Ransomware hackers continue to threaten and target K–12 schools, and they’re not likely to quit anytime soon. Ransomware works in several ways, but all of them prevent access to or use of computing resources until a ransom is paid.
For example, crypto-based ransomware encrypts data so no one can access it, and locker-based ransomware locks a computer so no one can use it. Even worse, another form of ransomware, known as wiperware, makes each computer unusable even if the user or school pays up.
Although it’s tempting to rely on automated technologies, such as patch management and anti-virus software, to stop ransomware, most attacks rely on both social engineering and user interaction. That means simply leaning on patch deployment during the next major ransomware attack will likely not be enough to avoid losses.
To better protect their systems for the future, school IT leaders can take these additional steps.
Endpoint Protection Tools Can Stop Ransomware Before It Begins
Ransomware targets endpoints, so IT leaders should protect endpoints through myriad security controls. For example, an endpoint protection suite bundles advanced anti-malware, anti-spam, anti-phishing and firewalling capabilities for desktops and laptops. These packages also frequently use reputation services or threat intelligence feeds to determine the likely intent of a file. In short: Is this ransomware?
Unified threat management solutions offer anti-ransomware features similar to those of endpoint protection suites, but provide safeguards for servers instead. Together, endpoint protection suites and UTM solutions can stop many ransomware threats, including those spread by email, websites or instant messaging.
These tools deny ransomware the opportunity to infect the endpoint in the first place. For stronger protection, school districts may want to deploy a series of anti-malware, anti-spam and anti-phishing controls in conjunction with their email servers. Because these controls run on the mail server rather than on the endpoint, an attacker who gains a foothold on a machine cannot reconfigure or disable them the way endpoint-based security controls can be.
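As an added illustration of one mail-server-side control of the kind described above (example code, not the article's or any vendor's product), the following Python checks every attachment of a message before delivery. It blocks on file extension, on a document-style double extension, and on the file's actual content: a Windows executable begins with the bytes `MZ` whatever its name says, so a "PDF" whose bytes start with `MZ` is held. The blocked-extension list, the signature table and the sample message are constructed assumptions for the example.

```python
"""Mail-server attachment gate (added example; policy lists are assumptions)."""
from __future__ import annotations

from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions a school mail server should never pass to an endpoint (assumed policy).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".jar", ".lnk"}
# Document extensions often used as the "inner" name in a double extension such as report.pdf.exe.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Content signatures checked regardless of the declared file name.
MAGIC_SIGNATURES = {
    b"MZ": "Windows executable (PE) header",
    b"PK\x03\x04": "ZIP container (inspect contents or block)",
}


def classify_attachment(filename: str, payload: bytes) -> list[str]:
    """Return the reasons an attachment should be held; an empty list means it passes."""
    reasons: list[str] = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension disguises {ext} as a document")
    # Check what the bytes really are, not what the name claims.
    for magic, description in MAGIC_SIGNATURES.items():
        if payload.startswith(magic):
            reasons.append(f"content is {description} despite name {filename!r}")
            break
    return reasons


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 5322 message and map each suspicious attachment name to its reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(filename, payload)
        if reasons:
            findings[filename] = reasons
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a harmless CSV, a PE disguised as a PDF, and a double-extension script."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "teacher@school.example"
    msg["Subject"] = "Field trip forms"
    msg.set_content("Forms attached.")
    msg.add_attachment("name,grade\nAlex,5\n", subtype="csv", filename="roster.csv")
    # A PE image starts with the two bytes "MZ"; the rest here is filler, not a real program.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application", subtype="pdf",
                       filename="permission_slip.pdf")
    msg.add_attachment(b"rem constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="schedule.xlsx.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(f"HOLD {name}: {'; '.join(reasons)}")
```

Run it directly to see the two attachments that would be held; `roster.csv` passes because neither its name nor its content matches a rule. In production the same function would be wired into the mail transfer agent's content filter, and the signature table extended with the formats the district actually wants to stop.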
Manage Vulnerability with Regular System Updates
The next layer of defense in preventing ransomware infection is vulnerability management, which requires IT leaders to focus on patch management and configuration management.
Patch management includes updating an endpoint’s operating system and applications, especially email clients and web browsers, to eliminate many of the vulnerabilities that ransomware might try to exploit. This protection strategy has been instrumental in stopping many ransomware attacks, and it will undoubtedly continue to be critical in the future. School district officials should ensure their patch management practices go beyond operating systems and cover the very applications that ransomware may target.
IT leaders will also want to double down on configuration management. Some ransomware takes advantage of weak security configuration settings. For example, if an operating system allows silent installation of new software and a user has logged on with full administrative privileges, ransomware could infect an endpoint without giving that person any opportunity to stop it. School districts should create security configuration checklists for their endpoint operating systems and major applications. To prevent ransomware infection, these checklists should center on fundamental security principles, such as providing users the least amount of privilege necessary.
Use Application Whitelisting if All Else Fails
If other security controls don’t stop the ransomware, the last layer of defense is application whitelisting. With this technique, an operating system allows an executable to run only if the school district has specifically approved its use. Depending on the whitelisting technology, a school district may grant executables permission to run based on methods such as file hash or software vendor identity.
In some cases, the software authorizes new executables to run only if they were acquired through the OS’s built-in update feature. Even if a user is tricked into downloading and installing ransomware, whitelisting technology prevents the user from running it, regardless of his or her privilege.
However, to be truly effective, whitelisting must be kept up to date. Any errors in configuration could inadvertently prevent legitimate software from running or mistakenly allow ransomware or other malware to spread. School districts should carefully evaluate whitelisting solutions and, whenever feasible, run them first in monitor-only mode to confirm proper operation before enforcing whitelisting policies.
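To make the decision logic of the three preceding paragraphs concrete, here is an added Python example (not the article's code and not any whitelisting product's) that evaluates executables against an allowlist of SHA-256 hashes and approved publisher names, defaulting to deny, with a monitor-only mode that records what would be blocked without blocking it. The sample executables, the publisher names and the assumption that the OS has already verified the signer are all constructed for the example. It also shows the maintenance problem the last paragraph warns about: a legitimate update changes the file's hash, so a hash-only rule stops approved software until the list is refreshed, whereas a publisher rule keeps working.

```python
"""Allowlist policy evaluator with monitor and enforce modes (added example; all data constructed)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class Policy:
    allowed_hashes: set[str] = field(default_factory=set)      # SHA-256 hex digests
    allowed_publishers: set[str] = field(default_factory=set)  # verified signer names
    mode: str = "monitor"  # "monitor": log only; "enforce": block what is not allowed


@dataclass
class Decision:
    path: str
    allowed: bool
    rule: str
    blocked: bool  # True only when the policy is enforced and nothing allowed the file


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(policy: Policy, path: str, data: bytes, publisher: str | None) -> Decision:
    """Default deny: allow by exact hash, then by verified publisher, otherwise log or block."""
    digest = sha256_hex(data)
    if digest in policy.allowed_hashes:
        return Decision(path, True, f"hash {digest[:12]}", False)
    if publisher and publisher in policy.allowed_publishers:
        return Decision(path, True, f"publisher {publisher}", False)
    return Decision(path, False, "no matching rule", policy.mode == "enforce")


# Constructed executables: (path, file bytes, publisher as verified by the OS, or None if unsigned).
CALC_V1 = b"constructed calculator build 1"
CALC_V2 = b"constructed calculator build 2"  # same product after an update: different hash
SAMPLE_EXECUTABLES = [
    ("C:/Apps/calc.exe", CALC_V1, "Example Vendor"),
    ("C:/Apps/calc.exe", CALC_V2, "Example Vendor"),
    ("C:/Users/student/Downloads/game.exe", b"constructed unsigned download", None),
]


def run_policy(policy: Policy) -> list[Decision]:
    """Evaluate every sample executable under the given policy."""
    return [evaluate(policy, path, data, publisher) for path, data, publisher in SAMPLE_EXECUTABLES]


def would_block(policy: Policy) -> list[str]:
    """Paths that enforcement would stop; in monitor mode this is the review list, nothing is blocked."""
    return [d.path for d in run_policy(policy) if not d.allowed]


def hash_only_policy(mode: str = "monitor") -> Policy:
    return Policy(allowed_hashes={sha256_hex(CALC_V1)}, mode=mode)


def publisher_policy(mode: str = "monitor") -> Policy:
    return Policy(allowed_hashes={sha256_hex(CALC_V1)}, allowed_publishers={"Example Vendor"}, mode=mode)


if __name__ == "__main__":
    for label, pol in (("hash-only", hash_only_policy()), ("hash+publisher", publisher_policy())):
        print(f"== {label}, mode={pol.mode} ==")
        for d in run_policy(pol):
            state = "BLOCK" if d.blocked else ("allow" if d.allowed else "log only")
            print(f"{state:8} {d.path} ({d.rule})")
```

Running it in monitor mode first, as the paragraph above recommends, produces the review list: under the hash-only policy the updated `calc.exe` appears alongside the unsigned download, which tells the administrator the list is stale before enforcement ever breaks a classroom machine. Switching `mode` to `"enforce"` turns those same entries into blocks.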