#ExpectRansomware

Malicious actors use ransomware attacks to lock users and organizations out of data and infrastructure. They then demand payment to return access and/or not expose affected data. Ransomware can have an immense impact on an organization — from shutting down operations to the loss of years of research data. In 2020, a U.S. Research University paid $1.14 million USD to recover research data.

The Canadian Centre for Cyber Security reported that in the first six months of 2021, ransomware attacks worldwide increased by 151 per cent compared to 2020. In 2021, 1,043 educational institutions in the US were affected by the 88 ransomware incidents. More than half of the incidents resulted in employee-student information being released online.

Due to the current geo-political situation there could be further increase in ransomware attacks that may cause significant damage to the University and its community. It is critical for the University of Toronto units and individuals to understand the risk and be well prepared to prevent and effectively respond to ransomware attacks to limit their impact.

How can we pro-actively reduce the likelihood of a ransomware event?  

There is not one approach that will mitigate all risk. Plans must take into account specific technology, threats, use of data, and ability to enable active protections.

Realistically, it is best to plan equally for protections to prevent a successful ransomware attack and planning in the unfortunate event of a successful attack.

At a minimum, in priority order:

Guidance for Units

Prepare 

Protect Data

  • Ensure there are ransomware resilient backups. This includes testing your backups.
  • Encourage users to use managed data storage, such as Microsoft 365.
  • Review data retention policies. Keep data no longer than needed for business requirements.
  • Perform information risk assessments of all unit systems, starting with systems with high priority research and administrative data to understand specific gaps.

Protect Devices 

Protect Users

  • Promote the use of UTORMFA.
  • Identify users to enroll in Microsoft 365 advanced threat protection.
  • Provide minimum security awareness training for all, and advanced content for expert users, and  simulated phishing for high risk users.

Protect Inter-Connected System

  • If you run your own Active Directory, ensure it is hardened specifically for ransomware attacks.
  • If you run unix-based systems, ensure you are effectively using and managing ssh keys to prevent pivots.
  • Use the least privileged account for any action e.g. limit the use of administrator credentials for non-administrative work. In Active Directory environments, use a Three Tier approach.

Guidance for Individuals

Especially these days of remote work, it is important to treat your personal and professional use of technology in comparable ways.

See detailed guidance at Remote Security Matters.

  • Protect your data
    • Back up your data!
      • Use managed storage services to store your important documents and loved items like photographs.
      • If possible, keep an “offline” copy of files.
  • Protect your devices
    • Use anti-virus software.
    • Ensure all devices are updated regularly for security vulnerabilities.
  • Protect yourself

Resources