Howard University Ransomware Attack: Investigation and Network Recovery Updates
Howard University has been hit by a ransomware attack that prompted school officials to shut down its network and cancel online and hybrid classes scheduled for Tuesday, September 7 and Wednesday, September 8, 2021.
Howard University is a private, historically black research university in Washington, D.C., that serves roughly 9,500 undergraduate and graduate students
On Friday, September 3, 2021, just ahead of the Labor Day weekend (Sept. 4-6, 2021 in the U.S.), the school’s IT team detected “unusual activity” on its network. The University’s cyber response protocol directs its internal IT systems team to power down the network in the event of a cyber incident, which it did, officials said.
Howard University Ransomware Attack: Investigation Details
At this early point in its investigation, there’s no evidence that the hijackers have accessed or exfiltrated any personal information, Howard said. However, the mechanics of the attack, who might have launched it, how the hackers gained access and the full extent of the damage are unclear. University officials said protecting all sensitive personal, research and clinical data is a top priority.
“The situation is still being investigated, but we are writing to provide an interim update and to share as much information as we safely and possibly can at this point in time, considering that our emails are often shared within a public domain,” Howard said. “Based on the investigation and the information we have to date, we know the University has experienced a ransomware cyber attack.” Officials did not mention if the hacker(s) had left a ransom note or detail the terms to restore the University’s systems.
Going into the holiday weekend, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) strongly warned all organizations to be on the alert for ransomware attacks launched before or during the three-day period. While neither agency had any specific information of an impending attack, opportunistic ransomware hijackers have previously struck ahead of holiday weekends when MSSPs, internal security staff and admins may not be on duty.
Howard University Ransomware Attack: Forensic Consultants Hired
MSSPs should note: Howard was quick to point out that it has called upon “external forensic experts” to investigate the incident and assess the potential damage, suggesting that it may be working with cyber response providers and/or MSSPs serving the education sector.
In addition to engaging with third-party security specialists, Howard has notified federal law enforcement and city government of the cyber hijack. “We recognize that there has to be a balance between access and security but at this point in time, the University’s response will be from a position of heightened security,” officials said. “Please consider that remediation, after an incident of this kind, is a long haul not an overnight solution.
In the last four months, a rash of ransomware attacks have hit critical infrastructure and other targets immediately prior to holiday weekends. Example attacks include:
- July 2, 2021: The Kaseya VSA ransomware attack, carried out by the REvil ransomware group, surfaced just as IT administrators and MSSP staff members were likely heading out for the July 4th extended weekend in the United States.
- May 31, 2021: Meat supplier JBS was attacked over the U.S. Memorial Day weekend by the Sodinokibi/REvil ransomware crew that affected U.S. and Australian meat production facilities and resulted in a complete production stoppage.
- May 7, 2021: Leading into the Mother’s Day weekend, energy supplier Colonial Pipeline discovered it had been victimized by a devastating attack carried out by the DarkSide ransomware cyber crew. The hijack resulted in a week-long suspension of operations and threatened gasoline and fuel distribution across the U.S. east coast.