School ransomware: A threat to be aware of

Ransomware that targets schools is a threat that needs to be understood, explains ESET's Lysa Myers. Top cybersecurity efforts are needed to keep it at bay.

Ransomware that targets schools is a threat that needs to be understood, explains ESET’s Lysa Myers. Top cybersecurity efforts are needed to keep it at bay.

It can often feel like every day brings news stories about ransomware attacks on businesses, particularly at hospitals and schools. While the life-or-death nature of hospital data might force some healthcare organizations to accede to criminals’ demands in hopes of restoring access to that data as quickly as possible, some schools are also falling prey to these demands.

Paying criminals is never a good idea, even when it seems expedient. Ransomware authors are under no obligation to actually give you what you pay for, and there have been plenty of cases where either the decryption key did not work or the ransom note never even appeared. Suffice it to say that cybercriminals are not generally renowned for their excellent software testing or devotion to quality customer service.

There are plenty of things that you can do now that will help you avoid a school ransomware problem entirely, and there are even a few things you can do that might help repair the damage so you don’t have to fork over ransom money.

What makes schools unique?

In a way, schools are like small cities: they often have healthcare clinics, stores, restaurants, sometimes even banks, plus they have accountants, administrators, etc. They have various types of company and personal financial data, healthcare information, student and staff records – all of which are very sensitive and thus very lucrative to criminals.

Ransomware is a special situation within malware, where data are not necessarily exfiltrated from a victim’s system (as with other kinds of modern malware). Instead, access to that data is interrupted. If you’ve ever had to deal with the disquiet of a student or teacher under deadline, you know that while timely access may be less a matter of life and death than in a hospital, it’s still absolutely crucial in a school.

And while hospitals are fairly limited as to which devices are approved to enter the network, schools generally encourage their users to bring their own devices. This brings a higher level of challenge, as an untold number of unmanaged machines are connecting to the network each day.

What can you do about it school ransomware

school ransomware

Let’s start with the things you can do in advance to help prevent malware from getting on your system in the first place, and to minimize damage if it does happen.

Back up your data

The single most important thing you can do to prepare for emergencies, including being affected by ransomware, is having a regularly updated and secured backup. Many ransomware variants will encrypt files on drives that are mapped. This includes any external drives such as a USB thumb drive, as well as any network or cloud file stores to which you have assigned a drive letter. So your backup needs to be on an external drive or backup service, one that is not assigned a drive letter, and that is disconnected from your systems and network when not in use.

Keep your software up to date

Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to get onto your system unobserved. It can significantly decrease the potential for malware infection if you make a practice of updating your software often. Enable automatic updates if you can, update through the software’s internal update process, or go directly to the software vendor’s website. Malware authors sometimes disguise their creations as software update notifications, so by going to known to be good software repositories you can increase the odds of getting clean, vetted updates. On Windows, you may wish to double-check that old – and potentially vulnerable – versions of the software are removed, by looking in Add/Remove Software within the Control Panel.

Use a reputable security suite

It is always a good idea to have both anti-malware software and a software firewall to help you identify threats or suspicious behavior. Malware authors frequently update their creations to try and avoid detection, so it is important to have both layers of protection. If you run across a ransomware variant that is so new that it gets past anti-malware software, it might still be caught by a firewall when it attempts to connect with its Command and Control (C&C) server to receive instructions for encrypting your files.

Use the Principle of Least Privilege

“No users or systems should have more access than is necessary to complete tasks that are legitimately within the scope of their work.”

The Principle of Least Privilege says that no users or systems should have more access than is necessary to complete tasks that are legitimately within the scope of their work. As a general rule, most users should not have administrative rights on their machines, and should be limited in their ability to access resources outside of their own purview. Students should have different access levels than teachers, who should have different access than administrators. Personal devices brought from home should also be treated differently from machines that always remain within the school network. If appropriate barriers are in place, you can slow or halt the spread of malware.

