How Are School Districts Reacting to Ransomware Attacks?
It’s also troubling that ransoms demands and payments are increasing, because in many cases, ransomware attacks are no longer just about getting the data back, explains Fleming Shi, CTO for Barracuda Networks, where he leads the company’s threat research.
Shi says that a large percentage of ransomware attacks are an extortion related to the data, which goes beyond paying the ransom to get files back. When attackers also threaten to expose and release the data they have stolen, victims may be likely to pay the ransom.
“If they’re extortion attacks related to the data they hold, these are going to be pretty critical because they may involve private information,” Shi says. “Because of that, some victims may think it’s not enough to just get their files back. They have to think about potential fines and lawsuits if they lose that data — if it gets breached and released on the dark web. I think that mentality really initiated how the bad guys get people to pay.”
Charles Goldberg, vice president of data protection product marketing at Thales, adds that schools face a unique challenge for setting security policies. "They are typically very open environments, are cloud users and want easy and ubiquitous access for students and faculty," he says. "Additionally, most schools don't have large IT budgets or IT teams."
Preston says that some school districts just aren’t prepared; they haven’t elevated their concern for ransomware attacks and adjusted their cybersecurity approach accordingly. But why?
“I think it’s a bit of a ‘head in the sand’ approach. It’s like a person who is sick but doesn’t want to go to the doctor because they might say you have coronavirus,” Preston explains. “Another answer might be that they simply don’t have the budget to fix it, so why bother finding out it needs to be fixed?”
Best Practices for Responding to a Ransomware Attack
So, what should school districts do in the event of a ransomware attack? Consider these tips from experts:
Find the source. Preston says that school districts should not rely on the ransomware attacker to tell them what is infected. “You need to find out how to identify a system that’s infected, but whose payload hasn’t been activated,” he says. “Those are the systems you need to find and disinfect before resuming.” Consider vendors with threat hunting solutions, Shi adds, which can identify ransomware and contain it before encryption begins.
Shut down everything. IT teams should also shut down all their systems and disable their network so that the ransomware cannot propagate further. “Once an initial infection has happened, many ransomware products are designed to automatically spread across the network,” Preston says. “Shut down everything, then restart as necessary as you check each system for infection.”
Activate your disaster recovery playbook. School districts should also have a well-tested disaster recovery plan that will allow them to resume operations when a ransomware attack occurs. “Ransomware is no different than any other type of disaster, because that’s what it is; it takes out your data center, just like a flood, hurricane or fire,” Preston says. In addition, districts should consider adopting Disaster Recovery as a Service. Preston says that DRaaS is a cheaper option because schools won’t need to buy any disaster recovery infrastructure and spend money maintaining it. DRaaS makes it easy to resume operations too. “You simply press one button, and all of the servers you configured beforehand magically come alive in the cloud within 15 to 20 minutes,” he says.
Expand your communication channels. After a ransomware attack, school and IT leaders should regularly communicate with stakeholders about the damage and recovery process, explains Jason Barthel, executive director of technology at Rockford Public Schools in Illinois. When a ransomware attack hit Rockford last fall, Barthel worked with his district administrators and the communications department to keep the school community and media up to date online, through news releases and social media posts. Shi notes that, while he’s seen various kinds of communication methods, text messages catch people’s attention faster. Schools should also be proactive about providing information on good cyber hygiene, especially regarding threats such as phishing, password protection and using secure Wi-Fi, Goldberg says.
Get your people ready. It’s also important to make sure that the human element of cybersecurity and incident response plans is in place, says Matthew Gardiner, Mimecast’s cybersecurity strategist. Gardiner explains that end-user security awareness training should be part of the curriculum in K–12 schools. “I think our education system is the perfect place to have age-appropriate security awareness training, whether it’s part of the computer class or math class,” he says. Administration, faculty, IT and anyone else in a responsible position should be aware of the incident response plan and should know “who to call, when to call, how to initiate the plan and how to organize the incident,” he says. Goldberg adds that lessons learned from an attack should be carefully reviewed and documented together "so that past mistakes and gaps in security can be corrected."
Infrastructure Considerations for Managing Ransomware Attack Risk
It’s evident that school districts can no longer just rely on their anti-virus or traditional backup services, Shi says. As a long-term goal, he suggests looking into Managed Security Service Providers, or MSSPs, which provide outsourced cybersecurity monitoring and management of devices and systems.
“If schools don’t have the resources or the skill set to actually handle certain types of attacks or even day-to-day phishing and spear phishing attacks, it’s probably a good idea to get an experienced MSSP,” Shi says. “Ask for a security operations center, which will provide 24/7 monitoring of your infrastructure. With that kind of practice, you’ll have someone watching your overall infrastructure constantly.”
Gardiner adds that one of the beauties of outsourcing to providers such as cloud vendors is that they have their own contingency plans to keep their customers up and running.
“Obviously, you have to scrutinize and make sure they’re following best practices,” he says. “But at the end of the day, building and managing your own IT and security systems is a big task. You should be honest with yourself as to whether your organization is up to the task.”