Fortunately, the IT team backed up its data, so the district didn’t have to pay a ransom to regain access. But it took months to fully recover.
Since then, the district has used the incident as an opportunity to beef up its cybersecurity posture and ensure that it’s better prepared for future attacks.
Ransomware and other cyberattacks have crippled an increasing number of school districts in recent years. To guard against malware infections, hacks and data breaches, districts must educate users on computer safety, install software patches regularly and deploy a multilayered security approach that includes better endpoint security and other advanced security tools, IT leaders and analysts say.
Districts must also develop a comprehensive response plan that covers steps such as quarantining affected devices and restoring from backup if they are hit by ransomware or other destructive malware, says Mike Rothman, president of Securosis, a Phoenix-based information security research and advisory firm.
“It’s a no-win situation,” Rothman says. “Students bring their own devices and click on things. Teachers do as well. Certainly, try to prevent an attack, but detecting it quickly and being able to remediate effectively is more important.”
Investing in Tools to Mitigate Future Attacks
Immediately after the ransomware attack, the 42 schools in the Rockford district had to make do without email and internet. Bus drivers had to rely on paper copies of their routes, and teachers recorded student attendance on paper.
Within days, the district restored its critical business applications and student information system with the help of a vendor who temporarily hosted the applications in the cloud, Barthel says.
After more than two weeks, the Rockford IT team restored the district’s internet access, enabling students to use Chromebooks and tablets. The ransomware variant that infected the district only affected certain operating systems.
Over two months, the 46-person IT team worked around the clock, wiping and rebuilding affected servers and computers, restoring data from backups, and tightening preventive and detective controls. Prior to the infection, the team had improved the data backup and recovery process with Veeam backup software and Nimble Storage hardware.
“We had snapshots of our databases, which were taken within 60 minutes of the attack. So, we were fortunate,” Barthel says.
A third-party forensics investigator found the ransomware’s point of entry was a phishing email containing a malicious link — a sign the district needs more employee training on computer safety.