Security

Hard Lessons of Ransomware Attacks Inform Tech Strategies

The work of mitigating cyberattacks informs districts’ strategies to thwart future incidents or minimize damage should any occur.

Wylie Wong

Twitter

Wylie Wong is a freelance journalist who specializes in business, technology and sports. He is a regular contributor to the CDW family of technology magazines.

In September, the staff members of Rockford Public Schools’ technology department faced their worst IT nightmare: A ransomware attack was spreading across the data center and encrypting servers.

The Illinois district’s IT infrastructure is designed to text IT staff when a server disconnects. On a Thursday night, Executive Director of Technology Jason Barthel and his team were bombarded by a barrage of texts. About 85 of 300 virtual servers shut down in rapid succession.

Barthel logged in to investigate but couldn’t restart the servers remotely, so he rushed to the data center to discover that the servers, some housing mission-critical applications, were encrypted. He disconnected internet access to contain the outbreak, which prevented further encryption, but many systems were already affected.

“We decided school would go on, but it was going back to basics: life without technology for several weeks,” Barthel says.

Fortunately, the IT team backed up its data, so the district didn’t have to pay a ransom to regain access. But it took months to fully recover.

Since then, the district has used the incident as an opportunity to beef up its cybersecurity posture and ensure that it’s better prepared for future attacks.

Ransomware and other cyberattacks have crippled an increasing number of school districts in recent years. To guard against malware infections, hacks and data breaches, districts must educate users on computer safety, install software patches regularly and deploy a multilayered security approach that includes better endpoint security and other advanced security tools, IT leaders and analysts say.

Districts must also develop a comprehensive response plan, such as quarantining affected devices and restoring from backup if they are hit by ransomware or other destructive malware, says Mike Rothman, president of Securosis, a Phoenix-based information security research and advisory firm.

“It’s a no-win situation,” Rothman says. “Students bring their own devices and click on things. Teachers do as well. Certainly, try to prevent an attack, but detecting it quickly and being able to remediate effectively is more important.”

MORE ON EDTECH: Learn about the cybersecurity threats that keep K–12 CIOs up at night.

Investing in Tools to Mitigate Future Attacks

Immediately after the ransomware attack, the 42 schools in the Rockford district had to make do without email and internet. Bus drivers had to rely on paper copies of their routes, and teachers recorded student attendance on paper.

Within days, the district restored its critical business applications and student information system with the help of a vendor who temporarily hosted the applications in the cloud, Barthel says.

After more than two weeks, the Rockford IT team restored the district’s internet access, enabling students to use Chromebooks and tablets. The ransomware variant that infected the district only affected certain operating systems.

Over two months, the 46-person IT team worked around the clock, wiping and rebuilding affected servers and computers, restoring data from backups, and tightening preventive and detective controls. Prior to the infection, the team had improved the data backup and recovery process with Veeam backup software and Nimble Storage hardware.

“We had snapshots of our databases, which were taken within 60 minutes of the attack. So, we were fortunate,” Barthel says.

A third-party forensics investigator found the ransomware’s point of entry was a phishing email containing a malicious link — a sign the district needs more employee training on computer safety.

It’s helped us move forward very quickly with many technology initiatives laid out in our strategic plan.”

Jason Barthel Executive Director of Technology, Rockford (Ill.) Public Schools

While getting IT operations back on track, Barthel and his team have deployed new security technology to protect Rockford from future threats.

The technology department implemented new security tools to gain better network visibility: SolarWinds’ Security Event Manager, a security information and event management tool that aggregates logs and identifies threats, and Microsoft Advanced Threat Analytics, which analyzes the network and alerts IT staff to suspicious activity.

The team also installed additional features to the district’s Sophos endpoint security software that goes beyond anti-virus signatures and analyzes behavior to block attacks, including ransomware. This year, Rockford district leaders plan to implement user security training and enforce multifactor authentication. They also plan to improve disaster recovery by creating an active-active data center configuration.

District leaders have supported the cybersecurity initiatives and have prioritized them, Barthel says.

