Protecting Your School From Ransomware

A recent ransomware attack prompted the shutdown of all computers and internet servers across the Las Cruces Public Schools. The IT department discovered that some of the District’s servers were compromised and they quickly shut down the district’s entire computer network in order to contain the virus. Even if a ransomware attack is caught early, recovering from the attack can take significant time and effort.

Ransomware is a type of malicious software, or “malware,” through which cyber criminals take remote control of computer systems and threaten to destroy, share, or retain information and data unless the owner of the system pays a ransom. As the Federal Trade Commission explains, attackers can employ a ransomware attack in several different ways, including through phishing emails, exploiting server vulnerabilities, infected websites that download malware onto a system, or online ads—even on trusted websites.

There are several steps schools can take to protect against and limit the impact of such attacks.

How do I protect my school against ransomware?

US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection.
  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing. Install antivirus software, firewalls, and email filters—and keep them updated—to reduce malicious network traffic.
  • Restrict users’ ability (permissions) to install and run unwanted software applications and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine.
  • Use caution with links and when entering website addresses. Be careful when clicking directly on links in emails, even if the sender appears to be someone you know. Attempt to independently verify website addresses (e.g., contact your organization's helpdesk, search the internet for the sender organization’s website or the topic mentioned in the email). Pay attention to the website addresses you click on, as well as those you enter yourself. Malicious website addresses often appear almost identical to legitimate sites, often using a slight variation in spelling or a different domain (e.g., .com instead of .net).
  • Open email attachments with caution. Be wary of opening email attachments, even from senders you think you know, particularly when attachments are compressed files or ZIP files.
  • Keep your personal information safe. Check a website’s security to ensure the information you submit is encrypted before you provide it.
  • Verify email senders. If you are unsure whether an email is legitimate, try to verify the email’s legitimacy by contacting the sender directly. Do not click on any links in the email. If possible, use a previous (legitimate) email to ensure the contact information you have for the sender is authentic before you contact them.
  • Inform yourself. Keep yourself informed about recent cybersecurity threats and up to date on ransomware techniques. You can find information about known phishing attacks on the Anti-Phishing Working Group website. You may also want to sign up for CISA product notifications, which will alert you when a new Alert, Analysis Report, Bulletin, Current Activity, or Tip has been published.
  • Train your organization. Organizations should ensure that they provide cybersecurity awareness training to their personnel. Ideally, organizations will have regular, mandatory cybersecurity awareness training sessions to ensure their personnel are informed about current cybersecurity threats and threat actor techniques. To improve workforce awareness, organizations can test their personnel with phishing assessments that simulate real-world phishing emails.

How do I respond to a ransomware infection?

  • Isolate the infected system. Remove the infected system from all networks, and disable the computer’s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected whether wired or wireless.
  • Turn off other computers and devices. Power-off and segregate (i.e., remove from the network) the infected computer(s). Power-off and segregate any other computers or devices that shared a network with the infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering-off and segregating infected computers and computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists.
  • Secure your backups. Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.

Immediately report the ransomware attack to both the New Mexico Public Education Department as well as your insurance carrier. Every insurance policy is considered a contract creating obligations for both the insured and the insurer. It should be noted that the cyber liability carrier for NMPSIA requires that any claims be filed within the policy year or they will be automatically denied.

Training

Poms & Associates has an online training available at no additional cost to your organization.

Cybersecurity: Practical Steps to Avoid Risk

The main objective of this training course is to describe common cybersecurity threats and what you can do to prevent them from happening to you at work or at home. At the end of the session you will be able to identify various types of cyber threats, such as malware, phishing and spam, and how to protect yourself when using email, social media, instant messaging and other communication systems. (Duration: 21:59)

It covers:

  • Basic cybersecurity concepts
  • Authentication
  • Malware, viruses, and ransomware
  • Mobile devices
  • Phishing
  • Social media