5 Practical Strategies for Protecting Against K-12 Ransomware Attacks
For those unfamiliar, ransomware is exactly what the name implies: a form of cryptovirus malware that enables an attacker to encrypt the target's files, databases and other network assets, demanding an untraceable ransom payment in return for the decryption key.
Perhaps the most notorious recent example is the Colonial Pipeline shutdown that impacted 45 percent of the East Coast's fuel supply. The pipeline was taken offline after a hacker penetrated the company's servers, disrupting access to its own network assets, and stole copies of the company's privileged data. The shutdown sparked widespread fears of a regional gas shortage, resulting in panicked gas hoarding by consumers. It was the largest known ransomware attack on American energy infrastructure to date.
In another ransomware incident two years earlier, the city of Baltimore suffered a crippling attack on most of its IT systems, including its ability to generate revenue. The city refused to pay a ransom demand of 13 bitcoin (then equal to nearly $77,000), but remediation costs exceeded $7 million and lost revenue totaled more than $10 million.
As criminals are drawn to the lure of easy money, ransomware attacks are proliferating, and attackers increasingly choose soft targets with limited resources to address the threat. K-12 education systems, unfortunately, too often fall into that category. In fact, a recent report stated that nearly 60 percent of ransomware attacks hitting state, local, tribal and education organizations are targeted at K-12 education systems during the back-to-school months of August and September. In response, the IT security industry is rolling out numerous and diverse anti-ransomware technologies and strategies to help organizations minimize their vulnerability. But the many options available can at times be vague, confusing and even contradictory. What's an education IT manager to do?
It's important to note that K-12 organizations almost never attract the super-sophisticated levels of attack usually reserved for stealing national secrets; rather, these are usually the work of garden-variety hackers looking for a quick buck by disrupting operations so that teachers can't teach, students can't learn and administrators can't operate. The pandemic exacerbated the ransomware threat as schools resorted to videoconferencing solutions to keep virtual classrooms in operation — thus increasing their dependence on reliable IT performance.
But the threat to K-12 extends beyond classroom learning disruption: ransomware attackers are also in search of personal identification records to sell — privileged files on teachers, staff and especially young students, whose credit history is more likely to be a blank slate that identity thieves can exploit. The result: years later those young people may enter adulthood with a tarnished financial history when they try to establish their own credit.
Complicating matters is the failure by some K-12 organizations to fully appreciate the ransomware threat, or they prioritize other security challenges while failing to address even the most egregious ransomware exposures: weak passwords, inadequate patching and backups, and susceptibility to phishing scams and other ruses used to gain privileged access. These lapses let attackers gain a foothold in the system and then move laterally and escalate privileges as they go; without tested backups, there is no way to undo the damage once files are encrypted.
We'd like to recommend some policies and actions that should be your first priorities for a practical approach to ransomware preparedness — especially in K-12 education.
Your most effective anti-ransomware defense begins with addressing the most commonly exploited (and hence most critical) vulnerabilities first. Here are five top priorities to help you minimize your K-12 organization's exposure to ransomware attacks, educate users about best practices and ultimately save your organization millions of dollars in potential ransom payments and damage mitigation.
- Make cyber-hygiene everyone's top priority: Virtually all ransomware attempts can be thwarted by simple actions, such as:
  - Follow prompt, effective patch management policies.
  - Run regular scans to detect and close ports needlessly exposed to the Internet.
  - Make it impossible for users to select easy-to-guess passwords like "password"; require long, complex combinations of numbers, letters and symbols instead.
Ultimately, though, good cyber-hygiene comes down to the buy-in of each individual from the top down, promoting a culture that takes the potential threat seriously — and acts on it.
- Require multi-factor authentication (MFA): Whether in the form of a one-time PIN sent to email or instant message, or proximity to a recognized device such as a smart phone, MFA offers an extra level of user verification. Take the case of a global technology platform that was assailed daily by multiple cyber attacks, a number of them ransomware in design; since instituting an MFA requirement, none of those kinds of attacks has been successful.
- Create and test frequent backups: In addition to backing up data, it's also important to back up structures such as Active Directory, and then test those backups at regular intervals to make sure they work reliably before you need them.
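Priority 3 asks for backups that are tested before they are needed. The routine below is an added example, not WWT's or Intel's code: it archives a directory with a SHA-256 manifest and then runs a restore test into scratch space, flagging a truncated, corrupted or incomplete archive. The "gradebook" tree and its file names are constructed for the demo.

```python
import hashlib, json, tarfile, tempfile
from pathlib import Path

def make_backup(src: Path, archive: Path) -> dict:
    """Archive every regular file under src; write {rel_path: sha256} beside it."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
                tar.add(str(p), arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest))
    return manifest

def restore_test(archive: Path) -> tuple:
    """Extract into scratch space and check every file against the manifest.
    Returns (ok, problems); ok is False for an unreadable/truncated archive too."""
    manifest = json.loads(Path(str(archive) + ".manifest.json").read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                safe = [m for m in tar.getmembers()  # plain files, relative, no traversal
                        if m.isfile() and not m.name.startswith("/") and ".." not in m.name.split("/")]
                tar.extractall(scratch, members=safe)
        except Exception as e:  # tarfile.ReadError, EOFError, zlib.error, OSError ...
            return False, [f"archive unreadable: {e}"]
        for rel, digest in manifest.items():
            out = Path(scratch) / rel
            if not out.is_file():
                problems.append(f"missing: {rel}")
            elif hashlib.sha256(out.read_bytes()).hexdigest() != digest:
                problems.append(f"hash mismatch: {rel}")
    return (not problems), problems

def demo() -> tuple:
    """Constructed sample tree: verify a good backup, then a truncated copy of it."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "gradebook"
        (src / "2024").mkdir(parents=True)
        (src / "roster.csv").write_text("id,name\n1,student\n")
        (src / "2024" / "q1.csv").write_text("id,grade\n1,A\n")
        archive = Path(d) / "gradebook.tar.gz"
        make_backup(src, archive)
        healthy_ok, _ = restore_test(archive)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])  # simulate a truncated/corrupt backup
        corrupt_ok, _ = restore_test(archive)
    return healthy_ok, corrupt_ok  # (True, False)
```

Schedule `restore_test` to run after every backup job and alert on any `False` result; a backup that has never been restored is an assumption, not a recovery plan.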
- Have a solid plan in place before an incident: Train and drill staff on specific areas of responsibility and procedures for different "what if?" scenarios:
  - How to proceed in mitigating or escalating an incident.
  - What not to do.
  - Whom to contact, and in what order.
You might even consider running "chaos engineering" exercises, randomly shutting down servers or data centers to test the response; if your detection systems fail to register a problem, then your preparations have failed.
- Establish and nurture critical relationships: It's good to have allies outside of your organization you can reach out to in the event of an attack, colleagues who can offer their material support and guidance.
Implementing the prudent protections listed above will go a long way toward helping you reduce your profile as a soft target for ransomware attackers, and they can be made even more powerful by introducing some of the latest security technology advancements available in hardware and software. But it's important to have the right guidance to understand what they are, how they work and how to activate them most effectively.
WWT is collaborating with longtime technology partner Intel to develop and deploy a new generation of security solutions built deep into hardware to minimize attack surfaces and strengthen K-12 endpoint devices and data centers alike, leveraging the latest security technologies. A few of these include:
- Intel® Software Guard Extensions (Intel® SGX) offers hardware-based memory encryption that isolates specific application code and data, with hardened security and verification capabilities that reduce the potential attack surface.
- Intel® Trusted Execution Technology (Intel® TXT) is a scalable architecture that provides hardware-based security technologies designed to harden platforms against emerging threats such as hypervisor attacks, BIOS and other firmware attacks, malicious rootkit installations and other software-based attacks.
- Intel® BIOS Guard hardens flash storage to help prevent unauthorized BIOS changes and code execution.
- Intel® Boot Guard establishes hardware-based roots of trust to measure and verify boot integrity.
As important as these technologies are to a robust anti-ransomware defense, equally essential is to acquire the IT security expertise to understand how to deploy them effectively.
Toward that end, WWT can demonstrate these complementary security technologies in action in our Advanced Technology Center (ATC), a one-of-a-kind research and development ecosystem dubbed "Silicon Valley in St. Louis." Education-focused IT professionals are invited to visit the ATC and see these WWT/Intel solutions in action.
For the modern K-12 educational organization, encountering ransomware is not a matter of "if" but "when." And the impact of a successful attack can range from disruptive to devastating. The potential exposure is especially critical for K-12 systems that discount the threat or may be distracted by other IT concerns.
A great majority of ransomware attempts could be thwarted by following the practical, prioritized strategies outlined here — cyber-hygiene, multifactor authentication, regular system backups, having a recovery plan in place — and by leveraging today's technology tools for hardened security to detect, resist and recover from ransomware attempts.
Contact us to explore these anti-ransomware solutions in the ATC, schedule a workshop or request a POC.