Poms Connects - A Knowledge Sharing Community

Blog

Ransomware Attacks in Schools

A new report published by cybersecurity firm Armor shows more than 500 schools have been hit with ransomware in the first nine months of 2019, including an attack on the New Mexico Gadsden school district.

These cyber incidents, often crippling to the affected agency or jurisdiction, have frequently left service delivery at a standstill and administrative systems facing long recovery periods. School districts in particular are attractive targets because of their relative vulnerability. Schools often suffer from limited IT staff, older equipment, and less than optimal cybersecurity expertise. Often school districts are also not in the practice of backing up their data.

What is ransomware?

Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. After the initial infection, ransomware will attempt to spread to connected systems, including shared storage drives and other accessible computers.

The ransom demanded varies, but frequently must be paid in virtual currency, like Bitcoin. If the ransom demands are not met the files or encrypted data will usually remain encrypted and unavailable to the victim.

Paying ransom doesn’t guarantee that the encrypted files will be released, it only guarantees that the malicious actors receive the victim’s money and often their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

How do you get infected with ransomware?

Ransomware is often spread through phishing emails that contain malicious attachments or through “drive-by downloading”. Phishing emails often appear as though they have been sent from a legitimate organization or someone known to the victim and entice the user to click on a malicious link or open a malicious attachment. Drive-by downloading typically occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Once the ransomware has completed file encryption, it creates and displays a file or files containing instructions on how the victim can pay the ransom. If the victim pays the ransom, the threat actor may provide a cryptographic key that the victim can use to unlock the files, making them accessible.

How do I protect my school against ransomware?

US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection.
  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing. Install antivirus software, firewalls, and email filters—and keep them updated—to reduce malicious network traffic.
  • Restrict users’ ability (permissions) to install and run unwanted software applications and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine.
  • Use caution with links and when entering website addresses. Be careful when clicking directly on links in emails, even if the sender appears to be someone you know. Attempt to independently verify website addresses (e.g., contact your organization's helpdesk, search the internet for the sender organization’s website or the topic mentioned in the email). Pay attention to the website addresses you click on, as well as those you enter yourself. Malicious website addresses often appear almost identical to legitimate sites, often using a slight variation in spelling or a different domain (e.g., .com instead of .net).
  • Open email attachments with caution. Be wary of opening email attachments, even from senders you think you know, particularly when attachments are compressed files or ZIP files.
  • Keep your personal information safe. Check a website’s security to ensure the information you submit is encrypted before you provide it.
  • Verify email senders. If you are unsure whether or not an email is legitimate, try to verify the email’s legitimacy by contacting the sender directly. Do not click on any links in the email. If possible, use a previous (legitimate) email to ensure the contact information you have for the sender is authentic before you contact them.
  • Inform yourself. Keep yourself informed about recent cybersecurity threats and up to date on ransomware techniques. You can find information about known phishing attacks on the Anti-Phishing Working Group website. You may also want to sign up for CISA product notifications, which will alert you when a new Alert, Analysis Report, Bulletin, Current Activity, or Tip has been published.
  • Train your organization. Organizations should ensure that they provide cybersecurity awareness training to their personnel. Ideally, organizations will have regular, mandatory cybersecurity awareness training sessions to ensure their personnel are informed about current cybersecurity threats and threat actor techniques. To improve workforce awareness, organizations can test their personnel with phishing assessments that simulate real-world phishing emails.

How do I respond to a ransomware infection?

  • Isolate the infected system. Remove the infected system from all networks, and disable the computer’s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected whether wired or wireless. 
  • Turn off other computers and devices. Power-off and segregate (i.e., remove from the network) the infected computer(s). Power-off and segregate any other computers or devices that shared a network with the infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering-off and segregating infected computers and computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists.
  • Secure your backups. Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.

Finally, immediately report the ransomware attack to both the New Mexico Public Education Department as well as your district/charter insurance company. Every insurance policy is considered a contract creating obligations for both the insured and the insurer. One of an insured’s most important responsibilities is to report claims in a timely manner as provided by the policy at issue.