Ransomware the final nail in coffin for small university

A December attack against a long-standing US college has pushed the institution to permanently close.  After 157 years, Lincoln College, the rural Illinois university with an average of 1,100 students, is shutting its doors following years of rapid decline triggered by COVID-19 and compounded by the ransomware attack. The …

  1. NoneSuch Silver badge
    Coat

    Their budget was probably limited due to the other issues. However, backups are cheap and some solutions are even free. I worked for a charity at one point with a ridiculous budget, but we never missed a backup.

    1. usbac

      I'm sure "lack of budget" was the excuse for not having any backups. The real reason was most likely "I just can't be arsed to do it".

      As the OP said, there are ways to do basic backups very cheaply if someone is interested in trying...

      If they could afford to pay the ransom, they could have afforded decent backups. These days, $100K will buy a lot of backups! I back up critical data to Amazon Glacier, and my AWS bill is $0.30 per month!

      1. Version 1.0 Silver badge

        Making Backups is a good safety procedure but when Malware invades an institution and gets everywhere then it's a hell of a lot of work to eliminate it and clean absolutely everything before you can start restoring the backed up data. If you are a University then you are a huge collection of different data environments so maybe the data is "safe" but it's going to be months before you can restore everything ... and that's months of being unable to be a University so I understand their response, I don't think they had a choice.

        1. John Brown (no body) Silver badge

          "If you are a University then you are a huge collection of different data environments"

          Or, in this case, a small college calling itself a university and a student count about the size of an average UK secondary school. Having worked with quite a number of UK secondary schools over the years, they all have backup systems in place of one sort or another.

        2. MachDiamond Silver badge

          "If you are a University then you are a huge collection of different data environments"

          .... and should know that it's a really bad idea to tie all of those environments together in a way that one vulnerability takes the whole castle down. If the attack hit just the fund raising data system, it shouldn't be hard to purge and restore. Tedious and time consuming, of course, but achievable.

      2. big_D Silver badge

        It isn't just a case of no backups, a lot of malware groups know about backups and they infiltrate the backup infrastructure as well, corrupting/stopping the backups, while the systems still report that the backups worked.

        Even if you are making daily backups, if you aren't regularly checking their validity, you can't be certain you have a backup.

        Also, how long were they in the system, before striking? Restore your systems, and they go down again, because it was in the backup somewhere.

        The only safe way is to re-build from fresh media (preferably on fresh hardware, especially disks, but firmware on motherboards can also be compromised), configure and then restore critical data quickly, but not OS or application executables. Then run a thorough check of everything that has been rebuilt and restored, to ensure no known instances of malware are lurking, then bring the systems back online.

        Then you can work through restoring the non-critical data in a slow and safe manner.

        But, how far back must you go? Days? Weeks? Months? If they have been in your systems for months, restoring from yesterday's or last Friday's backups possibly isn't going to help much - depending on how the malware spreads and whether it slowly encrypts non-critical data, for example, before hitting current data and causing everything to go down. That is assuming your backups aren't compromised.

        Without knowing the specifics, you can't just say, they couldn't be bothered with backups...

        1. W.S.Gosset Silver badge

          Spot on.

    2. rnturn

      Re: Having backups

      How far back does an organization have backups? The school could have been infected with the malware long ago and it was only recently activated. What if all your backups contain the malware?

      (Full disclosure: I know a faculty member of the school who recently retired from teaching. Not sure as to his reasons and whether the discovery of the malware and the ransom played a part in his decision to leave but interesting timing on his part.)

      1. doublelayer Silver badge

        Re: Having backups

        That is a risk, but there are methods to disinfect the backups before restoring them. It doesn't guarantee success, but it's still more likely to work than paying for decryption. This works better when the encrypter in use has been analyzed and can be detected on a filesystem.

        1. big_D Silver badge

          Re: Having backups

          This is assuming they didn't compromise the backup infrastructure and they had usable backups and not encrypted blobs that were totally useless...

          1. doublelayer Silver badge

            Re: Having backups

            True, but in order to have usable backups, you have to test them. You should also have cold backups that are kept offline. If you did either of these, the chances are good that you can use them with some work. If you did both of these, you probably have functional backups in that case. You can't encrypt a backup after it's been written to a tape and is sitting on a shelf, and if you encrypted it before it was written, a test will demonstrate this.

      2. usbac

        Re: Having backups

        When recovering from a malware infection, you NEVER restore any executable files. You reload from known good sources, and then restore the data from copies of your backups (after they have been scanned for malware). Your "original" backups should never be placed online for restoration.

        Yes, I know that reloading everything takes time. But, if you have a proper disaster recovery plan, you have full documentation of all of your configurations as well as copies of all software that needs to be reloaded.

        This university should have been able to restore at least their basic admin systems within a few days.

        Paying the ransom only funds more cyber-crime, and needs to be stopped. As long as organizations can just pay the ransom, and go on about their business, this will never stop.
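Several of the points above (big_D's warning that backups can be silently corrupted while the job still reports success, doublelayer's "you have to test them", and usbac's rule of restoring data but never executables, and only after scanning) come down to checks that can be automated. The following is an added example, not code from the thread or from any named product. It assumes a hash manifest is recorded at backup time and kept on separate offline media, flags files whose bytes look like ciphertext using Shannon entropy (with an assumed exclusion list for formats that are high-entropy by design), keeps executables out of the restore set, and picks the newest snapshot that still verifies. The Monday/Friday scenario, file names and suffix lists are all constructed for the demo.

```python
"""Backup validation sketch (constructed example, not from the thread):
hash-manifest check, encrypted-blob detection by byte entropy, data-only
restore selection, and picking the newest snapshot that still verifies."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Formats that are high-entropy by design; an entropy flag on these would be
# a false positive, so they get the hash check only. (Assumed list.)
COMPRESSED_SUFFIXES = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".pdf", ".docx", ".xlsx"}
# Executable content is reloaded from known-good install media, never restored.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".msi", ".bat", ".ps1", ".sh", ".vbs", ".js"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits near 8.0, text well below 6


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Hash every file at backup time. Keep this manifest on separate, offline
    media so an intruder on the backup host cannot rewrite it to match tampered files."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare a backup copy against its manifest and sort files into buckets."""
    report = {"missing": [], "modified": [], "suspicious": [],
              "skipped_executable": [], "restorable": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        data = p.read_bytes()
        modified = hashlib.sha256(data).hexdigest() != expected
        suspicious = (len(data) >= 256
                      and p.suffix.lower() not in COMPRESSED_SUFFIXES
                      and shannon_entropy(data) > ENTROPY_THRESHOLD)
        if modified:
            report["modified"].append(rel)
        if suspicious:
            report["suspicious"].append(rel)
        if modified or suspicious:
            continue
        if p.suffix.lower() in EXECUTABLE_SUFFIXES:
            report["skipped_executable"].append(rel)
        else:
            report["restorable"].append(rel)
    return report


def is_clean(report):
    return not (report["missing"] or report["modified"] or report["suspicious"])


def last_clean_snapshot(reports):
    """reports: [(label, report), ...] ordered oldest to newest.
    Returns the label of the newest snapshot that verified, or None."""
    for label, report in reversed(reports):
        if is_clean(report):
            return label
    return None


def demo():
    """Constructed scenario: the Monday copy is intact; by Friday the encrypter
    has reached the backup volume and overwritten the ledger in place."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_text("date,amount\n2022-04-01,100.00\n" * 20)
        (root / "notes.txt").write_text("Rebuild OS from media first, then restore data.\n" * 10)
        (root / "tools").mkdir()
        (root / "tools" / "helper.exe").write_bytes(b"MZ" + b"\x00" * 300)  # constructed stub
        manifest = build_manifest(root)  # recorded at backup time
        monday = verify_backup(root, manifest)
        (root / "finance" / "ledger.csv").write_bytes(os.urandom(4096))  # simulated tampering
        friday = verify_backup(root, manifest)
        return {"monday": monday, "friday": friday,
                "restore_from": last_clean_snapshot([("monday", monday), ("friday", friday)])}


if __name__ == "__main__":
    for label, rep in demo().items():
        print(label, rep)
```

The entropy check is a heuristic, not a malware scan: it catches whole-file encryption of text and structured data, which is what most encrypters do to a backup volume, but it says nothing about a dormant executable or a tampered office document that stays within its normal byte distribution. That is why executables are never in the restorable set and why the manifest has to live somewhere the backup host cannot write.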

        1. Stuart Castle Silver badge

          Re: Having backups

          Re: "Paying the ransom only funds more cyber-crime, and needs to be stopped. As long as organizations can just pay the ransom, and go on about their business, this will never stop."

          I always wonder why people suddenly trust the people who've just broken in to your systems and encrypted part (or all) of them. Or those who created the software they used.

          They care little enough about you, your situation and data that they are willing to break the law to stop you accessing it. They aren't suddenly going to worry about being less than honest when it comes to helping you afterward.

          Still, when you are a system admin looking at having lost all your company's data and have no other way out, it's probably easy to hope they are being honest.

          1. Steve Aubrey

            Re: Having backups

            "An honest politician is one who stays bought"

            Same for ransomware gangs?

        2. katrinab Silver badge
          Paris Hilton

          Re: Having backups

          My documentation is mostly a set of csh, bash, and powershell scripts to install and configure everything, with some text notes for things that can't be easily scripted.

    3. big_D Silver badge

      Also, where was the disaster recovery plan, with the manual steps required to keep the university going, until digital systems were back online?

  2. VoiceOfTruth

    Reading a bit further they didn't seem to get a lot of financial support

      They hoped to raise $20 million via GoFundMe, but got $777. It's hardly a great endorsement.

    1. Anonymous Coward
      Anonymous Coward

      Re: Reading a bit further they didn't seem to get a lot of financial support

      To keep a small institution like that going you've got to have a unique selling point - ultra selective intake for some specialty (music, medicine etc) or social group (that has either wealthy students or wealthy donors to keep it afloat). It looked to me that they suspected the writing was on the wall before the pandemic, the loss of students because of the pandemic was what finished them off, and the only effect of the ransomware was that they didn't get the business plan bad news sooner. Probably the only salvation would have been a merger with (takeover by) some other Uni, I guess there was no obliging party.

  3. Anonymous Coward
    Anonymous Coward

    Universities seem to be common targets/victims of ransomware and probably for similar reasons. They are all generally early adopters of computers, but often form a poorly managed setup due to the "heading cats" problem of academics with organically grown 1001 unusual computer needs, and the usual problem of limited budgets for actual IT professionals to support it. With both staff and students having internal access it is very easy for malware to get in, and usually the Windows-basis for most stuff and poor network segmentation makes it pretty easy to get around once your phisherman has done their job.

    Sad to see any institution go, but I guess this one must have been on its way down and out long before the attack.

    1. VoiceOfTruth

      -> the Windows-basis for most stuff and poor network segmentation makes it pretty easy to get around once your phisherman has done their job.

      I'm going to stick my oar in here. If you look at the history of some of these universities (not this one in particular), they used to have a lot of in-house experience and knowledge. Using Carnegie Mellon and Cyrus IMAP or Cambridge and Exim as a couple of examples, what did they do? They farmed it out to Microsoft. Whether the staff left or went on to other things is not the point. They basically threw that expertise away. They have become buyers-in of technology, not much different in many respects to home users. The knowledge in-house to say 'wait a minute, that is not a good idea' has gone. And it shows.

      1. katrinab Silver badge

        People at Cambridge for example will undoubtedly have extensive knowledge on the latest programming techniques and so on. That is not the same as systems administration.

        1. doublelayer Silver badge

          A lot of universities that came early to computing knew a lot about administration because they couldn't buy in management of all the equipment. This is why most universities I know about have two essentially disconnected networks: the main one with all the university web apps, campus workstations, and student emails, and the one run by the computer science department, which does all the same things but only for those students and occasionally other important systems. For example, I've seen where the CS admins maintain the HPC systems, even though it's mostly the other sciences using it. There are a few exceptions where, when the universities needed administration, they expanded what they already had, but most appear to have taken a more basic approach.

    2. StewartWhite
      Joke

      "heading cats"?

      I thought herding cats was difficult enough but the "heading cats" problem seems even trickier to me.

  4. Anonymous Coward
    Anonymous Coward

    could I be hearing Queen singing?

    I bear no ill will towards anyone associated with that college, but I think there are many too many colleges and universities in the US, and if 1/2 of them shut down after this semester, I wouldn't care at all.

    1. IGotOut Silver badge

      Re: could I be hearing Queen singing?

      Maybe if you didn't have to have a truck load of cash to go to one, they may be a little more successful. But gotta keep the poor people down

      1. oiseau Silver badge
        Facepalm

        Re: could I be hearing Queen singing?

        ... if you didn't have to have a truck load of cash to go to one ...

        Actually, if college education and student loan corporations were not such solidly established businesses in the US.

        Because ...

        God Almighty forbid that college education were to become a right and/or subsidised by the federal government.

        ie: instead of dealing out tax cuts for billionaires and financial bail-outs from the FED for investment banks who gamble with other people's money and end up losing it all, only to end up giving out millions in premiums to the greedy assholes who caused the mayhem.

        Just a thought.

        O.

      2. To Mars in Man Bras!
        Headmaster

        Re: could I be hearing Queen singing?

        Come to the UK. Since Higher Education became a commodity here, you can get a government loan to go to university. And the admission standards are so low --to keep the punters coming-- that you can pretty much get in just by being able to spell your own name.

      3. Cliffwilliams44 Bronze badge

        Re: could I be hearing Queen singing?

        It's not about "keeping the poor people down"! The university system in America has become a massive gravy train for the Privileged Academia! Every time the government creates another grant or loan program the cost of education goes up! Add to that we've had 40 years of this "everyone needs to go to college" nonsense in the US coupled with a deliberate decline in the quality of public education. A high school diploma is worthless in the US. We have eliminated all trade training in high schools. Causing this training to be moved to expensive secondary trade schools that 60% of them are crap scam schools.

        The push to get every child into college has resulted in 30% of students dropping out and many of them with debt they have no degree to earn money to pay it back. This isn't some "evil rich corporation not paying their fair share" problem. It is a deliberate policy of the left that funnels money into one of their biggest constituencies and saddles vulnerable people with crushing debt.

    2. david 12 Silver badge

      Re: could I be hearing Queen singing?

      They are shutting down. All the small universities like this one are getting squeezed out and shut down.

      That only leaves Big Education. The Googles and Amazons of the education sector. If this is a good thing or a bad thing is up for debate.

  5. chivo243 Silver badge
    WTF?

    Not the crime of the 60s and 70s

    I remember when you took something hostage or hijacked the plane because they had deep pockets, and you stood to gain from it. This sucks plain and simple. As a native of Killinois, Smellinois call it what you like, I feel bad for Lincoln U. So long...

    1. John Brown (no body) Silver badge

      Re: Not the crime of the 60s and 70s

      Odds are the ransomware gang neither knew nor cared that it was a small institution with barely any budget. From their point of view it was just another "rich American university", and therefore a juicy target.

  6. Anonymous Coward
    1. doublelayer Silver badge

      Re: Just saying

      This page indicates no CVEs for Z/os. It doesn't indicate that Z/os doesn't have security issues. If it didn't, there would be little use for the portal IBM has for announcing them:

      IBM Z offers a Security Portal that allows clients to stay informed about patch data, associated Common Vulnerability Scoring System (CVSS) ratings for new APARs and Security Notices to address highly publicized security concerns.

      It's possible that IBM doesn't particularly want the publicity of announcing detected vulnerabilities. I cannot see anything important on this portal because I am not a registered customer.

      In addition, a CVE is not needed for ransomware to work. I can log into an account to which I have access and run a program to encrypt stuff. The only vulnerability involved is whatever gave me access to that account, which could be in the user who gave out the credentials, the authentication mechanism that was easier to crack, or the administration process that made obtaining privileges simpler. So if your implication was that this couldn't happen if they used Z/os, you're wrong. It couldn't happen in exactly the way it did as the attackers probably weren't trying for it, but it would have been possible.

  7. Marty McFly Silver badge
    FAIL

    Deflecting blame

    Ransomware makes a convenient scapegoat for the continual mismanagement of higher education. Tuition, room, board was running well over $27k/year at Lincoln. The college offered degrees like "Bachelor of Arts in Jazz Studies". Just what is a graduate going to do with that degree to pay back over $100k in college debt?

    Modern colleges & universities have become a debt-fueled 4-year perpetual party to fill the gap between leaving home and needing to become responsible for oneself. And once that responsibility hits it is quickly followed by the realization that Jazz Studies wasn't such a good investment. Graduates can only move south to New Orleans and get a job telling people that 'Grande' means 'Large' while moonlighting with a microphone at a bar a mile from Bourbon street.

    That is where the college failed. Students got smart. They realized the debt + a Bravo Sierra degree got them nowhere.

    (Full disclosure. I graduated some decades ago from a different upper-Midwest small college, and with a more traditional degree. I am sad to watch my alma mater making the same stupid mistakes, blind to the real world outside their campus.)

    1. A Nother Handle
      Coffee/keyboard

      Re: Deflecting blame

      In my infrequent experience of buying big-brand coffee, grande now means regular (which used to be small).

    2. Grinning Bandicoot

      Re: Deflecting blame

      You've closely nailed it in describing it as fraud. Way back when digital meant abacus the loan for R&B plus training were called indentures but were not as onerous. Kid hears that a real talent exists in ceramics - "Go to school -- Get a degree". So the poor snook applies at a college financing the whole thing and in four years and some months has a BFA in one hand and the other a request to establish a repayment plan for the four years. Meanwhile back in the old neighborhood his pal goes over to the Mason's Union, gets an apprenticeship, works his hinny off and at the four is a journeyman making 5 or six times what our BFA will be making for the next few years and without that stinking Albatross of debt about the neck.

      A part that missed was about the conservative planner who saved and planned, tracked trends. In other words had a business plan for education. Goes to school and the school raises its fees (and finds a few new ones), text costs are raised and otherwise manipulated because most students on loans never see the bill like the planner. The planner who the sort needed is stuck with surrender (get a loan), quit (leave school and toil with the rest of us awhile looking back) or fight on while sinking.

      Along come the POLITICOs. The same ones that created the loan programs who now nod in a sagacious manner and Vote for me and I fix this mess created by __________. It is not your fault (that you did listen to the words of repayment). Vote for me and I will pass legislation saying your degree must be recognized. BUT MOST IMPORTANTLY VOTE FOR ME

      As I was declawing this I wondered what school T. A Edison or George Westinghouse attended?

  8. fpx
    Facepalm

    The article says that it cost them less than $100,000 to restore their systems and that they then faced a budget shortfall of $50,000,000.

    So this is like blaming the mint for the belly explosion.

    1. Kane Silver badge
      Thumb Up

      "So this is like blaming the mint for the belly explosion."

      Waffer Theen Meent?

  9. Zebo-the-Fat

    Question...

    Question.. why is Lincoln College shuttering, what's wrong with shutting? Shuttering seems to be a weird made up word that appeared in the last year or so!

    1. J.G.Harston Silver badge

      Re: Question...

      Shuttering is what you do when you're pouring concrete. Maybe that's what they're doing.

    2. david 12 Silver badge

      Re: Question...

      I think they used to have shutters on homes in the UK, but not so much as in the USA. So when you close up, empty out and lock down the building, one of the last things you do is close the shutters. It blocks the light, but it protects the windows and interior.

  10. quadibloc2

    The Real Problem

    The real problem is that it was possible for the ransomware to operate on the institution's computers.

    It should not have been possible for any unauthorized programs to install themselves without seeking permission from the user.

    Why isn't Windows secure? That is the question we should be asking.

    The last time anyone lost data due to ransomware, a hundred years from now, should be a hundred years ago, so that it will be understandable people don't bother making backups for that reason. (They should still make backups for other reasons, like computers being destroyed in a fire or struck by lightning.)

    1. doublelayer Silver badge

      Re: The Real Problem

      You have two problems, both large.

      "Why isn't Windows secure? That is the question we should be asking."

      Why do you assume it's Windows? You can run programs on everything else as well. Those programs can read, write, and delete files which is all you need for ransomware.

      "It should not have been possible for any unauthorized programs to install themselves without seeking permission from the user."

      Why do you assume it did? Maybe it got permission from a user who didn't understand what it was. This is quite frequently the mode of initial infection. Alternatively, it could exploit a hole left by a user, such as an open SSH or RDP port with insecure authentication. Do you assume that every infection requires an OS vulnerability to succeed? That happens, certainly, but it's far from the majority.

    2. Cliffwilliams44 Bronze badge

      Re: The Real Problem

      The real problem is not Windows! It's the humans looking out the windows.

      In many of these instances it is either that 1 person or persons has access to ALL the organization's data. It is most often someone who absolutely should not! Some executive level person who only has that access "because they be impotent!" Or it is that inter-computer security is lax or broken. Once after a merger it was discovered that the company we merged with had a Group Policy that made Domain Users administrators of EVERY computer. When I said "This must end" I got an argument that I didn't understand that there are applications that cannot work without Administrator rights. To which I called BS on that and even if you need it you make the USER administrator, NOT EVERYONE!

      It's not just having backups. It's a complete security posture. But if you don't secure your biggest risk, YOUR PEOPLE, then you have no security at all!

  11. Pascal Monett Silver badge

    "Was the university doing all it could to secure its systems and users?"

    Probably not.

    I doubt that most Universities have the competent people on the payroll to effectively manage the complexities of such a specific environment. I have not had many dealings with Universities, but every time I have, it was always ad-hoc solutions implemented because they allowed things to work. Security? The best case answer was "we're talking about reviewing things in the budget meetings, but for the moment, we don't have the money".

    One down, plenty more to go.

  12. MachDiamond Silver badge

    I really love dead trees

    I learned my lesson about backups ages ago. All my important data is backed up in a few different ways and none of them via somebody else's system. For things like accounting, I print a session report each day when I close down the software. If I had to, and I did once, I could re-enter all of that data by hand from when my last back up was if I needed to. Important data also gets written to two separate internal drives which is a reason I like computers with room for that. Bugger the all-in-ones with space for one drive. It just means another box for more external drives and another few cables under the desk magnetizing my man parts.

    Paper is a good backup for some things like accounting. Some of us old folks still see the value in paper checks.

    1. Cliffwilliams44 Bronze badge

      Re: I really love dead trees

      "Some of us old folks still see the value in paper checks."

      All the information a criminal needs to steal all your money is on a paper check.

      Routing number and account number! The most dangerous thing you can do is send a check through the mail or give one to someone you don't absolutely trust!
