How to protect your district from ransomware attacks

As with almost every industry, COVID-19 has required educational institutions to embrace digital technology for remote learning and student, teacher, and internal administrative meetings and collaboration.

Web applications are adapting the learning experience, and streamlining the way educational institutions work. K-12, college, and university campuses are increasingly reliant upon these digital technologies.

While campus IT departments work hard to accommodate the diverse needs of users, IT complexity has created many challenges. Cybercrime is up, and no school or university is immune. The new “learn from anywhere” environment has dramatically increased the number of remote students, faculty, and administrators, who are on the frontlines of a growing cyberwar.

Ransomware attacks on education institutions are increasing

Ransomware attacks have increasingly targeted colleges and universities. Cybercriminals have been exploiting security vulnerabilities that have propagated, as attack vectors have expanded with users accessing software and files from remote data centers, clouds, and SaaS facilities.

Last March, the FBI’s Cyber Division sent out an advisory notice warning of cybercriminals using malicious software called PYSA ransomware targeting educational institutions, and successfully extorting money. PYSA is one of many ransomwares, like NetWalker, Clop, Ryuk, DoppelPaymer, and others used in attacks against K-12 schools and colleges.

In July of 2020, the University of California, San Francisco, paid $1.14 million to cybercriminals who encrypted and threatened to publish stolen sensitive information. UCSF, Michigan State University, and Columbia College Chicago were targeted with the same ransomware, as was the University of Utah, which paid $457,000 in ransom. 

Ransomware attacks on colleges doubled between 2019 and 2020, according to the BlueVoyant: State of Education 2021 Report. There were at least 26 ransomware attacks involving colleges and universities in 2020, and 58 attacks involving school districts, according to Emsisoft. Because school districts include multiple institutions, it’s estimated that 1,681 schools, colleges, and universities were affected. 

Despite many diverse security products that schools and universities deploy, cyberattacks continue unabated. Ransomware is a primary attack focus, comprising almost a third of all cybersecurity incidents. Unfortunately, educational institutions with security products can become overly confident, believing they have adequate protection. But that just isn’t the case. We’ve seen numerous schools and universities with multi-layered security protections become victims of cyberattacks.

Detection and prevention solutions, while necessary, simply won’t prevent every attack from breaching their defenses. There are too many gaps between solutions, too many people mistakenly clicking on malicious phishing links, too many weak password methods, and too many system vulnerabilities that are exploited.

Schools and universities think it’s never going to happen to them, until it does. However, cybersecurity incidents are so prevalent, every educational institution needs a comprehensive plan to recover their data and digital systems.

Speed of recovery is critical

After an attack, operations need to be up and running quickly. In addition to having detection and protection measures in place, recovery measures are necessary for rapid restoration. Most educational institutions can’t afford to be offline for days or weeks, so they pay the ransom. Victims feel it’s likely less costly than replacing and rebuilding systems from backup. However, a paid ransom means cybercriminals are encouraged to continue their malicious exploits.

Rendering ransomware impotent

Schools and universities victimized by a cyberattack can experience long-term business and financial consequences. In addition to a holistic strategy and multiple layers of security to protect against cyberattacks, rapid data and operating system recovery is needed.

Paying a ransom because data is held hostage is not a cybersecurity strategy. Data backup isn’t the answer for protecting against ransomware, either. Restoring data from backup takes a long time, and it’s not always reliable. Truth be told, hackers also target backup systems. Data and system recovery need to be proactively deployed to quickly re-establish operations. Security products and recovery solutions go hand-in-hand, so if a cybercriminal gets past the firewall, anti-malware, or endpoint security, all data and operating systems can be recovered within an hour or two, rather than days or even weeks.

Rather than copying data, next generation recovery solutions create a virtual overlay with stored deltas of the original data. Security breaches will only reach the overlay that protects the original data and operating systems, with data quickly restored with a single button click. This renders ransomware powerless, because the data is never lost, and can’t be held hostage.

What to do if you have a cyberbreach

If no next generation recovery solution was in place before a ransomware attack, there are important steps that must be taken immediately following the attack. First, disconnect all computers from the internet and power them down. After identifying the affected host’s mission-critical data, mount the storage devices of computers known to be clean systems, and back them up. It’s important to also backup a potentially corrupted system. This preserves important forensics for further breach investigation. It also allows an additional opportunity to recover data through different methods and tools.

It is recommended that the operating systems of the compromised machines be reinstalled from scratch or factory reimaged. This is important, because hackers are known to install backdoor or malware that are hard to detect and completely remove. Then you can begin the arduous task of restoring your data using a backup or recovery tool.

Lastly, after you finish recovering all the data and computers, it’s important to patch all vulnerabilities, harden security in your systems, and change user passwords on the affected computers. I must stress the importance of being proactive. It’s not a matter of if a cyberattack will happen, but when. A mature cybersecurity posture, with a rapid recovery solution, will ensure protection when hackers exploit security gaps and vulnerabilities.