Think ransoms are only paid out to rescue victims of kidnappings? Think again.
Imagine walking into your office one morning and finding some (or all) of your district’s computer files “padlocked” and inaccessible. In the corner, a masked man is standing with his hand out, demanding an $8,000-$10,000 ransom payment. When he gets the money, he’ll hand over the key to the padlock. If you choose not to pay, then you’ll spend the next few months trying to pick the lock while teachers, students, and administrators are forced to work without their modern technology.
This is essentially what happened to Horry County Schools (HCS) of Conway, S.C., earlier this year. On February 8, using a type of malicious software designed to block access to a computer system until a sum of money is paid (aka, “ransomware”), hackers used strong encryption to lock up the district’s data. The criminals then held that data for ransom and demanded the district pay nearly $10,000 via Bitcoin for the encryption key.
Charles Hucks, executive director of technology, says the district had experienced a few breaches during the months leading up to the attack, but nothing of this magnitude. “A few devices of teachers were hit and some of their local files were encrypted,” says Hucks. “In some cases network-based files on individual directories were also encrypted, but the impact of those attacks was very limited. They were isolated incidents.”
Attacks are on the rise
Ransomware attacks are on the rise. According to a recent PhishMe analysis of phishing email campaigns (i.e., deceptive attempts to pose as a reputable entity via email), during the first three months of 2016 there were 6.3 million more phishing attacks than there were during the same period last year. This represents a 789% increase that’s primarily due to an upsurge in ransomware.
“Thus far in 2016, we have recorded an unprecedented rise in encryption ransomware attacks, and we see no signs of this trend abating,” explained Rohyt Belani, CEO and co-founder of PhishMe, in Infosecurity Magazine’s Ransomware Sends Phishing Volumes up Almost 800%. “Individuals, small- and medium-sized businesses, hospitals, and global enterprises are all faced with the reality that this is now one of the most favored cyber-criminal enterprises.”
On February 8, a day that will forever be known as “Day Zero,” these statistics came to life at Horry County Schools. Entering the district’s network through an older server still used by the construction/facility department—but that was no longer being maintained or supported by its developer—the criminals installed the ransomware and sat back as it wreaked havoc on student, teacher, and administrative files.
“It was much worse than anything we’d seen before,” says Hucks, whose team was forced to shut down more than 100 servers and systems in order to keep the virus from spreading. As a result, the 42,000-student district was thrown into the dark ages and forced to work without the laptops, tablets, and other devices that it was accustomed to using.
“Every student in grades 5-12 has a device that’s issued to that individual for use all day, every day,” says Hucks, “and all teachers have laptops, iPads, and/or Windows tablets for use in instruction. When we shut everything down—including our Wi-Fi and Internet access—it pretty much turned those devices into standalone pieces of equipment.”
Coming to a standstill
With all of its systems shut down, Hucks says HCS tried to pinpoint the culprit and keep it from spreading any further. By “Day One,” he says, most of the district’s authentication servers and Internet access were restored across all 53 schools. “Teachers and students could at least log into the network and get online at that point,” says Hucks. With much of their instructional content stored in the cloud, teachers and students were able to log in, connect to the network, and use their devices for content creation, collaboration, and the consumption of digital content.
Hucks says restoring the data that teachers and students had stored on the network took more time. Word documents, PowerPoint files, Photoshop files, and other important content were stored on file servers at each of HCS’ schools and then backed up centrally. “It took a significant amount of time to restore everything from the central backup and out to all of our schools,” says Hucks. The district’s student information system (SIS) and its finance/accounting/HR system both took a few days to restore.
But that’s not the end of the story. There was still a matter of paying the ransom for the key to the rest of the encrypted data. “We had our wireless network and our authentication back up within a day, but the distributed systems that have high amounts of data—primarily our file servers and the security camera servers that are present at each school—were also hit and encrypted,” says Hucks. “For those servers, we knew that paying the ransom would get those files back and available to our end users much more quickly than restoring them from backup.”
The district decided to pay the ransom after weighing out the amount of time it would take to restore access to the files on its own, and the amount of time users would have to wait to gain access to their files. “We’re a large district with an $800 million budget, so paying $8,000 or so to get teachers’ and students’ data back in their hands quickly was a business decision,” says Hucks. “When you consider that you only have students in class 180 days out of the year, paying that sum to get everything back online quickly seems like the right thing to do.”
Jonathan Levine, CTO at Intermedia in Mountain View, Calif., says that most ransomware attacks use either email or websites to infect their “hosts.” Someone may unknowingly visit a compromised website and download the malicious code through JavaScript, for example, or double click an email with an infected attachment. And because the damage can be inflicted remotely—and the money transfer handled using mechanisms like Bitcoin—locating and prosecuting the criminals is nearly impossible.
“It’s a perfect strategy for international criminals,” says Levine, who adds that K-12 institutions could be vulnerable to ransomware because many use older equipment and operating systems. “If you’re still using Windows XP or OS Leopard—neither of which are updated by their developers—you’re probably missing out on a lot of security patches,” says Levine. “This can make your systems more susceptible to ransomware.”
‘You may miss one’
With HCS’ ransomware attack squarely in his rear-view mirror, Hucks says his district has begun looking more carefully at areas that hackers could potentially breach. Systems like the one used by HCS’ facilities department—which only contained historical data but wasn’t being maintained or supported by its vendor—have since been restricted to internal use only (rather than being reachable from the public Internet). “We kept up the server,” he explains, “but had we made that server internal-only earlier, it would have prevented this attack.”
To other K-12 technology professionals worried about potential ransomware attacks, Hucks says the best defense is to be aware of both internal and external threats and to recognize that any network device or server that’s accessible from the public Internet is a potential breach point.
“The security experts tell us to patch our systems and do our backups, and that’s good advice,” says Hucks, “but when you’re in an organization of 43,000 students, 3,800 faculty and staff, and a network that spans more than 50 locations and over 50,000 end points, you may miss one.”