If the data is worth paying a million-dollar ransom to unlock, it is worth setting up proper backups. I for one am grateful to people who commit these crimes in which they "lock" data in place rather than sell it to the highest bidder.
Proper data hygiene isn't brain surgery. There is zero excuse for this event. I don't blame the criminals. I blame the university system. Shame!
... "lock" data in place rather than sell it to the highest bidder.
Why not both? And once the rightful owner of the data has paid a fat ransom, surely that's got to provide some kind of proof of its market value. The University did say that
The attackers obtained some data as proof of their action
so unless they're logging their outbound traffic, who's to say they didn't exfiltrate all of it? It's the kind of thing that the University would remain tight-lipped about unless they were either sure that it hadn't happened (doubtful, seeing as they aren't running a tight ship) or had some kind of mandatory reporting obligation for the data.
The data is worth that much to the university because it's critical to grant continuity - it'll be hard or impossible for their researchers to keep the money flowing without it. It's pretty much useless in everyone else's hands because those grants also depend on individual reputation and research history.
Proper data hygiene at large enterprise levels is, in fact, exceedingly difficult.
Creating a hermetically sealed IT environment where the only remaining way to exfiltrate data is the employees' eyeballs is definitely possible and is increasingly done well by a lot of large organizations.
Defending against insider threat (malicious employees) is still a challenge for most civilian (non-military) organizations.
Don’t entirely disagree, but also think it’s fair to say they almost certainly use the stolen data to find weaknesses in their next targets, so it’s not just a one to one thing. This doesn’t at all negate the main statement: good motivation to actually do proper backup and security.
Depends, those kinds of outfits tend to poke around and lurk a while before striking. In that time they can exfiltrate and you cannot prove that the baddies didn't exfiltrate data (if you had that sophistication, they wouldn't have been in the mess they got into).
Optimistic counterpoint: a high-profile, (relatively) high-value ransom payout like USC's may incentivise other orgs vulnerable to this kind of attack to take steps to prevent this kind of issue.
Anything from restricting program capabilities/permissions for external executables, to keeping "colder" backups of business-critical data, to monitoring and responding to software that looks like it's traversing the whole filesystem, could reduce the harm ransomware causes.
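The last suggestion in that comment, alerting on software that looks like it is traversing the whole filesystem, is easy to sketch. The following is an added example, not code from the thread or from any product mentioned in it. It assumes a hypothetical event stream of the form `<unix_ts> <pid> <process> <op> <path>` (in practice you would feed it auditd, Sysmon or EDR file events), uses thresholds that are assumptions rather than anything the thread states, and keys on writes and renames rather than reads so that a legitimate backup agent, which also walks every directory, does not trip it:

```python
"""Toy behavioural detector for ransomware-like filesystem traversal.

Hypothetical event format (constructed for this example): one event per line,
"<unix_ts> <pid> <process> <op> <path>", where op is open, read, write or rename.
"""
from collections import defaultdict, deque
from pathlib import PurePosixPath

# Tunable thresholds. These values are assumptions for the example, not
# something the discussion above specifies; tune them per environment.
WINDOW_SECONDS = 60        # sliding window kept per process
MIN_DISTINCT_DIRS = 5      # how broad the traversal must be
MIN_MODIFICATIONS = 20     # writes + renames inside the window
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt"}


def parse_event(line):
    """Split one constructed event line into a dict; paths contain no spaces."""
    ts, pid, proc, op, path = line.split(maxsplit=4)
    return {"ts": float(ts), "pid": int(pid), "proc": proc, "op": op, "path": path}


def detect(lines):
    """Return a list of (pid, proc, ts, reason) alerts, at most one per process.

    Only write/rename events count towards the thresholds, so a backup agent
    that reads every file (a benign full-filesystem traversal) is not flagged.
    """
    recent = defaultdict(deque)   # pid -> deque of (ts, op, path) in the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        q = recent[ev["pid"]]
        q.append((ev["ts"], ev["op"], ev["path"]))
        while q and ev["ts"] - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        if ev["pid"] in alerted:
            continue
        mods = [(op, p) for _, op, p in q if op in ("write", "rename")]
        dirs = {str(PurePosixPath(p).parent) for _, p in mods}
        new_ext = sum(1 for op, p in mods
                      if op == "rename" and PurePosixPath(p).suffix in SUSPICIOUS_EXTENSIONS)
        if len(dirs) >= MIN_DISTINCT_DIRS and len(mods) >= MIN_MODIFICATIONS:
            reason = (f"{len(mods)} modifications across {len(dirs)} directories "
                      f"in {WINDOW_SECONDS}s")
            if new_ext:
                reason += f", {new_ext} renames to a suspicious extension"
            alerts.append((ev["pid"], ev["proc"], ev["ts"], reason))
            alerted.add(ev["pid"])
    return alerts


def sample_events():
    """Constructed sample input: a backup agent, a ransomware-like process, a user."""
    lines = []
    dirs = [f"/home/u{i}/docs" for i in range(8)]
    # Backup agent (pid 100): reads 40 files across 8 directories, never writes.
    for n in range(40):
        lines.append(f"{1000 + n} 100 backup-agent read {dirs[n % 8]}/file{n}.docx")
    # Ransomware-like process (pid 200): overwrite then rename, 6 directories, under a minute.
    for n in range(15):
        d = dirs[n % 6]
        lines.append(f"{1010 + n * 2} 200 updater.exe write {d}/file{n}.docx")
        lines.append(f"{1011 + n * 2} 200 updater.exe rename {d}/file{n}.docx.locked")
    # Ordinary user (pid 300): a handful of writes in a single directory.
    for n in range(5):
        lines.append(f"{1020 + n} 300 vim write /home/u1/docs/notes{n}.txt")
    return sorted(lines, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    for pid, proc, ts, reason in detect(sample_events()):
        print(f"ALERT t={ts:.0f} pid={pid} ({proc}): {reason}")
```

On the constructed sample only pid 200 is reported, at the moment its twentieth modification lands (t=1029), with the ten `.locked` renames noted in the reason; the backup agent and the editor stay silent. The usual failure mode of this kind of rule is the opposite one, so anything that legitimately rewrites many files in bulk (a bulk re-encoder, an archiver, a package manager) needs an allow-list before the alert is wired to an automatic response such as killing the process or isolating the host.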
You can't really protect against this sort of thing. A lot of our IT security runs on trust. The only way to really prevent this is to make sure that ransom attacks don't pay out.
EDIT: I should mention that I've managed IT services for a major private university earlier in my career, and I am now a software security consultant. When I say it is not possible, I mean that pragmatically. A FAANG company can control their IT well enough to make sure this doesn't happen to them, but a hospital or university relies on computer systems running software way outside of their control. That MRI machine? Its controller is probably running some ancient version of Windows Server 2003 with proprietary drivers. That university registration app? Custom coded by generations of CS student interns running on a shared system whose operating constraints are set by the Novell GroupWise instance that is co-hosted on it.
As a practical matter, one of these organizations simply cannot reduce their risk to zero or near zero. There are too many attack vectors they don't have control over. The IT departments can't mandate proper security because they don't have the budget to enforce it.
You can't fully protect, sure, but you can have a person or team alerted on suspicious behaviour. You could also try to configure your infrastructure so that any code imported via vectors that ransomware usually uses is compartmentalized in a VM, container, or other chroot-like env.
And honestly, having even week-old cold backups makes this kind of attack _considerably_ less scary and cheaper, and it enables you to skip the payout (and I'm on the same page as you on that — if there's no money to be made, ransomware attacks will drop off).