Double Blow of Ransomware Attack and Covid-19 Pandemic Shutters 157-Year-Old Lincoln College

Lincoln College, an Illinois Historically Black College & University (HBCU) that was founded in 1865 on then-president Abraham Lincoln’s birthday, has been forced to close its doors after being hit by a crippling ransomware attack. The college had already been facing serious challenges due to loss of enrollment during the Covid-19 pandemic, and a substantial ransomware payment plus remediation costs appear to have been too much additional financial difficulty to overcome.

Lincoln College ransomware attack forces school to close after 157 years of operation

The college had survived the last major pandemic of note, the Spanish Flu of 1918, along with numerous historical adversities such as the Great Depression. It had historically been a small private school, but enrollment had gradually dwindled from 2,361 in 2010 to about 600 after the coronavirus pandemic began.

Already struggling to cover operating costs, the final blow for the school was a December 2021 ransomware attack that crippled systems used for student recruitment, retention programs and fundraising. Employees returned from a two-week break to find that remote hackers had caused the printers to print out ransom notes, with systems locked up by ransomware.

The school says that it paid about $100,000 in ransom to unlock its computers, but did not regain access until March 2022, greatly limiting its ability to enroll new students and raise money for the current academic year. College administrators had been seeking a “transformational donation or partnership” to recover from the ransomware attack and keep the school alive beyond the spring 2022 semester, but did not have time to make it happen. The school’s final commencement ceremony took place on May 8.

As Tim Erlin, VP of strategy at Tripwire, notes: “While there are obviously circumstances beyond the cybersecurity incident at play here, it’s also clear that responding to and recovering from ransomware played a significant role in Lincoln College’s demise. It cost them time, as well as money, to recover. In this case, time was equivalent to the opportunity to perhaps right their ship and save the institution. When you’re already struggling, losing access to operationally important systems for more than a month can easily become a death knell.”

The United States has 107 HBCUs, but relatively few are positioned to serve rural areas; Lincoln College was located between Peoria and Springfield about 167 miles from Chicago. These schools are also strongly concentrated toward the East Coast and the southern states, with only a small handful serving the northern Midwest (and Charles R. Drew University in Los Angeles being the only one west of the Rockies).

The ransomware attack is thought to have originated from Iran, but has not been publicly attributed to a particular threat group or criminal outfit as of yet. Some studies put the average cost of a ransomware attack on a school in the US at about $115,000, roughly on par with what Lincoln College paid, but that does not necessarily account for remediation efforts and lost opportunities that could cost much more. A good example of this is the Baltimore County Public Schools system, which was hit with a ransomware attack in 2019 and ended up spending some $8 million over the course of a year to recover.

Lincoln College part of growing pattern of attacks on educational organizations

While Lincoln College may have taken the most devastating blow of the bunch, it was one of about 1,040 schools in the US hit by ransomware attacks in 2021 (and 26 colleges and universities).

Data was stolen in exactly half of these incidents. Schools are not necessarily the most lucrative target around for cyber criminals, but they are a prime target of opportunity: they tend to have underfunded and understaffed IT teams and defenses, there are more attack vectors with student devices interfacing with school networks, and there is a perception that they will be quick to pay demands to avoid operational disruption. Some schools that have departments doing advanced scientific research are of particular interest to hackers, particularly nation-state backed threat groups engaging in espionage. And even small schools have the payment and identification data of usually hundreds to thousands of students, something that is always valuable to hackers.

Brad Hong, Customer Success Manager for Horizon3.ai, adds some thoughts on why schools are an increasingly popular target for ransomware attacks: “The education sector continues to make for attractive targets as it’s very rare that a university focuses on its cyber security stack as its #1 priority. As the majority of colleges in the US, especially ones who are not focused on protecting the intellectual property of their research institutes, have neither the staff nor the budget to implement next generation cyber tools to combat next generation cyber attacks, the effort to payoff is several tiers lower than any other industry as a whole. With little defense, but high payout monetarily and a huge database of personnel and student personal data, if an attacker is unable to receive payment, the immense amount of human intelligence that can be gathered, especially targeting soon-to-be-workforces, is often enough to satiate the hunger of an attacker. As such, it’s a civic duty for institutes to enforce a strict cyber security process to protect the nation’s next generation of brain trusts … Recent studies have shown that the education sector tied retail for highest level of ransomware attacks, with more than 40 percent saying they were hit by ransomware, 58% had their data encrypted by criminals, 35% paid an average ransom of $112,435, and those who paid were only returned 68% of their data. These staggering statistics paint a picture of educational institutions struggling to float above water as ransomware attack tools become more accessible for criminals. Ultimately, the industry of education as a whole embodies the principle that security and convenience are inversely related.”

From a cybersecurity perspective, schools were also hit particularly hard by the Covid-19 pandemic. They were forced to make a rapid and unexpected transition to all sorts of remote learning services, often not providing enough time to ensure that these new elements were secured properly. The smaller or more rural a school is, the less likely it is to have adequate full-time IT staff tending to its security. The schools are often stuck with paying the ransom demand and hoping for the best as their only realistic outcome, as Lincoln College ended up doing.

What can be done about hard budget realities of this nature? Chris Clements, vice president of solutions architecture at Cerberus Sentinel, notes that staff awareness of expected cyber threats is a huge part of the battle: “To remain safe, organizations must adopt a culture of security that builds cybersecurity awareness and protection into all business operations. Doing so as early as possible is much easier than trying to retrofit security best practices into mature and diverse environments. Getting cybersecurity right is a challenging job, but the ever-increasing risk of damage from an attack means that it must be taken seriously to protect organizations from potentially devastating loss.”

However, Dave Cundiff, CISO of Cyvatar, notes that this becomes more challenging (and less realistic) the larger the school is: “The number of users on a campus for a college makes training of the user population difficult at best and proves to be such a large surface area it is almost impossible to ensure complete coverage. Segmenting networks to prevent lateral movement from systems which do not need access, and proper preventative policy in place on especially the most critical systems, are going to be the balance between cost and effectiveness. Not every device on a campus needs to have the best prevention software, but the main systems and servers which allow the campus to function should at the very least be covered.”