Following a Freedom of Information (FoI) request from endpoint security firm SentinelOne, it is suggested that 56% of UK universities have been the target of a ransomware attack in the last year.
“One university admitted that it had suffered a total of 21 separate attacks throughout the year,” reads the SentinelOne announcement. No university “confessed to paying a ransom”, while the ransom values “ranged between £77 and £2299 (5 bitcoins).”
“The fact that all but one of those suffering a ransomware attack had an anti-malware solution installed, confirms the abject failure of traditional solutions to protect against the new, virulent strains of ransomware,” concludes SentinelOne’s chief of security strategy Jeremiah Grossman.
But surveys are difficult, and asking the right questions is tricky. Without the right questions, you will always get the wrong answers. It is perfectly possible to look at the published results of the survey and draw a completely different conclusion.
The biggest single error is that the term ‘attack’ does not indicate whether the attack was detected and/or neutralized by installed anti-malware software, or whether it successfully encrypted the victim’s data. There are clues in the results, but nothing specific. For example, an attack would have to be successful for the victim to receive the ransom demand specifying the ransom amount.
According to the survey, only four universities ‘recorded how much was demanded’ (two were for 5 bitcoins, one for 3 bitcoins, and one for $100). Does this suggest that in only four cases the attack was successful? If this is true, it would be misleading to claim the ‘abject failure of traditional solutions’ since those traditional solutions succeeded in stopping 52 out of 56 attacks in the last year. The reality is that neither conclusion can be justified because the survey does not differentiate between being targeted by ransomware and being encrypted by ransomware.
Another ‘clue’ over the success or failure of the attacks can be found in the sheer volume of attacks against some of the universities. Bournemouth University admitted to being targeted 21 times during the year. But Bournemouth also recorded the ransomware demand of $100 — suggesting that at least one of the attacks was successful.
Conventional wisdom is that institutions are specifically targeted with higher ransoms, while consumers are mass-phished with lower amounts. $100 would hardly provide criminal ROI for a targeted attack — in turn suggesting that Bournemouth is an anomaly: it was hit 21 times by a mass ransomware attack (probably along with thousands of consumers) of which just one succeeded. Or it could simply be one student’s response to getting bad grades, doing it out of annoyance rather than to make money. We don’t know. This survey asks neither sufficient nor meaningful questions from which we can derive any meaningful conclusions.
The one positive point — at least for Europol, which says ‘don’t pay’ — is that none of the universities actually paid a ransom. Sadly, we cannot even draw that conclusion.
“Of the 71 universities contacted by SentinelOne, thirteen refused to answer because their response could damage their commercial interests,” says the report.
It is very tempting to suggest that nothing in this survey could damage ‘commercial interests’ more than publicly admitting to having been hacked. It is quite possible to suggest that rather than 0% of UK universities have paid a ransom, 18% have done so.
The reality is that there is not enough information in this survey to come to any conclusion about the prevalence and effect of ransomware in UK universities.