Education needs to study up on fighting ransomware

Schools rank worst at ransomware hit rate, security in general, study says.

It should surprise no one that ransomware is on the rise, but it may be news that education -- not healthcare -- is outstripping other industries for rate of infection, according to a study by security ratings firm BitSight.

Organizations in education had the highest rate of infection, with at least one in 10 experiencing ransomware on their networks, according to “The Rising Face of Cyber Crime: Ransomware” report.

The study looks at businesses in finance, retail, healthcare, energy/utilities, government and education, which are listed in order from best to worst for ransomware infection rate. Education’s score is far behind that of the others, more than double that for government. The rate ranges from 13% of those in education down to 1.5% for those in finance.


They rank in the same order when it comes to overall security posture, the study says.

Based on media coverage of healthcare ransomware incidents (See: “Three more hospitals hit with ransomware”), it might seem that healthcare is hit harder than education, but that is not borne out by the BitSight study. The company used data it gathers to provide security ratings for various industries.

For this study, it focused on just five, analyzing data from 18,996 individual businesses.

“The overall rate of ransomware has more than tripled, and in some cases increased 10-fold, for many industries over the last 12 months,” BitSight found. Education and government show the steepest increases.

The biggest ransomware menace is the Nymaim strain, which affects education the most, with more than 11% of institutions having it on their networks. Nymaim is also the most prevalent strain of ransomware in three other industries examined, but below a 4% infection rate. The exceptions are retail and finance, which are dominated by Locky, but at a rate below 2%.

Nymaim is commonly associated with ransomware, but is also a Trojan capable of installing a range of malware, the study says. Masnu, the third most common ransomware, can also download other malware.

Locky is the fastest-growing strain, having been discovered less than eight months ago and already ranking number two overall for prevalence in the industries examined, BitSight says.


This is how BitSight defined its research methodology:

“BitSight collects and processes vast amounts of data in order to provide the industry standard in Security Ratings. The foundation of this research is built on our ability to accurately identify security events and attribute them to companies, which in turn, enables aggregation across industries. We determine this attribution by identifying the CIDR (Classless Inter-Domain Routing) blocks, domains, and AS (Autonomous System) numbers that organizations own, and then observing the outbound connections from ransomware originating from those organizations’ assets. Customer research shows that our team constructs maps with greater than 95% accuracy, even for companies with hundreds of thousands of IP addresses.

“Using a patented network mapping process, BitSight has mapped more than 54,000 companies. For this study, we focused on six industries, analyzing 18,996 organizations across Finance, Healthcare, Education, Energy/Utilities, Retail, and Government. We measured ransomware infections using data collected and aggregated from several sources. We monitored ransomware infections emanating from these industries using data collected over the last 12 months from organizations that BitSight has mapped and curated. It is important to note that although we can confirm the existence of ransomware infections, we cannot confirm if files within an organization were encrypted or whether or not a ransom was paid.”
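The attribution and aggregation steps described in the methodology can be sketched as follows. This is an added example, not BitSight's code or part of the original article; the organization names, CIDR blocks (documentation ranges), events and function names are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed asset map: organization -> (industry, owned CIDR blocks).
# All blocks are RFC 5737 / RFC 3849 documentation ranges, not real assets.
ASSET_MAP = {
    "Example University": ("Education", ["192.0.2.0/25", "2001:db8:1::/48"]),
    "Example College": ("Education", ["192.0.2.128/25"]),
    "Example School District": ("Education", ["203.0.113.64/26"]),
    "Example Bank": ("Finance", ["198.51.100.0/24"]),
    "Example Credit Union": ("Finance", ["203.0.113.0/26"]),
}

# Constructed observations: (source IP of an outbound ransomware connection, family).
EVENTS = [
    ("192.0.2.17", "Nymaim"),
    ("192.0.2.17", "Nymaim"),        # repeat beacon from the same host
    ("2001:db8:1:5::9", "Locky"),    # same organization, IPv6 asset
    ("192.0.2.200", "Nymaim"),
    ("198.51.100.44", "Locky"),
    ("203.0.113.200", "Locky"),      # in no mapped block: stays unattributed
]

def build_index(asset_map):
    """Flatten the map into (network, org) pairs, most specific prefix first."""
    index = [(ipaddress.ip_network(cidr), org)
             for org, (_industry, cidrs) in asset_map.items() for cidr in cidrs]
    return sorted(index, key=lambda entry: entry[0].prefixlen, reverse=True)

def attribute(ip, index):
    """Return the organization owning `ip`, or None if no block contains it."""
    addr = ipaddress.ip_address(ip)
    for net, org in index:
        if addr.version == net.version and addr in net:
            return org
    return None

def infection_rates(asset_map, events):
    """Share of organizations per industry with at least one attributed event."""
    index = build_index(asset_map)
    infected, totals, unattributed = defaultdict(set), defaultdict(int), 0
    for industry, _cidrs in asset_map.values():
        totals[industry] += 1
    for ip, _family in events:
        org = attribute(ip, index)
        if org is None:
            unattributed += 1
        else:
            infected[asset_map[org][0]].add(org)
    return {ind: len(infected[ind]) / totals[ind] for ind in totals}, unattributed
```

The rate counts organizations, not events, so repeated beacons from one host do not inflate it, and an event that matches no mapped block is tallied separately rather than guessed at.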
