Preparation can lessen damage from ransomware attacks
Virtual kidnappers wormed their way into the Arlington School District’s computers this summer and demanded a ransom to free them from attack.
Arlington broke free without paying, but not without investing in new computer systems and learning the importance of good backups.
“We had to have someone redesign everything, from the servers to the firewall,” said Arlington Superintendent Kevin Hunking.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has reported an increase in the malicious software known as ransomware, often attacking from outside the U.S., and offers guidance for agencies to protect themselves.
Smaller government agencies are often at greater risk because they have less technology support. As school districts face the likelihood of such attacks, they can take steps to protect their computers and lessen the impact if an attack happens, starting with keeping their systems up to date and backing up data.
The attack on Arlington’s computers came via an email in early July, locking up the district’s data and other online functions. No staff or student information was compromised, said Hunking.
Local police advised Arlington not to pay the ransom because there was no way to guarantee the attackers would release the encrypted servers. Arlington was able to recover data from backups, but it was a long and painful process.
Arlington took its website down until mid-August to rebuild its system from the ground up. While Arlington’s website was being restored, Spray, Condon and Mitchell school districts also lost some access because of their interconnected infrastructure.
Oregon law does not require districts to have websites, but it does require districts to post certain documents if they do. Arlington chose to keep its website down until it could do everything required in a secure fashion.
Hunking said the new system was designed to be more compartmentalized so that a virus can’t spread easily. The district’s old interconnected infrastructure, both internally and with other districts, made it vulnerable to attack, Hunking said.
Arlington has contracted with the Columbia Gorge Education Service District for more qualified IT support than Arlington’s small staff can provide.
“IT people are hard to come by, and as they get experience, they are easily taken away from the education field because we can’t afford the best salaries,” Hunking said.
The Roseburg School District dealt with a similar attack in May 2018.
The attacker infiltrated the district’s servers remotely, encrypting the district’s files. When district staff explored why email and the website weren’t working, they found a file with ransom demands to release the data.
The district checked to see how many systems had been attacked and how much data could be recovered. Local law enforcement advised them to talk to the FBI.
The district paid the ransom on the advice of its insurance agency and a data recovery adviser, according to Roseburg IT coordinator Gary McFarlane. Generally, the FBI advises against paying, but the likely cost of the recovery effort and the potential loss of years of data made paying the relatively small amount worthwhile for the district, McFarlane said.
Average ransom demands have been steadily rising from less than a thousand dollars a few years ago. Coveware, a data recovery company, estimated the average ransom payment in cases using its platform has nearly doubled during 2019 to $36,295.
Roseburg Chief Operations Officer Cheryl Northam said one of the most important lessons they learned was to call the insurer first to see whether the district has cybercrime coverage and what it covers.
Property and Casualty Coverage for Education, Oregon’s leading insurance pool for education, offers a wide range of response support. Insurance coverage pays for an analysis of the situation and may also cover technical support, recovery efforts and, sometimes, the ransom.
“PACE was very awesome helping us with legal issues and getting us in contact with super knowledgeable tech people to help us through the event,” Northam wrote in an email.
Sean Hoar, a partner in the national Lewis Brisbois law firm and chair of the data privacy and cybersecurity practice, advises PACE. He was named one of the “30 best and brightest data breach response lawyers” by Cybersecurity Docket, an industry news platform.
First and foremost, he said, school districts should not respond in any way to attackers. Often, online attackers only know they hooked an internet protocol address, a string of numbers, but they don’t know who or what they are dealing with. The less information hackers have, the easier they are to fight.
Hoar said it is nearly impossible for a district to completely protect itself. Infected spam emails seeking information in what are known as phishing attacks are common, but increasingly attackers are devising and sharing direct attacks to get past anti-virus programs and system firewalls.
Hoar said there are a variety of applications to increase online security, but those often come with a tradeoff of extra expense or reduced convenience and access.
Mike Hackbart, senior claims consultant for the Special Districts Association of Oregon, said districts should contact their insurance agent if there is a hint of a problem to learn what steps might be covered. SDAO, along with OSBA, administers PACE.
Emails to email@example.com get a priority response, but Hackbart cautioned districts to be careful not to use a computer or account connected to the attack.
Hoar encourages school districts to engage the specialized expertise of a digital forensics firm to ensure they are making the right moves. A forensics firm can identify whether data can be restored from backups without contacting the attackers and make sure any restored or new computer systems are clean of malware.
“It’s a layered approach, multiple steps, multiple moving parts,” Hoar said, “a you-don’t-want-to-do-it-at-home kind of thing.”
These types of firms also know the legal protocols if a district decides it must pay the ransom to get its data back.
Roseburg’s IT coordinator Gary McFarlane said the district learned the value of having good data backups. The district also moved to spread its risk by hosting information with outside agencies so that no one attack can get everything.
Roseburg limited outside access to its servers, including making sure temporary access windows are closed after work is done. Websites can have public access without giving a path to critical servers.
“Such an attack is painful to go through, but it’s one of those things that most of the experts I have talked to say that sooner or later most entities are going to experience,” McFarlane said. “Try to have your recovery processes in place ahead of time.”
- Jake Arnold, OSBA