The FBI has released a public service announcement that K-12 schools should expect a surge of cyberattacks, particularly ransomware infections, during the ongoing uptick in remote-learning as a result of the coronavirus pandemic.
Schools, colleges, and universities have all experienced an increased reliance on technology, they have opened up their infrastructure to enable remote learning connections, yet their resources dedicated to network defense haven’t grown accordingly. With their attack surfaces wider than ever before, schools have come to represent prized ransomware victims.
Schools are tempting targets for hackers for two important reasons; they hold troves of sensitive student data. and have minimal defense mechanisms - effectively making them the “low hanging fruit” of cyber-attack targets.
According to the report, the number of attacks targeting K12 schools in 2019 was 1,233, with another 422 schools being attacked just within the first quarter of 2020. This represents a huge increase from previous years. Some of these schools lost total access to their computer networks, files, and communication systems as a result.
The Bureau also raised awareness on the increased proliferation of ransomware gangs that steal data from infected networks and then threaten to publish that sensitive data if the school refuses to pay the ransom. This added risk “may create an elevated urgency for schools to pay ransoms” and thereby perpetuate the practice. For this reason, the FBI advised schools to pay particular attention to attacks involving Ryuk ransomware which exploits RDP endpoints to gain an initial point of entry.
Unlike what most people think, when ransomware hits, decrypting the ransomware with a special key won’t necessarily help you return to a clean state or be enough to stop the impact of having been attacked - because the machine is still infected. This means that any new files, files restored from a backup, or decrypted files are still vulnerable to the ransomware logic that is still lying dormant within the system. Paying the ransom doesn’t put you out of harm’s way, there is still every risk of getting encrypted again.
The ransomware persistence methods, for example, those used by Ryuk, entail that stopping the process of the ransomware won’t be enough since after a period of time or even after a reboot, the ransomware will still be active.
According to Guy Propper, Threat Intelligence Team Leader at Deep Instinct, it’s critical for schools to realize the threat, but that there are also solutions available to help defend against it, “your school doesn’t have to become another statistic, forced to close its doors on students.”
“Probably the most effective and reliable way to get rid of ransomware is to reimage or format the machine, but that’s of course very expensive, especially when there is a lot of data that is likely to be lost” advises Propper. This approach necessitates that a school network’s typically short-staffed IT team needs to know and be familiar with all the places or methods that malware (not just ransomware) gains its persistence. For example, recovering or reverting to a previous mode before the registry key was changed.
Therefore, the most effective way to handle ransomware attacks is to prevent them from happening, an approach that has been pursued and successfully deployed by Deep Instinct. Deep Instinct offers powerful solutions, based on the advanced A.I technology of deep learning to enable resilient prevention against even the most advanced malware and ransomware threats.
To trial the efficacy of Deep Instinct’s preventative approach, school networks can schedule a free threat analysis that is currently available at Deep Instinct. This analysis is designed to provide endpoint security teams with sufficient insight on how school networks can be kept secure, even as more educational activities go virtual.
