Hard Lessons of Ransomware Attacks Inform Tech Strategies

Fortunately, the IT team backed up its data, so the district didn’t have to pay a ransom to regain access. But it took months to fully recover.

Since then, the district has used the incident as an opportunity to beef up its cybersecurity posture and ensure that it’s better prepared for future attacks.

Ransomware and other cyberattacks have crippled an increasing number of school districts in recent years. To guard against malware infections, hacks and data breaches, districts must educate users on computer safety, install software patches regularly and deploy a multilayered security approach that includes better endpoint security and other advanced security tools, IT leaders and analysts say.

Districts must also develop a comprehensive response plan, such as quarantining affected devices and restoring from backup if they are hit by ransomware or other destructive malware, says Mike Rothman, president of Securosis, a Phoenix-based information security research and advisory firm.

“It’s a no-win situation,” Rothman says. “Students bring their own devices and click on things. Teachers do as well. Certainly, try to prevent an attack, but detecting it quickly and being able to remediate effectively is more important.”

MORE ON EDTECH: Learn about the cybersecurity threats that keep K–12 CIOs up at night.

Investing in Tools to Mitigate Future Attacks

Immediately after the ransomware attack, the 42 schools in the Rockford district had to make do without email and internet. Bus drivers had to rely on paper copies of their routes, and teachers recorded student attendance on paper.

Within days, the district restored its critical business applications and student information system with the help of a vendor who temporarily hosted the applications in the cloud, Barthel says.

After more than two weeks, the Rockford IT team restored the district’s internet access, enabling students to use Chromebooks and tablets. The ransomware variant that infected the district only affected certain operating systems.

Over two months, the 46-person IT team worked around the clock, wiping and rebuilding affected servers and computers, restoring data from backups, and tightening preventive and detective controls. Prior to the infection, the team had improved the data backup and recovery process with Veeam backup software and Nimble Storage hardware.

“We had snapshots of our databases, which were taken within 60 minutes of the attack. So, we were fortunate,” Barthel says.

A third-party forensics investigator found the ransomware’s point of entry was a phishing email containing a malicious link — a sign the district needs more employee training on computer safety.

While getting IT operations back on track, Barthel and his team have deployed new security technology to protect Rockford from future threats.

The technology department implemented new security tools to gain better network visibility: SolarWinds’ Security Event Manager, a security information and event management tool that aggregates logs and identifies threats, and Microsoft Advanced Threat Analytics, which analyzes the network and alerts IT staff to suspicious activity.

The team also installed additional features to the district’s Sophos endpoint security software that goes beyond anti-virus signatures and analyzes behavior to block attacks, including ransomware. This year, Rockford district leaders plan to implement user security training and enforce multifactor authentication. They also plan to improve disaster recovery by creating an active-active data center configuration.

District leaders have supported the cybersecurity initiatives and have prioritized them, Barthel says.

“This was nothing we wanted to experience, but there’s a silver lining,” he says. “It’s helped us move forward very quickly with many technology initiatives laid out in our strategic plan.”

READ MORE: Find out why cybersecurity leadership should extend beyond IT.

A Ransomware Conundrum: To Pay or Not to Pay

The FBI advises against paying thieves after ransomware attacks because doing so encourages more attacks. But sometimes administrators feel they have no choice.

In May 2018, Roseburg Public Schools in Oregon suffered a ransomware attack that encrypted half a dozen of the district’s 30 servers. District staff could not access business applications and email, and the school websites were knocked offline, Technology Coordinator Gary McFarlane says.

The district could not restore from backups because some backup drives were encrypted. The cybercriminals had gained access through a Remote Desktop Protocol attack.

“There was an opening that shouldn’t have been there, and that allowed remote access into our system,” McFarlane says.

Roseburg’s insurance company hired a forensics security firm that recovered some, but not all, of the data. The security firm advised the insurance company to pay the ransom.

After receiving the decryption keys, the Roseburg IT staff recovered the data, wiped and rebuilt the affected servers and restored operations. McFarlane says no employee or student information was compromised, but the district learned its lesson and has improved its security.

McFarlane revamped the data backup process and moved some backup servers offsite to prevent the encryption of backup copies if there is another malware infection. He also replaced traditional anti-virus software with SentinelOne’s endpoint security software, which uses behavioral analysis to detect ransomware and other malware.

The cloud is another key part of Roseburg’s cybersecurity defense. The district’s student information system is hosted in the cloud, so the ransomware infection didn’t affect it. Since the cyberattack, McFarlane has adopted Microsoft Office 365 for email and moved the district’s financial software to the cloud.

“We are spreading the risk. It’s now become more of a distributed model,” he says.

The Reality of Cyberattacks: Not if, but When

Seminole County Public Schools in Sanford, Fla., has not been hit by ransomware or other major cyberattacks. Still, the district continues to layer on security and improve data backup to make it harder for cyberthieves to succeed, says Tom Condo, supervisor of information systems operations.

The district uses Microsoft System Center Configuration Manager (now called Endpoint Configuration Manager), a patch management tool, to keep security patches up to date and deploys Rubrik software to back up data to an on-premises appliance and then to the cloud.

SCPS, which uses SonicWall firewalls, recently implemented Microsoft Cloud App Security, a cloud access security broker that includes data-loss prevention features and a SIEM tool that analyzes the district’s on-premises and cloud environment and helps stop cyberthreats.

The information systems staffers say they feel ready to respond if the district ever suffers a ransomware attack or other cyberattack, Condo says. “We talk all the time that it’s not a matter of if, it’s a matter of when. We just hope to minimize the impact.”