In Ransomware, the Kids Aren’t All Right. The Taxpayers Aren’t Either.
According to its website, the Judson Independent School District in Texas discovered on June 17, 2021, that it had been hit by ransomware. The attack took down the district’s critical systems, including telephone and e-mail services. A district call center was set up to coordinate summer school, among other activities, and e-mail sent from newly created Gmail accounts was met with skepticism from parents. To end the chaos and restore its critical systems, the district paid $547,045.61[1] in ransom, saying that it had “…no other choice”[2].
Given that the district contacted law enforcement at every level, from local to federal, as well as private cybersecurity experts after discovering the attack[3], it is difficult to argue that it overlooked a better option in the crisis before paying the ransom. The better options were only available before the attack. Still, the Judson ISD did have another choice: it could have rebuilt its systems from scratch. Following the Colonial Pipeline attack in the spring of this year, some politicians and cybersecurity leaders began to advance the idea that paying ransomware should be made illegal[4][5]. Supporters of a payment ban argue primarily that payments encourage additional attacks; that is, payments incentivize attackers by making ransomware profitable[6]. Banning ransomware payments is shortsighted for a variety of reasons. For an organization like the Judson ISD it would mean either having a disaster recovery plan that allows data and systems to be recovered from backup, or rebuilding every compromised system from scratch and likely accepting a loss of data, which narrows its options for resolution. With a payment ban in place, Judson’s choice would likely have played out much like the 2018 ransomware attack on the City of Atlanta, where the city spent more than $2.5 million to rebuild its systems rather than paying $52,000 in ransom[7][8]. But this isn’t a post about what to do as a cyber attack ravages your systems and data. In the absence of solid cybersecurity disaster preparedness, all of your options at that point are so bad that, as JISD put it, they feel like no option at all.
The attack on the Judson ISD also cost the district control of sensitive data about approximately 23,000 children. Large as it is by itself, the Judson ISD ransomware attack is a shrinking piece of a threat to K-12 school districts in the United States that has reached staggering proportions. According to the U.S. Cybersecurity & Infrastructure Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC), ransomware attacks against K-12 districts represented 57% of all reported cybersecurity incidents in August and September of 2020, up from 28% between January and July 2020[9]. Whether the rise in attacks on K-12s reflects perceived opportunity from the pandemic-driven shift toward e-learning or simply fertile ground for cyber-attack, American K-12 districts are trying to expand their e-learning capabilities while securing their systems and data. The cybersecurity situation facing K-12 sysadmins is daunting, but solid preparation and the integration of cybersecurity practices into the fabric of district IT are the best option to prevent, detect, and blunt the impact of cyberattacks.
The first step in creating options in the event of a cyber attack is to adopt the mindset that your organization will experience successful cyber attacks. In this context, we’ll define a successful attack as one in which unauthorized access to district systems or data is achieved. Once unauthorized access has been achieved in your thought exercise, think about how bad the consequences could be. Sysadmins should spend some time investigating publicly reported cybersecurity incidents to gain perspective, but they should also participate in groups of cybersecurity professionals that share information about the threats they’ve encountered. Join MS-ISAC, your state’s group of K-12 Chief Technical Officers (if one exists), InfraGard, etc. I recently observed a grassroots sharing of cybersecurity threat information among K-12s, local governments, and universities in several states. An Internet-facing compromise was discovered by a local government in one of its own software applications. In turn, the sleuths were able to find other compromised organizations through an Internet search, and they began to notify them of the compromise and provide several solutions. By sharing this incident and potential solutions, the participants helped to mitigate that threat and also widened the threat perspective of every organization involved. With clearer eyes and active threat intelligence feeds, K-12 district IT leaders can develop a more accurate understanding of the cybersecurity threats facing them.
Developing an accurate understanding of the cybersecurity threat environment is often a panic-inducing experience. As you hyperventilate into a paper bag, you’re probably thinking of your worst-case disaster scenarios. This is a great time to start your district’s cybersecurity disaster recovery, incident management, and emergency operations plans. Start by classifying your systems and processes. Which are mission-critical? (If thinking about the loss of a system has you reaching for that paper bag, it’s critical.) It’s not enough to back those systems up. You must regularly verify that your backups work, keep offline copies, document your disaster recovery, incident management, and emergency operations plans in specific detail, and then test those plans under conditions as realistic as you can produce. Plan exercises are how you discover that your plan announces the loss of the organization’s e-mail server by sending e-mail from that server. Your organization may already have such plans in place for non-cyber incidents. If so, you can extend them to cover IT disasters. If not, you’ll be providing your district with an even more valuable service. The COVID-19 pandemic, at least, created processes for a disaster involving the loss of school buildings. Documenting those processes and considering them in terms of IT assets can be a huge first step in IT disaster planning. Strong disaster recovery planning is the best chance to give your district the options during a cybersecurity incident that Judson ISD felt it lacked. So, get to it! Here are some resources that can support your efforts.
MS-ISAC - https://www.cisecurity.org/ms-isac/
The K-12 Cybersecurity Resource Center - https://k12cybersecure.com/
CISA - https://www.cisa.gov/stopransomware/k-12-resources
Ready.gov - https://www.ready.gov/it-disaster-recovery-plan
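As an added example (not from the original post or any district's own tooling), here is a small Python check for two of the planning points above: that the channel a plan uses to announce the loss of a system does not itself depend on that system (the e-mailing-about-the-dead-e-mail-server problem), and that each mission-critical backup is intact, recent, and has an offline copy. The inventory, plan, and backup blob are constructed placeholders.

```python
import hashlib

# Constructed inventory for illustration; a district would load its own
# asset register. depends_on lists what a system needs in order to work.
SYSTEMS = {
    "ad":      {"critical": True,  "depends_on": []},
    "email":   {"critical": True,  "depends_on": ["ad"]},
    "phones":  {"critical": True,  "depends_on": []},
    "sis":     {"critical": True,  "depends_on": ["ad", "email"]},
    "website": {"critical": False, "depends_on": []},
}

# For each system, the channel the plan uses to announce that it is down.
PLAN_NOTIFY_VIA = {"email": "email", "phones": "email", "sis": "phones", "ad": "email"}


def transitive_deps(name, systems, seen=None):
    """Return every system `name` needs, directly or indirectly."""
    seen = set() if seen is None else seen
    for dep in systems.get(name, {}).get("depends_on", []):
        if dep not in seen:
            seen.add(dep)
            transitive_deps(dep, systems, seen)
    return seen


def plan_dependency_problems(systems, notify_via):
    """Flag plans that announce the loss of a system over a channel that is
    itself down when that system is lost (e-mailing about the dead e-mail server)."""
    return [(lost, chan) for lost, chan in notify_via.items()
            if chan == lost or lost in transitive_deps(chan, systems)]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_backup(name, systems, data, recorded_sha256, taken_at, offline_copy, now, max_age):
    """Findings for one backup of a critical system (times in epoch seconds);
    an empty list means the backup passed."""
    findings = []
    if not systems[name]["critical"]:
        return findings  # non-critical systems are out of scope for this check
    if sha256_hex(data) != recorded_sha256:
        findings.append("checksum mismatch: backup is corrupt or was altered")
    if now - taken_at > max_age:
        findings.append("backup older than the allowed recovery point")
    if not offline_copy:
        findings.append("no offline copy: an attacker with admin rights could encrypt it")
    return findings
```

Run `plan_dependency_problems` against the real asset register and notification plan during a tabletop exercise, and `check_backup` from a scheduled job so a stale or corrupt backup is found before an incident rather than during one.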
Sources:
[1] Technology Update (judsonisd.org)
[2] Ibid.
[3] Ibid.
[4] https://www.npr.org/2021/05/13/996299367/how-to-stop-ransomware-attacks-1-proposal-would-prohibit-victims-from-paying-up
[5] https://www.nbcnews.com/politics/meet-the-press/sec-granholm-backs-ban-ransomware-payments-you-are-encouraging-bad-n1269776
[6] https://www.npr.org/2021/05/13/996299367/how-to-stop-ransomware-attacks-1-proposal-would-prohibit-victims-from-paying-up
[7] https://www.wired.com/story/atlanta-spent-26m-recover-from-ransomware-scare/
[8] https://www.wsbtv.com/news/local/atlanta/ransomware-attack-cost-city-27-million-records-show/730813530/