Softening the impact of ransomware attacks
- By Stephanie Kanowitz
- Oct 05, 2020
Three days after virtual learning kicked off in Fairfax County, Va., the public school board announced that it had become the victim of a ransomware attack. The 10th largest school division in the country, with more than 188,000 students and about 25,000 employees, Fairfax County Public Schools (FCPS) began working with FBI to pinpoint what data was affected when the hacker group Maze, which claimed responsibility, struck.
FCPS was lucky: The attack didn’t affect distance learning. But other localities were not as lucky. An attack on the Newhall School District in California shut down distance learning for 6,000 elementary school students, and an attack on Hartford, Conn., delayed the start of school for 18,000 students. When officials in the school district that includes Las Vegas refused to pay to unlock their administrative systems after a ransomware attack, the Maze group posted personal information of employees and students including names, addresses, grades and Social Security numbers.
Ransomware attacks have long been a top cybersecurity concern for organizations in every sector, not just public education. In fact, a mid-year report by Bitdefender found a 715% year-on-year increase in the number of ransomware attacks globally, and last October, CNN reported that in the first 10 months of 2019, 140 local governments, police stations and hospitals experienced ransomware attacks.
“State and local governments get targeted frequently” because they have so many employees and, in some cases, their security systems may not be as up-to-date as other organizations,” said Jon Toor, chief marketing officer of Cloudian, a data storage company. “They could present a little bit softer target,” he said.
Slow-to-evolve processes and procedures are also to blame for state and local entities’ vulnerabilities, he said. One thing they need to consider is a more robust environment that includes backups of data stored someplace secure, even air-gapped. “That’s the first and foremost defense,” Toor said.
Migration to the cloud often provides a false sense of security for agencies. Although the cloud has security benefits, about half of attacks target data in the cloud, Toor said. “You really need to put defensive measures in place wherever your data is.”
The coronavirus pandemic has accelerated the number of ransomware attacks. Bitdefender’s report stated that there was a five-fold increase in the number of COVID-themed attempts reported in the first two weeks of March and that an average of 60% of emails received in May and June were fraudulent.
“The attack method and the technology being leveraged is still the same,” said James Carder, chief security officer and vice president of labs at LogRhythm, a security intelligence company. “It’s just the fact that they’re disguising it and putting the cover of the pandemic over it to get the users to click more.”
Additionally, as school districts and state and local governments worked to quickly implement learning and business systems that students, employees and the public could use from home, cybersecurity sometimes took a backseat to operations.
“Security controls often come in second to the operation of the business, and so we’re playing catch-up from that perspective,” Carder said.
He recommended six steps that organizations at all levels of government can take to harden their IT systems:
- Prepare -- Patch security gaps and run tabletop exercises that simulate ransomware attacks, Carder recommended. “You don’t want to experience it for the first time and have it be the first time you update your plan,” he said.
- Detect -- Use threat intelligence to block or alert IT staff to anomalies associated with ransomware.
- Contain – If infected, block and isolate the local host from the network to prevent further encryption.
- Constantly monitor -- Have a view of the entire range of networks and apps across the IT landscape.
- Eradicate -- Replace affected machines or remove the malicious email.
- Recover -- Restore from backup and conduct forensic investigations.
Funding is a big concern for school districts and state and local governments, many of which face considerable shortfalls as a result of pandemic-related shutdowns and rising unemployment. But they don’t have to spend lots of tax dollars to make a considerable difference in their security postures.
“If you go down the zero-trust path as a school district, that may incur some additional costs that may not be budgeted,” Carder said. Agencies have some lower cost options, though, including “tabletop exercises you could do yourself, backups you could control, training – that could be simply raising awareness through email,” he said.
One path to better security is as simple as keeping backups separate from the active network, Toor said.
“Everyone does backup as a normal part of their process, so if you’re upgrading your backup process, which happens periodically, make sure that you’ve incorporated object lock,” which prevents app and data version deletion, he said. “Many folks may have access to this and not even know it.”
Although the average ransomware attack at a large organization can cost upward of $1 million, protected backup copies can cut that amount in half, Toor added.
Stephanie Kanowitz is a freelance writer based in northern Virginia.