Preparing Schools for Ransomware—the Next Big Threat to Education

By Jonathan Levine, Jun 11, 2016

Schools must brace themselves for an onslaught of new cyber attacks. Today’s most pervasive cyber threat is “crypto-ransomware”, a type of malware that encrypts and scrambles files (usually in the form of confidential data) to hold them for ransom. As a recent victim of ransomware, Horry County Schools, the third largest school district in South Carolina, was forced to shut down more than 100 servers to stop the malware from spreading.

The devastating impact of ransomware leaves schools in a predicament. Once infected, organizations face two hard choices: spend multiple days offline attempting to recover the files, or pay the ransom. In the case of Horry County Schools, the data on 25 servers was rendered inaccessible and the school district had no choice but to pay the hackers $8,500 for the encryption key.

While $8,500 may not be a significant amount to some organizations, it’s a hefty sum for educational institutions, where budgets are always a topic of discussion. With ransomware rapidly evolving, districts can only expect outbreaks to increase, both in frequency and cost of ransom.

Network architectures leave schools vulnerable

Schools are highly vulnerable to ransomware attacks. Because educational organizations typically share the same network architectures, they’re tied to the same network weaknesses that offer hackers economies of scale. Schools often place public computers (like library and classroom workstations) on the same networks as administrative computers, meaning that even an unsuspecting student could be the targeted victim.

Once infected, it’s easier for schools to experience the domino effect of ransomware, spreading from one computer to the next and ultimately locking down an entire district. More alarmingly, schools upgrade their systems less frequently than businesses and are less likely to keep their software up to date. Seeing as they are also less likely to have backups, hackers are well aware that these educational institutions will be more likely to cough up the ransom. But paying up is by no means the only option.

Solidifying defenses and fighting back

The FBI often advises paying ransoms in crypto-ransomware cases, but giving in to the demands of a cyber-criminal is often neither quick nor painless. Acquiring the Bitcoin currency in which hackers want to be paid can be difficult, and even then, paying the ransom is no guarantee of getting files back. Even if successful, the victim still needs to wipe and restore each of the infected computers to remove all traces of the virus, which results in even more downtime. But if an institution hasn’t been backing up its computers, paying will be the only option.

With backups in place, restoring from those backups can be a viable alternative to paying ransoms. But the restoration process can still be very time-consuming. A cloud backup provider, Carbonite, reports a restore rate of 10 Mbps, which means a 50 GB file archive would take around 12 hours to recover per affected endpoint.

With the right file management system in place, it’s possible to reduce the effects of a ransomware attack from a major disaster to a mild disruption. Look for services that provide two key capabilities. First, look for systems that back up files in real time and that allow users to easily and instantly roll back their files to any date and time, so they can restore files to their pre-infected state. Second, users need to be able to access their files from the cloud via unaffected alternate devices, even while IT is wiping and restoring the infected computer. Accessing corrupted files through other devices on the same network will only spread the malware. Having a system with these two capabilities in place before an attack will facilitate business continuity during a crypto-ransomware outbreak, and allow schools to continue to run smoothly without paying the hacker a dime.

Putting ransomware in detention

Understanding what actions to take immediately in the event of a ransomware attack is vital to stopping the outbreak. If a computer is discovered to have ransomware, it must be immediately isolated from the rest of the network. Since ransomware can easily extend to an entire network, it’s not only one staff member brought to a standstill but possibly the entire administration.

In short, much of an organization enters into a holding pattern while IT rebuilds the computers and restores their files from backup (if available). Even if they can access their files through alternate devices, the files themselves are encrypted and therefore unusable. The restoration process isn’t quick – a recent survey of nearly 300 IT experts showed that 72 percent of crypto-ransomware victims lost access to their files for at least two days, with 32 percent losing file access for five days or more.

Ransomware isn’t going anywhere, and ransomware hackers have a “spray and pray business model” – meaning that organizations of all sizes, as well as individuals, are susceptible. It’s no longer a matter of if you’re going to get attacked, but when, so it’s imperative for school districts to start the conversation on ransomware. They can implement the necessary technologies and practices to properly mitigate irreparable losses before they happen.

Jonathan Levine (@JonMLevine) is the CTO of Intermedia.
