Imagine you arrive at your school one day to find all of your computers padlocked, and a man in a mask is demanding $5,000 per computer to unlock them. If you don’t pay up, you’ll lose access to all of the data on each of those computers—forever. For Horry County Schools, the third largest school district in South Carolina, this nightmare became its reality. Horry County Schools is one of the most recent victims of crypto-ransomware, a type of malware that encrypts/scrambles files and holds them for ransom.
If your district gets infected with crypto-ransomware, you face two very hard choices: either spend multiple days recovering the locked files from potentially out-of-date backups—during which time you’ll endure user downtime—or pay a ransom to an organized crime syndicate. In this unfortunate event, the data on 25 Horry County School servers was encrypted and rendered inaccessible. This story ends with the district paying $8,500 to obtain the encryption key.
In this article, I’ll explain more about the threat of crypto-ransomware. I’ll explore why educational institutions need to be concerned, what the true costs of crypto-ransomware look like, and some basic prevention and containment techniques that you should have in place.
The sad reality is that it’s increasingly likely that your district will get hit by a ransomware attack. After you read this article, I hope you’ll know what you need to put a business continuity plan into place.
The scope of the threat
While paying $8,500 isn’t insignificant, payment of the ransom is actually the least of a district’s worries. In fact, when IT staff were asked to rank the impact of the crypto-ransomware outbreaks they stated that the biggest loss is in fact the staff/instructor/administrator downtime that’s the most detrimental. But why?
Once a computer is discovered to have crypto-ransomware, it must be immediately isolated from its network to keep the malware from spreading. This brings that computer’s user or users to a standstill. They can’t get their work done.
The infected users—and everyone who relies on them—enter a holding pattern while IT re-builds their computers and restores their files from backup (if available). Even if they could access their files through alternate devices, the files themselves are encrypted – scrambled, and therefore unusable. This makes the downtime inflicted by ransomware far more detrimental than the actual cost of the ransom.
The worst part is that the downtime typically lasts for days. 72 percent of crypto-ransomware victims lost access to their files for at least two days, with 32 percent losing file access for five days or more.
Are schools really at risk?
In the past, crypto-ransomware generally infected home users. However, crypto-ransomware is a “spray and pray” operation for hackers, meaning no one is immune. And data supports that organizations of all sizes are facing huge risks.
In fact, 89 percent of the organizations hit by crypto-ransomware were 10 people or more, and 60 percent were bigger than 100 people.
Once inside your network, crypto-ransomware may try to propagate before you realize you’re infected; even worse, traditional anti-virus software often doesn’t detect it. Some variants send emails or open chat windows and/or place infected files into shared folders.
It’s not surprising, then, that crypto-ransomware usually affects multiple victims within an organization. Data says that 75 percent of outbreaks affect three or more people, while 4 percent of outbreaks spread to at least 20 individuals.
Schools, in particular, at are risk. Educational organizations typically share similar network architectures, which results in common network vulnerabilities that offer hackers economies of scale. They often place public computers (like library and classroom workstations) on the same networks as administrative computers, meaning that an infection could be inadvertently introduced by a student. In addition, schools upgrade their systems less frequently than businesses and are less likely to keep their software up to date. They are also less likely to have backups.
Without vulnerability management programs in place, schools are inviting attackers into their environments. Some schools are exploring greater security measures—Horry County Schools was reported to be in the middle of a study when they were hit—but crypto-ransomware is here now. Districts should expect outbreaks to increase – both in frequency and in the ransom amounts being demanded.
Preventing your district from becoming the next victim
Should your school experience a crypto-ransomware outbreak, you have two choices: you can pay the ransom, or you can try to restore the locked files from backup.
While the FBI often advises paying ransoms in crypto-ransomware cases, paying the ransom may not always be the best solution. It can be difficult to acquire the Bitcoin currency in which hackers want to be paid. And it is worth noting that 19 percent of companies that pay still don’t get their files back. Even if you are successful, you’ll still need to wipe and restore the infected computers to remove all traces of the virus—which results in even more downtime.
If you have backups, you may be able to avoid payment. But the restoration process is still very time-consuming. Cloud backup provider Carbonite reports a restore rate of 10 Mbps, which means a 50 GB file archive will take around 12 hours to recover.
If you haven’t considered man-made malware threats as part of your district continuity planning, then you’ve done your district a major disservice. It’s no longer about IF you get hit by crypto-ransomware, but when.
Disaster preparedness: what to be thinking about
With the right file management system in place, it’s possible to transform a ransomware outbreak from a major disaster to a mild disruption. Business continuity during a crypto-ransomware outbreak can be achieved through two key capabilities. First, users and administrators need to have the ability to instantly roll back their file sets to any date and time. As a result, they can easily restore their files to their pre-infected state. Second, users need to be able to access their files using alternate devices, even while IT is wiping and restoring the infected computer.
As a result, ransomware recovery becomes a manageable 3-step process:
1. Close and isolate the infected computer(s) to prevent further spreading.
2. Roll back the user’s file archive to the moment just before the infection.
3. Get the user back to work using an alternate device while the original machine is being wiped and restored.
With continuity planning, users remain productive during a crypto-ransomware attack, IT can focus on containment and prevention, and the school district can avoid lost productivity and negative publicity.
Plus, there’s no longer a need to pay the ransom.
Where do you start with crypto-ransomware preparations?
Start by asking this question: “What is our appetite for risk as a district?”
If all of your teachers were to get hit by ransomware, but your servers and administrators were safe, would that be an acceptable level of impact to you? If so, that could be a great place to start your deployment.
In other words, what degree of loss can you afford? Make sure that your district is having these discussions so you can create plans that properly mitigate against irreparable losses before they happen.
Not in a position to put new tools in place just yet? While you’re discussing your ransomware strategy and your district’s policies around paying a potential ransom, start regularly educating your employees about the threat of crypto-ransomware now.
Jonathan Levine is the CTO of Intermedia. For more information about how to prevent, contain and circumvent crypto-ransomware outbreaks, visit www.intermedia.net/ransomware.