
Cybersecurity Threats Targeting Educational Institutions

Don't be a hostage. KNOW how.

Post by Tanuj Mitra Jan 05, 2021

Educational institutions are a data goldmine. They collect more sensitive information about their students, alumni, and employees than other companies do about their customers, from personally identifiable information (PII) such as social security numbers and addresses to payment information and health records. With remote access now the norm, thousands of individuals are connected to online portals across a multitude of devices at all hours of the day and night. This has resulted in more cybersecurity threats: top educational institutions are increasingly exposed to vulnerabilities and frequently fall victim to sophisticated data breaches caused by malicious outsiders, policy blind spots, or even human error.

In 2019 alone, the likes of Stanford University, Georgia Tech, and education software developer Pearson all suffered data breaches. Georgia Tech, for instance, saw a staggering 1.3 million records exposed.

These findings highlight the need for organizations to receive real-time threat intelligence to stay on top of the latest cybersecurity threats targeting their industry. They need to consider taking steps to prevent attacks from occurring in the first place and getting to KNOW would be a good start. 

KNOW about cybersecurity threats that made headlines 

Per sources, the number of ransomware attacks increased by 388% in the third quarter of 2020. The education sector recently reported 31 ransomware incidents, a 400% increase over the 8 incidents that occurred in Q2. Nine of these ransomware attacks involved data exfiltration, a tactic that has become common among ransomware gangs over the past years.

This isn’t the first time that security researchers documented a massive jump in ransomware attacks. In 2019, the number of crypto-malware infections grew from five in Q2 to 51 in Q3. That’s a shocking 1020% growth. 

In analyzing the findings, security experts reasoned that threat actors had likely spent several weeks inside the victim’s network, waiting for the “right moment” to maximize the impact of their attacks. In the education sector, the “right moment” is the start of the school year.

Right before Q3, threat actors try to inflict maximum chaos. They apply pressure to districts, which are more inclined to pay the ransom to quickly minimize disruption and restore system access. This strategy was particularly effective in 2020, with so many districts relying heavily on systems to facilitate distance learning during the pandemic. Here are three ways in which educational institutions can experience disastrous data loss:

  1. Portable devices with weak data protection policies are exposed to network infiltration.
  2. Diverse operating systems and devices that students inevitably connect to an institution’s network or online portals, with no centralized platform that can work across all of them and thwart risks.
  3. Knowing what sensitive data exists, and having transparency over it, is crucial to a data protection strategy. Institutions must know what they need to protect.

Netenrich’s free and comprehensive threat intel platform, KNOW, collects intelligence from technical sources and billions of data points across several million online sources and open-source threat intelligence (OSINT). 

Receive critical context for immediate action, monitor active & relevant cybersecurity threats, and get the latest threat intelligence news and look up indicators directly from your mobile phone. 

KNOW how to not be a hostage 

Let’s identify cybersecurity threats impacting the education sector. 

#1 Ryuk 

Ryuk ransomware first appeared in August 2018 and, while not incredibly active across the globe, at least three organizations were hit with Ryuk infections during the first two months of its operations, landing the attackers about $640,000 in ransom for their efforts. Ryuk itself possesses functionality that you would see in a few other modern ransomware families. This includes the ability to identify and encrypt network drives and resources, as well as to delete shadow copies on the endpoint. By doing this, the attackers disable the Windows System Restore option for users, and therefore make it impossible to recover from the attack without external backups.
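
The shadow-copy deletion described above is one of the few Ryuk behaviours a defender can catch before encryption completes. The following is an added detection example, not Netenrich or KNOW code: it runs simple command-line rules over constructed process-creation events in an assumed, simplified key=value log format and flags only destructive verbs, so routine admin queries stay quiet.

```python
import re

# Constructed sample process-creation events (not real telemetry) in a
# simplified key=value form. Real sources would be Windows Security 4688 or
# Sysmon Event ID 1; only the command line field matters to the rules.
SAMPLE_EVENTS = [
    'ts=2021-01-05T08:02:11Z host=LAB-WS01 user=jdoe cmd="notepad.exe C:\\Users\\jdoe\\notes.txt"',
    'ts=2021-01-05T08:03:40Z host=LAB-WS01 user=jdoe cmd="vssadmin.exe list shadows"',
    'ts=2021-01-05T08:04:02Z host=LAB-FS02 user=SYSTEM cmd="vssadmin.exe Delete Shadows /all /quiet"',
    'ts=2021-01-05T08:04:05Z host=LAB-FS02 user=SYSTEM cmd="wmic.exe shadowcopy delete"',
    'ts=2021-01-05T08:04:09Z host=LAB-FS02 user=SYSTEM cmd="bcdedit.exe /set {default} recoveryenabled No"',
    'ts=2021-01-05T08:05:30Z host=LAB-WS03 user=asmith cmd="wbadmin.exe get versions"',
]

# Rule name -> case-insensitive regex over the command line. Each one targets a
# destructive verb, so routine "list"/"get" queries by admins do not fire.
RULES = {
    "shadow_copy_deletion_vssadmin": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "shadow_copy_deletion_wmic": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_catalog_deletion_wbadmin": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disabled_bcdedit": re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
}

def parse_event(line: str) -> dict:
    """Split one key=value line into a dict; quoted values keep their spaces."""
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in fields}

def detect(events) -> list:
    """Return (rule, host, user, cmd) tuples, one per matching rule per event."""
    alerts = []
    for line in events:
        event = parse_event(line)
        cmd = event.get("cmd", "")
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                alerts.append((name, event.get("host"), event.get("user"), cmd))
    return alerts

if __name__ == "__main__":
    # Three of the six constructed events should fire, all from LAB-FS02.
    for rule, host, user, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {host} {user}: {cmd}")
```

A burst of these alerts from one host within seconds, as in the constructed sample, is the pattern worth paging on; a single hit from an administrator's session is more often maintenance.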

Ryuk intel from KNOW  

  • Vulnerabilities: CVE-2020-1472 
  • Risk rules triggered: 7 out of 48 rule(s) triggered 
  • Recently Linked to Threat Research – 6 sighting(s) 
  • Recently Linked to Intrusion Method – 35 sighting(s) 
  • Historically Linked to Threat Actors – Wizard Spider, UNC1878, FIN6, GRIM SPIDER, MixMaster, Hidden Cobra
  • Recent Sandbox Sighting – 20 sighting(s)
  • Historically Linked to Intrusion Method – 99 sighting(s)
  • Historically Linked to C&C Server – 1 sighting(s)
  • Historic Sandbox Sighting – 341 sighting(s) 

#2 Doppelpaymer

Doppelpaymer is a ransomware family that encrypts user data using the RSA-2048 and AES-256 encryption algorithms and then asks for a ransom of 100 Bitcoins to restore the original files. It has mainly targeted the city of Torrance in California’s Los Angeles County. This ransomware not only locks companies out of their computer systems by encrypting files but can also exfiltrate company data and use it as collateral. It appends a .locked extension to each of the encrypted files, while newer variants mark data with a .doppeled suffix.

Doppelpaymer intel from KNOW 

  • Risk rules triggered: 5 out of 48 rule(s) triggered 
  • Recently Linked to Threat Research – 4 sighting(s) 
  • Historically Linked to Threat Actors – Evil Corp, TA505, Indrik Spider 
  • Historically Linked to Intrusion Method – Brute Force, Data Exfiltration, Spear Phishing, Data Breach, Security Breach, Data exfiltrate, and Double Extortion 
  • Historic Sandbox Sighting – 25 sighting(s)
  • Most recent reference: Any Run Sandbox result for DoppelPaymer.RANSOM 


#3 Sodinokibi 

Sodinokibi, also known as REvil, is a ransomware-as-a-service (RaaS) operation discovered in April 2019. Its multiple infection vectors include exploiting known security vulnerabilities and phishing campaigns. Sodinokibi encrypts a user’s files and can gain administrative access by exploiting a vulnerability in Oracle WebLogic (CVE-2019-2725).

Sodinokibi intel from KNOW

  • Risk rules triggered: 7 out of 48 rule(s) triggered 
  • Recently Linked to Intrusion Method – Credential Stealing
  • Historically Linked to Threat Actors – Carbanak, Gold Southfield
  • Recent Sandbox Sighting – 29 sighting(s)
  • Most recent reference: Any Run Sandbox result for Sodinokibi.exe
  • Historically Linked to Intrusion Method – Double Extortion, Phishing, Data Exfiltration, Spam, Phishing Campaign, Exfiltrate data, Data exfiltrate
  • Most recent reference: The Gootkit information-stealing Trojan has once again surfaced a year later joining REvil Ransomware in a new campaign to target WordPress sites in Germany.
  • Historically Linked To C&C Server – C&C Server
  • Historic Sandbox Sighting – 1178 sighting(s) 


Security for education – Simplified 

Netenrich has helped thousands of customers gain a powerful combination of Threat and Attack Surface Intelligence – led by machines and powered by security experts. We also make it easy with rapid onboarding to “security-first” managed and SaaS-based solutions backed by proven expertise. 

Working with us can help you: 

  • Identify hidden risks to your institution on the public Internet
  • Gain information about cybersecurity threats in a minute versus hours
  • Act on the most critical threats first
  • Increase agility with modern Ops for modern networks and applications
  • Trade blind spots for unified visibility
  • Shift spend from Ops to transformation with AI freeing experts to do expert things 

Our Intelligent SOC solutions help find and plug the holes in your digital attack surface. Try Netenrich’s Resolution Intelligence now! 

About the Author

Tanuj Mitra

Tanuj is a storyteller whose ideas and snackable insights are in-sync with dynamic IT operations and modern networks. He likes to develop content that's smartly worded, clutter-breaking, and easy to digest.
