a data backup process, ensure the backups are available and accessible, and store the backups offline

  • Implement multi-factor authentication to mitigate account compromises

  • Regularly patch hardware and software

  • Continuously monitor the institutional network to detect unauthorized access and malware

  • Create and update your Incident Response Plan

  • Ensure training resources emphasize phishing, as it is frequently the compromising entry point for ransomware attacks

Further details on what your institution can do to protect itself are available on the Cybersecurity and Infrastructure Security Agency (CISA) information page on ransomware, located at https://www.us-cert.gov/Ransomware.

If you believe your institution has been targeted, report the incident immediately to cpssaig@ed.gov and FSASchoolCyberSafety@ed.gov. Include the following:

  • Name of the institution

  • OPEID – School Code

  • Date the incident occurred (if known)

  • Date the incident was discovered

  • Technical details of the ransomware (if known)

  • Extent of the impact

  • Remediation status (what has been done since discovery)

  • Institution points of contact

Suggested remediation steps if your institution falls victim to the attack:

  • Preemptively shut off network and systems to limit the spread of the ransomware

  • Bring systems back up only after they have been checked and cleared of infection

  • Block IP addresses that were related to the attack

  • Force reset credentials for potentially affected accounts

  • Perform forensic analysis on server, network, and application logs from recent weeks

  • Restore data from backups

  • Notify law enforcement of the criminal attack

We continue to monitor this situation and will post additional information as appropriate.

Thank you for your attention to this matter. We are committed to working with schools to combat ransomware attacks and protect student financial aid information. If you have any questions about the information included in this announcement, please contact FSASchoolCyberSafety@ed.gov.