Ransomware attacks are now considered one of the biggest threats facing higher education institutions. Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.

In recent years, ransomware attacks have increasingly become more sophisticated, focused, and expensive. Criminal actors behind ransomware attacks now understand that backup infrastructure is typically viewed as an insurance policy for organizations. As a result, attacks are exploiting weaknesses associated with backups, making it a prime target for attack. Organizations can no longer simply rely on encrypting backups as a mechanism to protect the integrity of backups; the attackers’ motivation now seems to be focused on deleting the backups altogether and corrupting the backup system. Several types of ransomware, such as Locky and Crypto, are known to destroy shadow copies and restore point data, making backup infrastructure easy prey for hackers rather than a defensive tool for organizations.


  • Implement user awareness/training mechanisms for potential ransomware, including guidance and communication, newsletters, and participation in phishing simulation exercises (if appropriate)
  • Implement a technical solution to reduce the threat of malicious links/files via e-mail (e.g., Proofpoint or other email scrubbing technologies)
  • Implement a technical solution providing protection of endpoints to prevent and/or detect ransomware attacks ((e.g., CrowdStrike or equivalent solution)
  • Ensure that personal devices connecting to the network do not introduce unknown risk.
  • Select an overall backup strategy that provides redundancy and significant protection from a ransomware event. For example, the best practice of the “3-2-3 rule” would have 3 copies of data (one production and two backup copies), 2 different backup media types, and 3 geographically separate off-site locations
  • Limit user access to appropriate administrator functions such as add/remove/change backup schedule, add/remove assets, and ability to delete backup sets
  • Implement effective vulnerability management processes and controls – e.g., patching systems and identifying potential vulnerabilities on critical systems
  • Ensure that comprehensive ransomware response procedures exist and relevant users are aware of them and can execute them, if needed