Hackers used to focus their ransomware attacks primarily on taking money from corporations’ deep pockets, but they’ve recently been targeting schools and municipalities.
“Why is that so? Well, you possess an enormous amount of personal data – birthdates, social security numbers, direct deposit, banking information, credit card information – all of that you have about not only your employees, but your students and their parents,” said Rob Haws, a partner at Gust Rosenfeld PLC law firm, who specializes in education law and labor and employment.
Schools keep that data for a long time, their IT equipment and operators are not always state of the art and they “have budgetary constraints that impose some limits on correcting either of those concerns,” and that’s “why schools are becoming more and more of a target in this area,” Haws said during a breakout session at the Arizona School Boards Association Law Conference in Phoenix on Thursday, Sept. 5, 2019.
Video shot by Brooke Razo/AZEdNews and edited by Angelica Miranda/AZEdNews: What schools should do if they’re the victim of a cyberattack
How do hackers access this information? Schools “have multiple access points that you need to be mindful of as we move to more and more online activity, whether it’s registering for classes or grading or payments,” Haws said. “All those online options create a convenience for sure, but also create risks of bad people being able to access this stuff.”
But school districts and their IT departments can build awareness among staff and increase their understanding of what to keep an eye on and what to look out for, said Brad Sandt, founder and president of K12itc, a company that focuses on managing technology for schools.
“We have people trying to attack us every day,” Sandt said at the law conference. “As we continue to put in additional layers of security, it’s going to impact users, but each additional layer – each key piece of security – will add that much additional defense and protection in reducing risk.”
How ransomware affected Flagstaff Unified School
About two weeks after Flagstaff Unified School District notified parents, staff and students that they were affected by the Pearson data breach, the district cancelled classes for two days to examine every school, staff and student device in response to “a ransomware event,” said Zachery Fountain, communications director for the district, which serves more than 9,800 students in Coconino County.
Ransomware is a form of malware that demands payment in currency or bitcoin before the attackers will consider restoring partial or full access to affected computers, devices or networks and the encrypted data or information on them.
“We received information from a school district that one or more of its employees was targeted through their district email account,” said an Arizona Auditor General’s Office bulletin sent out Sept. 12, 2019.
“The specific malware or ransomware that was used in the Flagstaff situation is called RYUK. It’s similar to many others that are used,” said Haws, who noted that The Arizona School Risk Retention Trust, Inc. retains him and Gust Rosenfeld when something like this occurs.
Once a ransomware email is opened and the links inside it are clicked on, “it lays dormant for a little while, while the bad guys are doing what bad guys do. And then after a little while, the bomb goes off, and all of your data then becomes encrypted,” Haws said.
“You then lose access to all your email, to all your documents, to all your Excel, PowerPoint and Word documents – things like that – unless you pay a ransom in bitcoin to the bad guys with the hope that they will then unencrypt the data. That is essentially the situation that is happening here,” Haws said.
Flagstaff Unified’s Technology Director Mary Knight told the Associated Press and ABC 15 Arizona that the district did not pay a ransom and would not consider doing so.
The Trust will not pay a ransom, “that’s not part of your coverage,” Haws said.
“A breach insinuates that somebody went in and took information off of your servers or your computer. That did not happen. We responded way too quickly for that to happen,” Fountain said in an interview.
After the district discovered the attack on Wednesday, Sept. 4, 2019, it cut off access to the internet, investigated the incident and the possible damage, cancelled classes Thursday and Friday, scanned all staff, district and student devices and installed new malware protection.
“We had staff from across the district that we mobilized, and we touched every single Windows laptop and desktop computer in the course of 72 hours,” Fountain said.
Students and teachers returned to school on Monday, Sept. 9.
“The big thing I would say is that it’s the preparation on the front end that is important to survive these types of events,” Fountain said.
“We’re very fortunate that our IT team took a proactive approach. They had a plan in place. They had procedures, and they were really able to secure things,” Fountain said.
What to do during a cyberattack
Cyberattacks of schools are becoming more common and more frequent, said Sandt, who served as an IT director in a school district for about 14 years before founding K12itc.
“It’s not a matter of if, it’s a matter of when. The key is being prepared and knowing what to do,” said Sandt, whose company often works with schools when it comes to these types of threats.
If schools think they’ve been a victim of a cyberattack, they should unplug the affected system, take it offline, and power it down to minimize the spread and the damage, Sandt said.
Since the mid-1980s the number of cyberattacks, the number of viruses and their complexity have risen exponentially, but the spending by most organizations, including schools, on resources to implement strong security has not kept up.
School districts need a layered approach that identifies and protects data and sensitive systems, puts procedures and policies in place that enhance security, takes steps to restrict people’s access to just what they need to do their jobs, and includes a process to examine whether the IT system has been attacked or breached, Sandt said.
School districts also need to make sure that anti-virus, anti-malware and system patches are updated regularly, Sandt said. Schools will often ask to shut down updates or patches on carts of Windows student machines, saying it impacts the educational process, but “you have to patch those systems, because those vendors are doing the hard work to make sure that they protect you from these incidents,” Sandt said.
School districts also should consider self- and third-party risk assessment, put potential solutions in place, and test those solutions.
“It’s not like you do this once, and all of a sudden you’re fixed. This is something that has to be a common, recurring process to be able to defend against changing threats,” Sandt said.
School districts need a cyberattack response plan that includes – “Who’s involved? Do they know the process? And are they ready to act when something happens? Because time matters, particularly when we’re talking about isolating an attack or the impact of such an event,” Sandt said.
Educating teachers, other district staff, and students about using strong unique passwords, not clicking on links in emails from unfamiliar senders and other threats is critical as well, Sandt said.
“If I can get you to download an email attachment with a zip file, get you to open it and you launch it, what you’ve just done is create a back door into your network right through your firewall and your firewall doesn’t do anything,” Sandt said.
Recovering from ransomware or malware takes time, Sandt said.
“If it’s a malware breach, for an example like Cryptolocker, you have to restore your servers,” Sandt said. “You may have backup for your servers, but most users if they’re storing something on their desktop, those files aren’t backed up. If that device is encrypted that now means that you may have to touch 1,000 or more devices to get them back up and online.”
“While your servers with good backup procedures might be able to be up and back online within 12 to 24 hours, you may have another two weeks of getting every system back online,” Sandt said.
That’s why backups are critically important, Sandt said.
“RYUK and attackers that are using that right now, their mission is to first get the malware deployed, get into your system then they hunt out your backup systems and try to disable them,” Sandt said. “Monitoring and managing your backup systems and testing to make sure that those are effective becomes critical.”
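As an added illustration of the backup monitoring Sandt describes (this is not code from the article, K12itc or any backup vendor), the Python below reviews a constructed backup job history and flags jobs that have silently stopped running, failed, or produced a sharply smaller backup set, the kinds of signals an operator would want before relying on those backups after an incident. Job names, field names and the sample history are hypothetical.

```python
"""Backup-health check over a job history (added example; constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BackupRun:
    job: str            # backup job name (hypothetical)
    finished: datetime  # completion time, UTC
    status: str         # "ok" or "failed"
    bytes_written: int  # size of the backup set produced


# Constructed sample history (not real data): three jobs, one expected job absent.
SAMPLE_RUNS = [
    BackupRun("fileserver-daily", datetime(2019, 9, 1, 2, 0), "ok", 900_000_000),
    BackupRun("fileserver-daily", datetime(2019, 9, 2, 2, 0), "ok", 910_000_000),
    BackupRun("fileserver-daily", datetime(2019, 9, 3, 2, 0), "ok", 12_000_000),  # sudden shrink
    BackupRun("sis-db-daily", datetime(2019, 9, 1, 3, 0), "ok", 400_000_000),
    BackupRun("sis-db-daily", datetime(2019, 9, 2, 3, 0), "failed", 0),
    BackupRun("mail-weekly", datetime(2019, 8, 20, 4, 0), "ok", 5_000_000_000),
]

# Every job that should be running, with the longest gap tolerated between runs.
EXPECTED_JOBS = {
    "fileserver-daily": timedelta(hours=36),
    "sis-db-daily": timedelta(hours=36),
    "mail-weekly": timedelta(days=8),
    "endpoint-images": timedelta(days=7),
}


def check_backups(runs, now, expected_jobs, shrink_ratio=0.5):
    """Return {job: [problems]} for jobs that look stale, failed, shrunk or missing."""
    by_job = {}
    for r in sorted(runs, key=lambda r: r.finished):
        by_job.setdefault(r.job, []).append(r)
    problems = {}
    for job, max_age in expected_jobs.items():
        issues, history = [], by_job.get(job, [])
        if not history:
            issues.append("no runs recorded")  # job disabled or never configured
        else:
            last = history[-1]
            if now - last.finished > max_age:
                issues.append(f"stale: last run {last.finished:%Y-%m-%d}")
            if last.status != "ok":
                issues.append(f"last run {last.status}")
            earlier_ok = [r.bytes_written for r in history[:-1] if r.status == "ok"]
            if earlier_ok and last.status == "ok" and last.bytes_written < shrink_ratio * max(earlier_ok):
                issues.append("backup set shrank sharply")  # data missing or excluded
        if issues:
            problems[job] = issues
    return problems


def run_sample_check():
    """Evaluate the constructed history as of the morning of Sept. 4, 2019."""
    return check_backups(SAMPLE_RUNS, datetime(2019, 9, 4, 8, 0), EXPECTED_JOBS)
```

Run `run_sample_check()` to see each flagged job with its reasons; a real deployment would feed it the job history exported from the backup software and alert on any non-empty result.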