ED warns schools of another widespread ransomware attack

In light of a recent widespread ransomware attack, the U.S. Education Department is asking schools and districts to take measures to protect data and reinforce IT systems, and if any schools were victimized, to contact the agency’s Privacy Technical Assistance Center for help.

ED issued an alert on June 28 saying the United States Computer Emergency Readiness Team has received “multiple reports” of Petya ransomware infections across the world. ED referred to a notice issued by US-CERT, saying it contains information that could help schools and local educational agencies protect themselves.

“Ransomware is a type of malicious software that infects a computer and restricts users’ access to the infected machine until a ransom is paid to unlock it,” the statement said. “Individuals and organizations are discouraged from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.”

Petya ransomware, US-CERT officials explained, “encrypts the master boot records of infected Windows computers, making affected machines unusable.”

“Open-source reports indicate that the ransomware exploits vulnerabilities in Server Message Block,” a service that is universally available for Windows systems, they added. Legacy versions of SMB protocols could allow a remote attacker to obtain sensitive information from affected systems, according to the US-CERT website.

Officials urged users to review US-CERT articles on the Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010 for additional information.

ED officials also urged school leaders to review US-CERT Alert TA16-091A for general advice on how to best protect against ransomware.

For example, they advise users not to follow “unsolicited” web links in emails, and to employ data backups and recovery plans for critical information. Petya infected computers when users clicked on links or opened attachments from senders they didn’t know.

ED asked school officials to report any ransomware incidents to the Internet Crime Complaint Center at https://www.ic3.gov/default.aspx, as well as PTAC at PrivacyTA@ed.gov.

‘One class of cyber threat’

Doug Levin, founder and consultant with EdTech Strategies LLC, said ransomware is “only one class of cyber threat facing schools,” and that “good IT security practices and advice should apply to ransomware as well as other threats.”

He also said in an email that ransomware “has the potential to hold a school [system’s] IT assets hostage and disrupt operations.”

Levin created the K-12 Cyber Incident Map, which identifies the numerous U.S. K-12 public schools reporting any cyber security-related incidents in the last year that resulted in the “disclosure of personal information, the loss of taxpayer dollars, and the loss of instructional time.” Ransomware attacks are among the incidents cited on the map.

He said the most notable example of a ransomware attack in the K-12 sector occurred in Horry County Schools in South Carolina, a school system that had to pay $8,500 to get its data back in a districtwide ransomware attack. While the school system paid the ransom to get its systems restored, Levin said law enforcement does not routinely endorse paying the ransom.

The cyber threat was the topic of a hearing held last year by the Senate Judiciary Committee Subcommittee on Crime and Terrorism, in which the subcommittee panel heard testimony from Charles C. Hucks, executive director of technology for Horry County Schools.

According to Hucks, the district had experienced a few small, isolated ransomware incidents previously, as a result of individual users clicking a link and opening an attachment. But the incident that struck on Feb. 8, 2016, was much more pervasive, he said.

At the time, the price for the keys to unlock the ransomed data, payable in the digital currency Bitcoin, was 1.5 Bitcoin (roughly $850) for one computer, or 22 Bitcoin (about $8,500) for all computers.

“There is a lot of general advice on ransomware, but it would be a mistake for schools to think that hardening their systems against a ransomware attack specifically is sufficient guard for all types of threats,” Levin said in an email. “To my knowledge, there is no well-regarded set of K-12 specific cybersecurity guidance or standards for use by schools — and I think that is a problem.”

Emily Ann Brown covers education technology and STEM education issues for LRP Publications.

Copyright 2017© LRP Publications, Education Daily®