Back to school security against ransomware attacks on K-12 and colleges
A ransomware attack on an educational institution causes more than just class disruption. It can result in lost teaching hours, financial strain, and compromised personal data. In the K-12 system, a closed school forces parents to request time off work and stretches limited school finances.
For college and university students, a ransomware attack may result in stolen personal data right as students start their professional lives.
Ransomware attacks have increased alarmingly: reported K-12 incidents grew from 400 in 2018 to a cumulative total of over 1,300 by 2021, and we don’t need to look far to see how they’ve harmed the education sector.
A recent Truman State University ransomware attack caused several days of shutdowns and the engagement of external security teams. In Pennsylvania, the Penncrest school district found itself the target of a ransomware attack leading to multiple days of no internet access and disruption of school routines, impacting local families.
We’ll explore the steps IT teams at education institutes can take (and local government should support) in order to protect the people in their care from disruption and stolen data.
Stop ransomware through early detection
Once a ransomware attack has begun, it’s often too late to do anything about it. The sobering reality is that hundreds of GB of data can be encrypted in under 5 minutes with LockBit 2.0, and it’s only getting faster. Organizations are usually left with two bad options.
The first (and not recommended) option is to pay the ransom, then hope the cybercriminals decrypt your systems, don’t sell your data, and don’t return for another attack.
Alternatively, you will need to rebuild your IT systems from scratch, which can be expensive and time-consuming given the typically small IT departments many schools and universities have.
Putting security measures into place to prevent an attack in the first place is the best defense, and there are several attack vectors that IT can watch for early warnings. Many attackers take the path of least resistance, and monitoring the easiest routes makes a threat actor’s job that much harder.
Though not comprehensive, here are several areas to consider closely monitoring:
- Phishing emails – A popular delivery method for sending ransomware executables to unwitting users. Strong anti-phishing software and awareness training are a must.
- Remote connections – Remote Desktop Protocol (RDP), Teamviewer, VNC, etc.
- Persistent installations – Unexpected startup programs or scheduled task creations.
- Privilege escalation – LSASS exploitation, pass-the-hash attacks, or insecure services.
- Detection prevention – Disabling Microsoft Antivirus and other security tools.
- Network reconnaissance – Port Scans, Promiscuous Network Modes, etc.
- Data exfiltration – Unexpected outbound connection targets and bandwidth traffic spikes.
Breached passwords offer easy starting points for ransomware
Logging in is easier than hacking in. Attackers can quickly exploit compromised passwords, especially when people re-use them across multiple personal and work accounts. For instance, a threat actor can purchase lists of compromised credentials then use social media to narrow down who works in a school.
Institutions implementing multi-factor authentication make this attack more difficult, but not impossible.
Tools such as Specops Password Policy with Breached Password Protection (BPP) check an institution’s Active Directory against a constantly updated list of over 3 billion unique compromised passwords – even those being used in attacks right now. This allows IT teams to close off hundreds of possible attack routes into their institution.
Specops Password Policy with Breached Password Protection is popular with schools, universities, and local governments due to cost-effectiveness, quick implementation, and ease of end-user use.
It allows institutions to create custom password policies, enforce compliance requirements, block compromised passwords, and help users create stronger passwords in Active Directory with dynamic, informative client feedback. Few solutions offer such a simple way to bolster password security and prevent attackers from gaining a foothold and instigating a ransomware attack.
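To make concrete how a breached-password check combines with a custom policy, here is an added example (not Specops code and not a description of its product internals): passwords are compared by SHA-1 hash against a constructed, tiny stand-in for a breached-password corpus using a k-anonymity style prefix lookup, and then checked against assumed policy rules (minimum length and institution-specific banned words).

```python
import hashlib

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breached-password corpus: SHA-1 hashes bucketed by
# their first five hex characters, the shape a k-anonymity range query returns.
_BREACHED: dict[str, set[str]] = {}
for _weak in ("Password1", "Summer2023!", "Welcome1", "school123"):
    _h = sha1_upper(_weak)
    _BREACHED.setdefault(_h[:5], set()).add(_h[5:])

def range_lookup(prefix: str) -> set[str]:
    """Return the hash suffixes in one bucket. Only the 5-character prefix leaves
    the caller, so neither the password nor its full hash is sent anywhere."""
    return _BREACHED.get(prefix.upper(), set())

def is_breached(password: str) -> bool:
    h = sha1_upper(password)
    return h[5:] in range_lookup(h[:5])

def evaluate(password: str, *, min_len: int = 12,
             banned_words: tuple[str, ...] = ("truman", "penncrest")) -> list[str]:
    """Return the policy violations; an empty list means the password is acceptable.
    Banned words are assumed institution names; a real policy would load its own list."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    lowered = password.lower()
    for word in banned_words:
        if word in lowered:
            problems.append(f"contains banned word '{word}'")
    if is_breached(password):
        problems.append("appears in the breached-password list")
    return problems

if __name__ == "__main__":
    for candidate in ("Password1", "GoTrumanBulldogs2024", "correct horse battery staple"):
        print(candidate, "->", evaluate(candidate) or "OK")
```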
Minimize the attack surface of public-facing systems
Open remote connections are a vulnerability waiting for exploitation. The 2022 Unit 42 Incident Response Report notes that RDP is a common target. Requiring a VPN or Zero-Trust Authentication gateway is necessary for any school, university, or local government to connect to internal systems remotely.
Even school print servers are unsafe if unpatched and exposed to the internet. For example, a recent PaperCut NG and PaperCut MF vulnerability led to increased ransomware attacks from the Bl00dy Ransomware Gang.
Limiting public-facing systems to the entry points that are strictly necessary keeps threat actors at bay. Minimizing the number of external services to monitor also makes the job of school IT departments manageable.
Deal with stale and overprivileged accounts
It’s not uncommon for overworked school IT departments to have old accounts, forgotten users, and overprivileged service accounts floating around. These forgotten accounts might seem harmless, but they’re a tempting target for threat actors.
Going unnoticed, a compromise of an old account might not trigger a response since the owner may be long gone. Implementing a proper user lifecycle policy from on-boarding to off-boarding keeps old accounts from potential compromise.
Similarly, overprivileged accounts are endemic to nearly every IT organization. Creating a single privileged account to run multiple services may mean less work and monitoring. But when compromised, an overprivileged service account offers many footholds into a school or university network.
By “right-sizing” accounts through the concept of least-privileged access and separation of duties, a compromised account is far less likely to cause devastation across the network.
Harden endpoints against ransomware attacks
Even the best prevention strategies may not stop a determined adversary from sneaking a phishing email with a ransomware executable to an unsuspecting student or IT administrator. Once downloaded, an unprotected endpoint may provide all that is needed to spread the ransomware throughout the school’s network.
Below are several common steps to take when hardening a Windows endpoint:
- Prevent running suspicious executables through the use of Microsoft Applocker and allow-list applications.
- Implement SMBv3 and disable SMB v1 and v2 to prevent lateral network intrusions.
- Disable default usernames and passwords on all devices and endpoints.
- Implement LAPS (Local Administrator Password Solution) for older OSs such as Windows Server 2019 and Windows 10.
- Implement the Attack Surface Reduction (ASR) rule for LSASS and Windows Defender Credential Guard.
- Implement PowerShell logging and harden remote PowerShell connections.
- Require non-deferred Windows Updates along with consistent Antivirus updates.
- Block saving user passwords to local browsers such as Chrome and Firefox.
Preventing an endpoint from further compromise may quickly stop a ransomware attack. This prevention avoids the need to restore systems from backups.
Protect against catastrophe with up-to-date offline backups
If the worst has happened, and a ransomware attack has taken down a school’s network, up-to-date and offline-stored backups are crucial to getting the students back in the classroom.
By keeping backups offline, segmented, or “air-gapped,” a successful ransomware attack will not affect those backups, allowing a clean restore.
Backing up an entire institution can be difficult and incur significant storage costs. However, not doing so could be even more costly, as threat actors may demand millions of dollars for restoration.
IT administrators must continuously test backups, verify recovery procedures are in place, and gauge the difficulty of a full restore to be ready in the event of an incident.
Can we keep schools and students secure?
The FBI (Federal Bureau of Investigation), CISA, and the MS-ISAC warned about Vice Society and the threat it poses to education sectors in a joint Cybersecurity Advisory (CSA):
“School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk. K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers.”
Ransomware is a growing and costly problem for schools and their students. Local governments can support schools and universities by funding the right security tools and techniques for ransomware detection, prevention, and mitigation.
Although there are no foolproof ways to prevent every ransomware attack, a comprehensive security plan incorporating the above steps will stop most attacks and go a long way towards prevention.