Educause Security Discussion mailing list archives

Potential Higher Ed focused Ransomware attacks


From: Brian Kelly <bkelly () EDUCAUSE EDU>
Date: Fri, 11 Dec 2020 15:48:14 +0000

The EDUCAUSE Cybersecurity Program would like to alert our community to a recent attack at a member institution. 
Identification of the threat actor indicates a connection to a known ransomware attack group, and the actions seen by the 
institution are often a precursor to a ransomware attack. The member institution consulted with [Law Enforcement] 
Authorities during this incident, who believe the perpetrators may be an emerging threat group focusing on Higher 
Education or a previously existing group that is now targeting Higher Education.



The overview below was provided by the impacted institution, which was able to detect and mitigate the attack before the 
attacker was able to deploy ransomware. The tools and techniques closely followed the PYSA/Mespinoza Ransomware 
playbook: https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/



Overview - The threat actor, using the stolen credentials of a former student (dormant account), gained access to the campus 
Citrix environment. The threat actor then escalated privileges, gaining access to a domain privileged account, and set 
up persistent access. Approximately one month later the threat actor used a system privileged account to gain access 
to the campus Domain Controller, deploying various hacker tools including Mimikatz to collect the entire directory of 
campus credentials, including encrypted passwords for offline cracking. The campus was alerted when virus protection 
software detected malware/tool activity.



At this point, the campus was unaware of the source account, and the threat actor retained access via the former 
student account. During the ensuing month, the threat actor continued to access campus systems, conducting 
reconnaissance to regain privileged access. The institution put added monitoring in place, and roughly one month later 
the campus was alerted to the threat actor (via the added monitoring), again disabled the relevant accounts, and took 
further actions to investigate and remediate. The campus engaged a third-party forensic firm, and the full course and 
extent of the compromise was determined.



The campus had begun a multi-factor authentication (MFA) roll out but had been hampered by COVID pandemic impact.



Within a two-week period, the campus was able to “virtually authenticate” and enroll all faculty, staff, and students 
(more than 18,000 individuals total) into their MFA program prior to a complete rebuild of the Domain Controller and 
Active Directory infrastructure and ejection of the threat actor. Subsequent actions by the threat actor revealed over 
5,000 later attempts to re-compromise the campus network.



Key issues found that contributed to the “success” of the threat actor and should be reviewed at your institutions:

· Dormant student user accounts (not disabled)
· Lack of a tiered security model to protect core infrastructure
· Weakness in Domain Privileged Account passwords
· Lack of MFA
· Availability/use of an obsolete encryption protocol (RC4)
· Unlimited access to the virtual desktop environment



At this point, we are unable to provide additional details. I will provide more information as allowed.



If you wish to discuss this incident or indicators at your institution that might be related, please utilize the 
REN-ISAC OPS discussion list for greater confidentiality.

Impacted institutions are encouraged to contact the REN-ISAC's SOC 24 x 7 Watch Desk at +1 317-274-7228 and/or soc () 
ren-isac net .



Guidance and resources from NIST



NIST's National Cybersecurity Center of Excellence (NCCoE), in collaboration with members of the business community and 
vendors of cybersecurity solutions, has built example solutions to address the data integrity challenges posed by 
ransomware and other destructive events. These are described in NIST Special Publication (SP) 1800-25, Data Integrity: 
Identifying and Protecting Assets Against Ransomware and Other Destructive Events 
(https://csrc.nist.gov/publications/detail/sp/1800-25/final), and SP 1800-26, Data Integrity: Detecting and Responding 
to Ransomware and Other Destructive Events (https://csrc.nist.gov/publications/detail/sp/1800-26/final).

Ransomware, destructive malware, insider threats, and even honest user mistakes present ongoing threats to 
organizations. All types of data are potential targets of data corruption, modification, and destruction.



Formulating a defense against these threats requires thorough knowledge of the assets within the enterprise and 
protection of these assets against data corruption and destruction. Furthermore, quick, accurate, and thorough 
detection and response to a loss of data integrity can save an organization time, money, and headaches.

These two new publications complement SP 1800-11 (https://csrc.nist.gov/publications/detail/sp/1800-11/final), 
which addresses recovering from ransomware and other destructive events. For more details and links to related 
efforts, see the Data Security program page (https://www.nccoe.nist.gov/projects/building-blocks/data-security).



SP 1800-25:
https://csrc.nist.gov/publications/detail/sp/1800-25/final

SP 1800-26:
https://csrc.nist.gov/publications/detail/sp/1800-26/final

SP 1800-11:
https://csrc.nist.gov/publications/detail/sp/1800-11/final

Data Security program page (NCCoE):
https://www.nccoe.nist.gov/projects/building-blocks/data-security



Additional EDUCAUSE resources

https://library.educause.edu/resources/2019/10/national-student-clearinghouse-playbooks

https://er.educause.edu/blogs/sponsored/2020/6/higher-ed-ransomware-playbook



Brian

Brian Kelly, CISSP, CISM, CEH
Director, Cybersecurity 
Program<https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program>
bkelly () educause edu<mailto:bkelly () educause edu>

EDUCAUSE
Uncommon Thinking for the Common Good
Follow HEISC on LinkedIn <https://www.linkedin.com/showcase/higher-education-information-security-council-heisc-/> | Twitter: @HEISCouncil

direct: 475.449.6440 | educause.edu<http://www.educause.edu/>
1150 18th Street, NW, Suite 900 Washington, DC 20036





**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
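Two of the key issues listed in the advisory, dormant accounts that were never disabled and accounts that still allow the obsolete RC4 Kerberos encryption type, can be checked from a directory export. The script below is an added example for readers of this archive, not code from EDUCAUSE or the impacted institution. It assumes the real Active Directory attribute names lastLogonTimestamp, userAccountControl and msDS-SupportedEncryptionTypes, and runs over a small constructed set of user records in place of an LDAP or CSV export. Two caveats it encodes: lastLogonTimestamp is replicated lazily (up to about two weeks behind the true last logon), so it is suited to a 90-day dormancy threshold rather than exact timing; and an unset msDS-SupportedEncryptionTypes has historically meant the KDC falls back to RC4 for user accounts, so the audit treats an absent value as RC4-capable rather than as safe.

```python
"""Audit AD user records for dormant accounts and RC4-capable Kerberos settings.

Added example; not part of the advisory. Attribute names are the real AD
attribute names; the user records below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7).
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC_MD5 = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10
ENC_TYPE_NAMES = [
    (DES_CBC_CRC, "DES_CBC_CRC"),
    (DES_CBC_MD5, "DES_CBC_MD5"),
    (RC4_HMAC_MD5, "RC4_HMAC_MD5"),
    (AES128_CTS_HMAC_SHA1_96, "AES128_CTS_HMAC_SHA1_96"),
    (AES256_CTS_HMAC_SHA1_96, "AES256_CTS_HMAC_SHA1_96"),
]

# userAccountControl bit meaning "account is disabled".
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200

# lastLogonTimestamp is a FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # Integer division of timedeltas keeps the value exact (no float rounding).
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def enc_types_of(value) -> set:
    """Decode msDS-SupportedEncryptionTypes into a set of names.

    An absent or zero value is not "no encryption types": the KDC applies a
    default that has historically included RC4 for user accounts, so the
    audit reports it as RC4-capable (assumption documented in the lead-in).
    """
    if not value:
        return {"RC4_HMAC_MD5 (default)"}
    return {name for bit, name in ENC_TYPE_NAMES if value & bit}


def is_enabled(rec: dict) -> bool:
    return not (rec.get("userAccountControl", 0) & UAC_ACCOUNTDISABLE)


def find_dormant(records, now: datetime, max_idle_days: int = 90) -> list:
    """Enabled accounts with no replicated logon within max_idle_days.

    A missing/zero lastLogonTimestamp means the account has never logged on
    since the attribute was introduced; it is reported as dormant too.
    """
    cutoff = now - timedelta(days=max_idle_days)
    dormant = []
    for rec in records:
        if not is_enabled(rec):
            continue  # already disabled: not the gap the advisory describes
        last = rec.get("lastLogonTimestamp") or 0
        if last == 0 or filetime_to_datetime(last) < cutoff:
            dormant.append(rec["sAMAccountName"])
    return sorted(dormant)


def find_rc4_enabled(records) -> list:
    """Enabled accounts whose Kerberos encryption types still permit RC4."""
    flagged = []
    for rec in records:
        if not is_enabled(rec):
            continue
        names = enc_types_of(rec.get("msDS-SupportedEncryptionTypes"))
        if any(n.startswith("RC4_HMAC_MD5") for n in names):
            flagged.append(rec["sAMAccountName"])
    return sorted(flagged)


# Constructed sample export; dated to the advisory (11 Dec 2020) for realism.
NOW = datetime(2020, 12, 11, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userAccountControl": UAC_NORMAL_ACCOUNT,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=3)),
     "msDS-SupportedEncryptionTypes": AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96},
    {"sAMAccountName": "alumni2016", "userAccountControl": UAC_NORMAL_ACCOUNT,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=600)),
     "msDS-SupportedEncryptionTypes": 0},  # never set: RC4 by default
    {"sAMAccountName": "oldstaff", "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=400)),
     "msDS-SupportedEncryptionTypes": RC4_HMAC_MD5},  # disabled: not reported
    {"sAMAccountName": "svc-backup", "userAccountControl": UAC_NORMAL_ACCOUNT,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=1)),
     "msDS-SupportedEncryptionTypes": RC4_HMAC_MD5 | AES256_CTS_HMAC_SHA1_96},
    {"sAMAccountName": "neverlogged", "userAccountControl": UAC_NORMAL_ACCOUNT,
     "lastLogonTimestamp": 0,
     "msDS-SupportedEncryptionTypes": AES256_CTS_HMAC_SHA1_96},
]

if __name__ == "__main__":
    print("Dormant enabled accounts (>90 days):", find_dormant(SAMPLE_USERS, NOW))
    print("Enabled accounts permitting RC4:   ", find_rc4_enabled(SAMPLE_USERS))
```

On a real directory the same two functions can be fed the output of an LDAP search for users, with lastLogonTimestamp and msDS-SupportedEncryptionTypes read as integers; accounts that show up in the first list are candidates for disablement, and those in the second should be moved to AES-only before RC4 is disabled at the domain level.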