Educate your users

While accidents do happen, it is important for all of your users to understand what acceptable use of school resources entails. This is something that should not just be done once at the beginning of the year and forgotten by the time midterms come around. It should be an exercise that is revisited frequently. Posters or other educational materials can be displayed prominently, wherever public computers or internet connections are available. It is also imperative to encourage your users to let you know when an accident has occurred, so that damage can be limited by quick corrective action. Rewarding safer security behavior, including pointing out problems, can help you to foster an encouraging environment.

The next few tips are to help you deal with the methods that current ransomware variants have been using – these tips may not help in every case, but they are inexpensive and minimally intrusive ways to cut off access routes used by a variety of malware families.

Disable macros in Microsoft Office files

Most people may not be aware that Microsoft Office Files are like a file system within a file system, which includes the ability to use a powerful scripting language to automate almost any action you could perform with a full executable file. By disabling macros in Office files, you deactivate the use of this scripting language.

Show hidden file-extensions

One popular method malware uses to appear innocent, is to name files with double extensions, such as “.PDF.EXE”. This takes advantage of default behavior within Windows and OS X of hiding known file-extensions, Malware takes advantage of this behavior to make a file appear to be one that would commonly be exchanged. If you enable the ability to see the full file-extension, it can be easier to spot suspicious file types.

Filter EXEs in email

If your gateway mail scanner has the ability to filter files by extension, you may wish to deny emails that arrive with “.EXE” files, or to deny emails sent with files that have two file extensions, the last one being executable (For example, “Filename.PDF.EXE”). If you do legitimately need to exchange executable files within your environment and are denying emails with “.EXE” files, you can send them within ZIP files or via cloud services. Sending in ZIP files can also give you an extra layer of assurance, as it allows you to choose an official, universal password for use within the company, which can help you identify unofficial files.

Disable files running from AppData/LocalAppData folders

You can create rules within Windows or with Intrusion Prevention Software, to disallow unique behavior often used by ransomware, which is to run its executable from the App Data or Local App Data folders. If you have legitimate software that you know is set to run from the App Data area (note that this is fairly unusual behavior, and most legitimate software will allow you to choose another install location), you will need to add an exclusion from this rule.

Disable RDP

Ransomware malware sometimes accesses machines using Remote Desktop Protocol (RDP), which is a Windows utility that allows others to access your desktop remotely. If you do not need use of RDP in your environment, you can disable it to protect your machines. For instructions on how to do so, visit the appropriate Microsoft Knowledge Base article below:

If you find yourself in a position where you have already run a ransomware executable without having taken any of the previous precautions, your options are more limited. There are a few things you can still do that might help mitigate the damage:

Check to see if a decryptor is available

Sometimes malware authors make mistakes and decryptors can be created. Other times, malware authors feel remorse for their actions or stop development on a particular ransomware family, and then release a decryption key. It’s worth a quick internet search to see if the solution to your problem is available for free, from a reputable source.

Disconnect from WiFi or unplug from the network immediately

If you run a file that you suspect may be ransomware, but you have not yet seen the characteristic ransomware screen, if you act very quickly you might be able to stop communication with the C&C server before it finishes encrypting your files. If you disconnect yourself from the network immediately you might decrease the number of files that it can encrypt.

Use System Restore to get back to a known-clean state

If you have System Restore enabled on your Windows machine, you might be able to take your system back to a known-clean state. Many ransomware variants will prevent this from succeeding, but it doesn’t hurt to try.

Set the BIOS clock back

Some ransomware variants have a payment timer that increases the price for your decryption key after a set time. You may be able to give yourself additional time by setting the BIOS clock back to a time before the deadline window is up.

Criminals know that the data under the care of schools are very valuable to students and staff, and this makes them a potentially lucrative target. And once a target has been identified as vulnerable, the odds increase that criminals will return to attack them again (especially with school ransomware). By taking the time to prepare before an emergency happens, you can minimize the risk of losing access to your data or of having to pay criminals to regain it.

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center