
Educational institutions have not been excluded from the ransomware epidemic, and stakeholder communications are critical to an effective response. In a typical double-extortion ransomware attack, threat actors demand that victims pay a ransom to decrypt systems and to prevent publication of stolen data. However, with a decline in the number of victims choosing to pay a ransom, threat actors are trying different approaches. Post-attack harassment of victims’ students, employees, board members, donors or other stakeholders was once an outlier pressure tactic but appears to be on the rise among some ransomware gangs, and it is often directed toward victims in the education sector, such as universities/colleges and school districts. Increasingly, threat actors contact their victims’ students, employees or others to expose details about the attack in an effort to force a ransom payment. For educational institutions, this growing trend highlights the importance of promptly providing clear, consistent messaging to ensure that they can frame, if not control, the narrative about the incident.   

Threat actors may contact students and employees using contact information found in the files stolen from an institution’s servers to try to coerce the educational institution to pay a ransom. In these communications, a threat actor may claim to have taken a large amount of sensitive data from the institution. The threat actor may assert that they will publish the data online because the school does not care enough about its students to protect the information. This tactic is designed to pressure a ransom payment by creating a panic within the institution’s community as recipients begin questioning administrators and other personnel about the incident or posting about these messages on social media.

Educational institutions, like any ransomware victims, cannot control what a threat actor will do. But there are measures they can take to be well positioned to mitigate the impact of this kind of threat actor harassment.

As an initial matter, providing clear, accurate messaging to students, parents, employees and other community members puts an educational institution in the best position to avoid negative fallout. When, for example, a student first learns of an incident through an email from a threat actor claiming their personal information will be published to the dark web, they may perceive their school as lacking transparency and might distrust any reactive messages the school publishes. Educational institutions that communicate promptly and proactively with their communities to share information about what happened in the attack and what they are doing in response may be inoculated against the negative effects of such harassment.  

Of course, the timing and accuracy of messaging are key to maintaining the community’s trust. Rushing out a message that is light on details can undermine confidence if there are questions that cannot be answered. Vague or inaccurate messages downplaying an incident can be similarly damaging. For example, a victim that communicates that student personal information is not impacted would quickly lose its constituents’ faith if a threat actor emails files or images showing that student data was involved. Initial messaging identifying known facts followed by periodic updates can help reassure the community, prevent administrators from being overwhelmed by questions, and serve as a buffer against incomplete or incorrect social media narratives.

The growing possibility that a threat actor may act out by harassing members of a college, university or school district community underscores the need to move quickly and decisively when investigating and communicating about an incident. Proactively engaging with the community to provide accurate messaging about the incident and response efforts can help build trust, demonstrate a commitment to transparency and reduce the negative effects of such harassment. Educational institutions should develop their strategies for internal and external messaging and communications early in the incident response process and keep these strategies updated as their efforts progress. Outlines and sample messages can even be incorporated into an incident response plan. These messages can be tested and refined in tabletop and other incident readiness exercises. Educational institutions that are able to quickly determine what the message will be, who will deliver it, and when and how it will be sent are likely to be well positioned to stay ahead of threat actors that try to pressure ransom payments by harassing their communities.