Schools rank worst at ransomware hit rate, security in general, study says.

It should surprise no one that ransomware is on the rise, but it may be news that education — not healthcare — is outstripping other industries for rate of infection, according to a study by security ratings firm BitSight.

Organizations in education had the highest rate of infection, with at least one in 10 experiencing ransomware on their networks, according to the “The Rising Face of Cyber Crime: Ransomware” report.

The study looks at businesses in finance, retail, healthcare, energy/utilities, government and education, which are listed in order from best to worst for ransomware infection rate. Education’s score is far behind that of the others, more than double that for government. The rate ranges from 13% of those in education down to 1.5% for those in finance.

They rank in the same order when it comes to overall security posture, the study says.

Based on media coverage of healthcare ransomware incidents (see: “Three more hospitals hit with ransomware”), it might seem that healthcare is hit harder than education, but that is not borne out by the BitSight study. The company used data it gathers to provide security ratings for various industries. For this study, it focused on just five, analyzing data from 18,996 individual businesses.

“The overall rate of ransomware has more than tripled, and in some cases increased 10-fold, for many industries over the last 12 months,” BitSight found. Education and government show the steepest increases.

The biggest ransomware menace is the Nymaim strain, which affects education the most, with more than 11% of institutions having it on their networks. Nymaim is also the most prevalent strain of ransomware in three other industries examined, but below a 4% infection rate.
The exceptions are retail and finance, which are dominated by Locky, but at a rate below 2%.

Nymaim is commonly associated with ransomware, but is also a Trojan capable of installing a range of malware, the study says. Matsnu, the third most common ransomware, can also download other malware.

Locky is the fastest growing strain, having been discovered less than eight months ago and already ranking number two overall for prevalence in the industries examined, BitSight says.

This is how BitSight defined its research methodology:

“BitSight collects and processes vast amounts of data in order to provide the industry standard in Security Ratings. The foundation of this research is built on our ability to accurately identify security events and attribute them to companies, which in turn, enables aggregation across industries. We determine this attribution by identifying the CIDR (Classless Inter-Domain Routing) blocks, domains, and AS (Autonomous System) numbers that organizations own, and then observing the outbound connections from ransomware originating from those organizations’ assets. Customer research shows that our team constructs maps with greater than 95% accuracy, even for companies with hundreds of thousands of IP addresses.

“Using a patented network mapping process, BitSight has mapped more than 54,000 companies. For this study, we focused on six industries, analyzing 18,996 organizations across Finance, Healthcare, Education, Energy/Utilities, Retail, and Government. We measured ransomware infections using data collected and aggregated from several sources. We monitored ransomware infections emanating from these industries using data collected over the last 12 months from organizations that BitSight has mapped and curated.
It is important to note that although we can confirm the existence of ransomware infections, we cannot confirm if files within an organization were encrypted or whether or not a ransom was paid.”
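
The attribution step the methodology describes (map observed outbound connections to the organizations that own the source address space, then aggregate by industry) can be sketched as follows. This is an added example, not BitSight's process or code; the organization names, CIDR blocks and events are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed asset map: organization -> (industry, owned CIDR blocks).
# Names and ranges are hypothetical (RFC 5737 documentation addresses).
ASSET_MAP = {
    "Example University": ("Education", ["192.0.2.0/24"]),
    # A more specific block carved out of the /24 above.
    "Example College": ("Education", ["192.0.2.128/25"]),
    "Example Bank": ("Finance", ["198.51.100.0/24"]),
    "Example Credit Union": ("Finance", ["203.0.113.0/26"]),
}

# Constructed observations: (source IP of outbound connection, malware family).
EVENTS = [
    ("192.0.2.17", "Nymaim"),
    ("192.0.2.17", "Nymaim"),     # repeat beacon, counts the organization once
    ("192.0.2.190", "Locky"),     # falls in both blocks; /25 is more specific
    ("198.51.100.8", "Locky"),
    ("203.0.113.200", "Nymaim"),  # outside every mapped block: unattributed
    ("not-an-ip", "Locky"),       # malformed record: skipped
]


def attribute(ip_text, asset_map=ASSET_MAP):
    """Return the organization owning ip_text (longest matching prefix), or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    best = None
    for org, (_industry, blocks) in asset_map.items():
        for block in blocks:
            net = ipaddress.ip_network(block)
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[1]:
                    best = (org, net.prefixlen)
    return best[0] if best else None


def infection_rates(events, asset_map=ASSET_MAP):
    """Share of mapped organizations per industry with at least one attributed event."""
    infected = defaultdict(set)
    for ip_text, _family in events:
        org = attribute(ip_text, asset_map)
        if org:
            infected[asset_map[org][0]].add(org)
    totals = defaultdict(int)
    for _org, (industry, _blocks) in asset_map.items():
        totals[industry] += 1
    return {ind: len(infected[ind]) / totals[ind] for ind in totals}
```

As the quoted methodology notes, a rate computed this way counts organizations with observed ransomware traffic, not organizations whose files were encrypted.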