Guide to Combating Ransomware and Data Extortions at Schools and Higher Education Institutions (Part 2)

What will your school do in the event of a ransomware attack? If you don’t have a clear answer, it’s time to work on your checklist. 

In part one of this series, we focused on things educational institutions can do to proactively prevent ransomware attacks. In this post, we’ll rundown some best practices to implement after an attack has been detected. 

Detection entails identifying and isolating the systems that were compromised. If necessary, take the network offline and isolate vital systems required for everyday operations. If feasible, turn off your gadgets to prevent the infection from spreading further.

Restoration entails identifying and prioritizing key systems for restoration on a clean network, as well as verifying the type of data stored on impacted systems. Keep track of systems and devices that do not appear to be impacted, so they can be deprioritized for restoration and recovery.

Note that a majority of the guidance in this series comes courtesy of the Joint Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing & Analysis Center (MS-ISAC) Ransomware Guide, which provides a valuable starting point for prevention, remediation, and restoration efforts. Definitely check out the full guide for a deeper dive.

With that said, here’s what you should do immediately in the event of an attack.

Stage 1: Detection and Analysis

1. Immediate Isolation

Time is of the essence. Upon detecting suspicious activity, immediately disconnect or power down compromised systems to prevent further spread. Prioritize isolating critical systems essential for daily operations and student learning. This might involve physically unplugging devices from the network or taking them offline at the switch level.

2. Triage for Restoration

Identify and prioritize the most essential systems that need immediate restoration, considering factors like:

• Impact on critical functions: Prioritize systems that impact your core operations, like emergency response, attendance tracking, or essential communication channels.
• Data sensitivity: Next, focus on systems that house sensitive data like student records, financial information, or research projects.
• Recovery feasibility: Consider the ease and speed of restoring specific systems from backups. 

By identifying quickly recoverable systems, you can prioritize their restoration, minimizing business disruption and data loss. Recovering critical systems first ensures core functionalities resume swiftly, reducing operational downtime and its financial impact.

3. Leverage Existing Detection Systems

If you have systems in place, analyze the log files from anti-virus, endpoint detection and response (EDR), intrusion detection/prevention systems (IDS/IPS) for signs of precursor malware, like Emotet or QakBot, indicating a potential network compromise. Early detection of these tools can help identify affected systems quickly.

4. Initiate Threat Hunting

Don’t assume initial containment stops the threat. The initial compromise you discover might just be the tip of the iceberg. Attackers often move laterally within a network, compromising additional systems and establishing persistence mechanisms before deploying ransomware. Proactively search for additional compromised systems and malicious activity beyond initial detection. Look for:

• Newly created accounts with escalated privileges or unusual activity.
• Anomalous logins or endpoint modifications affecting backups, shadow copies, or disk configurations.
• Signs of Cobalt Strike beacon/client usage, often used by attackers to maintain persistence.
• Unexpected data exfiltration attempts via unusual network traffic or tools like Rclone, Rsync, or web-based file storage services.

Early detection of additional compromised systems allows you to isolate them and prevent attackers from moving deeper into your network or exfiltrating sensitive data.

Stage 2: Reporting and Notification

5. Follow Your Plan

Refer to your pre-established cyber incident response plan for clear notification procedures. Inform internal stakeholders like IT staff, school administration, and leadership teams.

6. External Reporting

Promptly report the incident to relevant authorities as outlined in your plan. This might include CISA, FBI, local law enforcement agencies, or your cyber insurance provider. Collaborating with these entities can provide valuable assistance and expertise.

7. Get Help! 

Don’t hesitate to seek help from cybersecurity professionals with experience in ransomware response. They can provide guidance, conduct forensics, and assist with recovery efforts.

8. Communicate Carefully

Balance transparency with responsible communication. Share accurate information with stakeholders while respecting data privacy and avoiding unnecessary panic. Consider developing communication strategies for different audiences, including students, parents, and the public.

Stage 3: Containment and Eradication

9. Secure Evidence

While containment is a priority, it’s equally important to collect and preserve evidence for potential forensic analysis later. This might include system images, memory captures, log files, malware samples, and ransom notes. Follow best practices for evidence handling to maintain chain of custody and admissibility in potential legal proceedings.

10.  Stop the Ransomware

Disable ransomware processes running on infected systems and delete associated files. Always speak to a cybersecurity expert before attempting decryption; certain techniques might invalidate ransom demands without any guarantee of success.

11. Identify the Breach Source

Investigate and secure compromised accounts or systems used to gain initial access. This might involve resetting passwords, implementing multi-factor authentication (MFA), and patching vulnerabilities exploited by attackers.

12. Rebuild Clean Systems

Next, prioritize rebuilding critical systems with clean backups that haven’t been exposed to ransomware. Implement security best practices during this process, including:

• Patching all systems with the latest updates.
• Verifying backup integrity and ensuring offline storage.
• Using infrastructure as code templates for cloud resources to ensure consistency and security.

This will help the school regain some stability in operations. 

12. Address Vulnerabilities

Don’t repeat past mistakes. Conduct a thorough vulnerability assessment and remediation across your entire IT infrastructure. Patch identified vulnerabilities, update your software, and strengthen your existing security controls to prevent future attacks.

Stage 4:  Recovery and Post-Incident Activity

13. Restore Data with Caution

Carefully restore data from backups onto clean systems, prioritizing critical data and making sure that no residual malware remains before full restoration. Consider conducting test restores on isolated systems before proceeding fully.

14. Document Lessons Learned

Review the incident response process and identify areas for improvement. Document key learnings, challenges faced, etc. That way, if there is another attack, you can learn from the lessons of the past and save precious time in your response. 

Ransomware is a persistent threat – even against schools like yours. It may never happen to you, but if it does, be ready for action. Learn how Coro can protect your school against ransomware and other threats. 

*** This is a Security Bloggers Network syndicated blog from Blog – Coro Cybersecurity authored by Kevin Smith. Read the original post at: https://www.coro.net/blog/guide-to-combating-ransomware-and-data-extortions-at-schools-and-higher-education-institutions-part-2