School will not be in session Tuesday at Washington, D.C.’s Howard University, after the HBCU (Historically Black Colleges and Universities) was hit by a suspected ransomware attack on Friday that forced the school to shut down internet service across the campus.
The school powered down its networks in order to investigate a cyberattack after the university’s IT teams “detected unusual activity” the Friday before Labor Day weekend, prompting the school to take “many of our university systems offline,” the school said in a statement.
It was not clear how long classes will remain canceled or how long the school’s wifi will be inaccessible, but the university warned in a statement that “remediation, after an incident of this kind, is a long haul—not an overnight solution.”
One thing is clear, however: As students head back to school this fall, COVID-19 isn’t the only thing that could get in the way of classes resuming normally.
Ransomware gangs, which frequently go after educational institutions because of their slack IT infrastructure and budgets, lock up victims’ computers and often demand they cough up hefty ransoms before they help them unlock their machines. In recent years, ransomware gangs have increasingly relied on stealing sensitive data from targets and threatening to sell or go public with the information in order to ensure victims pay up.
Crippling ransomware attacks have been launched in recent months against meat supplier JBS, Colonial Pipeline, and even U.S. hospitals. In August, an Indianapolis hospital was forced to turn away ambulances and divert patients to other facilities after an attack.
Howard is at least the nineteenth college or university attacked by ransomware hackers in 2021, according to Allan Liska, an intelligence analyst at security firm Recorded Future.
“Schools have always been a prime target for ransomware attacks. But since 2020, ransomware groups have been looking at colleges and universities as a way to get bigger payouts,” Liska told The Daily Beast. “And, unfortunately, because of the nature of these networks, college and universities have a large and often poorly secured attack surface.”
Brett Callow, a threat analyst at the security firm Emsisoft, told The Daily Beast that other schools—including K-12 schools—should be on alert for ransomware shutdowns in the coming days as well, since ransomware attacks tend to spike in the third quarter.
“It’s a strategy intended to maximize the criminals’ chance of obtaining a payout. If they were [to] strike in advance of Q3, schools would have the summer break to recover,” Callow told The Daily Beast. “When students are back in classes or about to go back, schools are under pressure to resolve incidents quickly—and that may mean they’re more likely to pay.”
It’s not clear what systems, if any, the hackers themselves locked up successfully at Howard. Howard said it “intentionally” shut down the school’s network so it could investigate the attack, which aligns with language victims of ransomware attacks sometimes use to indicate that the hackers didn’t get very far, or that the victims have isolated the ransomware and kept it from spreading across networks. But the full impact of the attack remains unknown. Howard University said it is working with the FBI to investigate the full scope of the breach.
Ransomware hacking gangs are more successful at locking up systems in the education sector than in other industries, according to data from security researchers at Sophos.
“Generally, when schools cancel classes, it means at least some critical systems were locked up by the ransomware actors,” Liska told The Daily Beast. “We’ll know more in the coming days, but that is usually the case.”
The university said there is no evidence that the hackers accessed or stole personal information from Howard so far. But the investigation is ongoing and it is too soon to know for certain whether the hackers pilfered any personal information, experts told The Daily Beast.
Howard University did not immediately return a request for comment about whether Howard University Hospital has been affected by the ransomware attack.
Howard is expected to give an update on the investigation at 2 p.m. ET.
—Updated throughout at 12:51 p.m.