Question: Are your computer files that important to you that you’d pay to get them back if someone stopped you from accessing them? That, in a nutshell, is the central premise of Ransomware: a type of malware attack in which attackers encrypt a victim’s data and demand a digital ransom in exchange for the decryption keys.
Ransomware is typically passed to a target by getting them to click a link or install a file that spreads the malicious code onto their machine. It can then lie dormant for a certain period of time, before wreaking havoc on the user’s system in a way that can be very difficult to reverse. Even if victims of Ransomware attacks do agree to pay up, there’s no guarantee that they will be given the necessary decryption keys, or that they are the only ones who hold copies of their files. After all, victims are taking the word of criminals who, by their very nature, are not exactly trustworthy…
Ransomware attacks frequently target businesses. Businesses are not the only targets, however. In September 2020, a hacker group named Maze hit Fairfax County Public Schools in Virginia, one of the United States’ larger school systems, with a Ransomware attack. Maze emerged in mid-2019 and has been regularly carrying out blackmail attacks since then. One extra nasty facet of Maze’s Ransomware strategy is to also steal sensitive information and then, in the event that the victim does not pay the ransom as demanded, to release it online. (This behavior is increasingly widely seen in modern Ransomware attacks.)
The Fairfax County Public Schools attack took place during the first week of the new school year, a time calculated to cause maximum damage. This is especially true of 2020, given the increasing reliance on distance and remote learning services due to the coronavirus pandemic. At a juncture at which the return to school is as stressful as it has ever been, attacks such as these can prove devastating. The attack did not disrupt the school system’s distance learning tool, although it did reportedly result in the leaking of student and faculty information. To date, Maze has only released a small fraction of the data it claims to have stolen.
Fairfax County is far from alone in being targeted by Ransomware attacks. In fact, this was just one of thousands of attacks on individual schools and colleges since January this year. In June, the U.S. Federal Bureau of Investigation (FBI) even issued a security alert to K-12 schools suggesting that Ransomware attacks could increasingly target school systems. It noted that hackers could seize upon schools as an “opportunistic target” at a time they were having to quickly adapt to distance learning. Adapting in this way necessitates opening up infrastructure to allow staff to connect remotely, meaning more Remote Desktop Protocol (RDP) accounts being set up on internal school computer systems.
The FBI’s warning proved accurate, as the Fairfax County attack demonstrated. Other similar attacks took place across the country. In Newhall School District, California, online classes had to be canceled as a result of a Ransomware attack. Similarly, Somerset Hills School District had to abandon plans for classes as a result of a Ransomware attack on a portion of its network. These were just a few of the schools targeted. While not as large as Fairfax County (which, due to its size, received the most press attention), all were heavily inconvenienced by Ransomware attacks at a time of extreme vulnerability.
There are several reasons why schools might be targeted in Ransomware attacks, particularly at this juncture. As noted, many are having to transition quickly to be able to offer remote access that was previously not part of their wheelhouse. Often reliant on legacy systems and lacking the necessary cutting-edge cybersecurity measures, school IT systems were frequently targeted by hackers even before COVID due to the perception that they represented low-hanging fruit: promising maximum disruption for minimal work. The sensitivity of potentially leaked data, such as student identifying information, and the loss of services, in the form of disrupted remote learning, may also cause hackers to believe that schools will be more likely to pay up to retrieve files and system access in Ransomware attacks.
Ransomware is increasingly common
As these examples make clear, Ransomware attacks are increasingly common here in 2020, across a broad range of domains. With these attacks happening in greater numbers than ever, it’s crucial that organizations take steps to protect themselves. Fortunately, the tools exist to make this protection easier than ever, so would-be targets don’t have to worry about the risks associated with Ransomware. Some steps, such as data backups and keeping operating systems and applications updated with the latest patches, can be easily carried out without much knowledge of cybersecurity.
However, in other cases it can be worth calling in the experts. Ransomware detection systems work by carrying out real-time monitoring of suspicious, ransomware-specific read/write behavior and then quickly blocking users and endpoints from having any further access. This can help protect against attacks that might be in progress. The suspicious files will then be quarantined before they can cause damage, while also providing the necessary data to allow for a full investigation. Web Application Firewalls (WAFs) also work by detecting and blocking server-side Ransomware at the point that it tries to contact its Command & Control center.
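The read/write monitoring described above can be illustrated with a small detector. This is an added example, not code from the article or from any product: the thresholds, the `Monitor` class, and the user, host and path names are all assumptions, and the events are constructed. An actor is blocked once it has read and then overwritten several distinct files with high-entropy (encrypted-looking) content inside a short window, and the affected files are recorded for quarantine and investigation.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

WINDOW_S = 10       # sliding window in seconds (assumed value)
MAX_REWRITES = 5    # distinct files rewritten in the window before blocking (assumed)
MIN_ENTROPY = 7.2   # bits/byte; ciphertext is close to 8, documents are far lower

def entropy(data: bytes) -> float:  # Shannon entropy in bits per byte
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class Monitor:
    def __init__(self):
        self.reads = defaultdict(dict)   # actor -> {path: time of last read}
        self.hits = defaultdict(deque)   # actor -> (time, path) of suspicious rewrites
        self.blocked = {}                # actor -> files to quarantine and investigate

    def observe(self, ts, user, host, op, path, data=b""):
        actor = (user, host)
        if actor in self.blocked:
            return "denied"
        if op == "read":
            self.reads[actor][path] = ts
            return "allowed"
        # A write counts only if this actor just read the file and the new content looks encrypted.
        read_ts = self.reads[actor].get(path)
        if read_ts is not None and ts - read_ts <= WINDOW_S and entropy(data) >= MIN_ENTROPY:
            hits = self.hits[actor]
            hits.append((ts, path))
            while ts - hits[0][0] > WINDOW_S:   # drop rewrites that fell out of the window
                hits.popleft()
            touched = sorted({p for _, p in hits})
            if len(touched) >= MAX_REWRITES:
                self.blocked[actor] = touched
                return "blocked"
        return "allowed"

def run_demo():
    """Replay constructed events: one normal edit, then a burst of encrypting rewrites."""
    text = b"Attendance report, period 3\n" * 100
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # stand-in ciphertext
    mon, out = Monitor(), []
    mon.observe(0, "teacher1", "lab-pc-07", "read", "/share/report.docx")
    out.append(mon.observe(1, "teacher1", "lab-pc-07", "write", "/share/report.docx", text))
    for i in range(6):  # the sixth file is attempted after the block
        path = f"/share/grades/{i}.xlsx"
        mon.observe(20 + i, "svc-scan", "office-pc-02", "read", path)
        out.append(mon.observe(20 + i, "svc-scan", "office-pc-02", "write", path, noise))
    return out, mon.blocked
```

Legitimate compression or encryption tools also write high-entropy data, which is why the sketch requires both the read-then-rewrite pattern and a count of distinct files rather than reacting to a single write.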
Ransomware is bad news. By the point that you’ve lost access to your files and vital services and are, in essence, negotiating with terrorists, you have left it too late. Any organization that’s serious about its employees, customers and any other users should act right now. It’s not worth putting off for tomorrow what you can do today. The sanctity of your data depends on it.