“This was nothing we wanted to experience, but there’s a silver lining,” he says. “It’s helped us move forward very quickly with many technology initiatives laid out in our strategic plan.”

A Ransomware Conundrum: To Pay or Not to Pay

The FBI advises against paying thieves after ransomware attacks because doing so encourages more attacks. But sometimes administrators feel they have no choice.

In May 2018, Roseburg Public Schools in Oregon suffered a ransomware attack that encrypted half a dozen of the district’s 30 servers. District staff could not access business applications and email, and the school websites were knocked offline, Technology Coordinator Gary McFarlane says.

The district could not restore from backups because some backup drives were encrypted. The cybercriminals had gained access through a Remote Desktop Protocol attack.

“There was an opening that shouldn’t have been there, and that allowed remote access into our system,” McFarlane says.

Roseburg’s insurance company hired a forensics security firm that recovered some, but not all, of the data. The security firm advised the insurance company to pay the ransom.

After receiving the decryption keys, the Roseburg IT staff recovered the data, wiped and rebuilt the affected servers and restored operations. McFarlane says no employee or student information was compromised, but the district learned its lesson and has improved its security.

McFarlane revamped the data backup process and moved some backup servers offsite to prevent the encryption of backup copies if there is another malware infection. He also replaced traditional anti-virus software with SentinelOne’s endpoint security software, which uses behavioral analysis to detect ransomware and other malware.

The cloud is another key part of Roseburg’s cybersecurity defense. The district’s student information system is hosted in the cloud, so the ransomware infection didn’t affect it. Since the cyberattack, McFarlane has adopted Microsoft Office 365 for email and moved the district’s financial software to the cloud.

“We are spreading the risk. It’s now become more of a distributed model,” he says.

777 million

The number of cybersecurity-related incidents that have disrupted school operations or resulted in data breaches since 2016

Source: EdTech Strategies, LLC, "K-12 Cyber Incident Map," 2020

The Reality of Cyberattacks: Not if, but When

Seminole County Public Schools in Sanford, Fla., has not been hit by ransomware or other major cyberattacks. Still, the district continues to layer on security and improve data backup to make it harder for cyberthieves to succeed, says Tom Condo, supervisor of information systems operations.

The district uses Microsoft System Center Configuration Manager (now called Endpoint Configuration Manager), a patch management tool, to keep security patches up to date and deploys Rubrik software to back up data to an on-premises appliance and then to the cloud.

SCPS, which uses SonicWall firewalls, recently implemented Microsoft Cloud App Security, a cloud access security broker that includes data-loss prevention features and a SIEM tool that analyzes the district’s on-premises and cloud environment and helps stop cyberthreats.

The information systems staffers say they feel ready to respond if the district ever suffers a ransomware attack or other cyberattack, Condo says. “We talk all the time that it’s not a matter of if, it’s a matter of when. We just hope to minimize the impact.”

After a Cyberattack, Communication is Key

After a ransomware infection, it’s critical for K–12 IT leaders to regularly communicate with stakeholders about the damage and the recovery process, says Jason Barthel, executive director of technology at Rockford Public Schools in Illinois.

When Rockford schools suffered a ransomware attack last fall, Barthel met with the district superintendent, cabinet-level administrators and the public information officer every two hours for the first several days. At first, the frequent meetings were a necessary part of responding to the attack and establishing a communications strategy.

As the IT team assessed the damage and reported relevant findings, the meetings were a crucial part of prioritizing restarting applications and IT systems, Barthel says. Two weeks after the incident, as more systems were restarted, administrators reduced the meetings to about once a week for the next several months.

District administrators and the communications department updated administrators at each school site about when systems would be available. The superintendent communicated important information about the incident to Rockford’s school board, Barthel says.

The communications team also updated parents, the community and the media with news releases and social media posts, he says. It was important to reassure the broader community that employee and student data had not been breached and that the schools were safe and would continue operations.

For the first few days after the incident, the IP-based phone system was down at some schools, which sparked safety and communications concerns for parents. District administrators redirected those schools’ calls to cellphones that were distributed to the school leaders.

Photography by Bob Stefko