Dive Brief:
- Ransomware attacks have disrupted the final days of the spring semester for at least two colleges over the past week, Kellogg Community College in Michigan and Austin Peay State University in Tennessee.
- Austin Peay reported a ransomware attack last week, which forced the institution to cancel final exams scheduled for Friday before resuming scheduled finals on Monday, according to the university's latest update. The university has also restored several services, allowing students and employees to start using university computers and plug back into its network.
- Kellogg Community College, meanwhile, notified students and staff that a ransomware attack has been causing technology issues starting Friday. It closed all five campuses and canceled classes as it investigates the incident, and the college initiated a forced password reset for students and employees.
Dive Insight:
The two recent ransomware attacks underscore how disruptive cybersecurity incidents can be to higher education institutions. Austin Peay said in an announcement last week that for classes with exams canceled Friday, faculty would "determine final grades based on coursework up to this point." It has also issued statements saying "canceling exams would create new sources of confusion and stress" and offering assurances graduation will take place May 6 as scheduled.
Austin Peay spokesperson Bill Persinger said in an email that no ransom has been paid, and the university is working with state and local law enforcement. It also enlisted an external firm to determine if any personal data has been compromised.
At Kellogg, officials are hoping to welcome students and faculty back later this week. However, the college's systems will remain offline until its information technology experts deem them secure, college spokesperson Eric Greene said in an email.
Currently, students and employees may experience delays in accessing services, including campus emails and online classes. If the college cannot reopen safely within the week, it will reevaluate the timeline for finals and other student projects.
"We will take any actions necessary for students to complete course work in a timely manner, and appreciate patience and support in the meantime," Greene wrote. Kellogg is in the early stages of investigating the attack and whether personal data has been accessed, and the college has notified law enforcement about the incident.
Several other colleges have been victims of ransomware attacks this academic year, which at times forced institutions to close for days. In one instance, Lincoln College in Illinois — a predominantly Black institution that is permanently closing this May — said that a cyberattack late last year rendered several systems inoperable for months and ultimately contributed to the institution's demise.
"Ransomware is a financially motivated crime, and it's not industry-specific," said Vicki Tambellini, founder and president of the Tambellini Group, a technology research and advisory firm. "While higher education is, of course, visible in the public eye, the ransomware attacks are happening in every industry."
Ransomware attacks doubled worldwide and in North America last year, according to a recent report from SonicWall, a cybersecurity firm. And software company Emsisoft said at least 26 U.S. colleges and universities were hit with ransomware last year.
Colleges can take several steps to shield themselves against these attacks. They include employing network segmentation, a security effort that divides a computer network into smaller parts.
At some institutions, the same network is supporting all major systems, Tambellini said.
"Once ransomware is infiltrated into this, into their system, it will bring the entire network down," she said. "If they haven't segmented their networks — or they haven't had the resources to understand what network segmentation means or why they should do it — they're more vulnerable than institutions that have the segmentation."
It's also important for colleges to have endpoint detection and response software, which can help them identify ransomware and stop it as soon as possible, Tambellini said. Training employees about cybersecurity, such as not clicking on phishing links, can be helpful. And top administrators should have plans in place in the event of an attack, including knowing what their legal obligations are if data is breached.
Colleges should also craft backup and disaster recovery plans. Depending on their plans, institutions could get themselves back online without being held hostage to ransomware crime, Tambellini said.
Otherwise, they may be forced to pay the ransomware attackers. In 2020, for instance, the University of California, San Francisco, paid a ransomware group $1.1 million to regain control of its servers.