Just three days after the Cybersecurity and Infrastructure Security Agency (CISA) warned of ransomware attacks over holiday weekends, Howard University was hit with one over Labor Day weekend.
And six days later the entire University is still trying to recover.
Howard was forced to cancel all classes on Tuesday, September 7th, after its IT team discovered "unusual activity" on the university's network. The physical campus is currently closed to everyone except essential workers.
The university says it is working with Enterprise Technology Services (ETS) to mitigate potential criminal activity and that it made the decision to shut down the university's network.
In a statement regarding the situation, the university says that the cloud saved the day for some:
"Campus Wi-Fi will remain down until we determine the best and safest path to stand it up. Some applications are stored in the cloud and will remain active and accessible. You will be able to access them in the usual manner. If you are not able to access apps, please know that it is an intentional effort being performed by ETS, and there is no reason to call the Help Desk to try to get it up and running."
That last line is an interesting strategy to try to reduce workload at the help desk, isn't it?
So far, the investigation has found no evidence that personal information was accessed or exfiltrated.
One of the more challenging aspects of handling a ransomware attack is how the organization communicates the unfortunate news to its employees, customers, investors, etc.
The affected stakeholders want a swift response, especially when it involves something like taking down the entire network, as Howard has chosen to do. But the reality is it will take days, weeks, or even months to appropriately mitigate the attack.
CISOs might want to take note of the wording Howard's COO used in his message:
"ETS and its partners have been working diligently to fully address this incident and restore operations as quickly as possible; but please consider that remediation, after an incident of this kind, is a long haul—not an overnight solution."
It is important to let your people know you are doing all that you can, but ransomware attacks are complex and take time to sort out. If they were easy to remediate, you wouldn't hear about a new one every single day.
The communications around the incident also spell out the cadence that students and faculty can expect for future communications.
"Each day at 2 p.m., we will let you know the status of campus operations for the next day."
The COO also took time to put the incident into perspective:
"This is a moment in time for our campus when IT security will be at its tightest. We recognize that there has to be a balance between access and security; but at this point in time, the University's response will be from a position of heightened security."
The university says all in-person classes have resumed, but online and hybrid classes remain suspended, as the school works through its emergency management response.
Faculty who teach hybrid and remote classes have been instructed to remain remote, as no Wi-Fi is available in six of the eight dorms on campus.
The university's COO provided this message to the campus community:
"We are continuing our full assessment of all University academic, communications, and service systems for vulnerabilities. Our response committees are currently developing an isolated server environment that will allow protected online and hybrid instruction.
Faculty, staff, and students should soon expect audits concerning devices and access credentials associated with University work and operations. These audits will require sweeping of phones, laptops, and other digital work tools, which may be susceptible to data breaching. All University usernames, email addresses and other login credentials will be verified for authenticity, access privileges, and activity.
We will continue to keep you updated on expected timelines for the restoration of campus wireless access. We are working on standing up WiFi in the safest environment possible."