What will your school do in the event of a ransomware attack? If you don’t have a clear answer, it’s time to work on your checklist.
In part one of this series, we focused on things educational institutions can do to proactively prevent ransomware attacks. In this post, we'll run down some best practices to implement after an attack has been detected.
Detection entails identifying and isolating the systems that were compromised. If necessary, take the network offline and isolate the vital systems required for everyday operations. If feasible, power down affected devices to prevent the infection from spreading further.
Restoration entails identifying and prioritizing key systems for restoration on a clean network, as well as verifying the type of data stored on impacted systems. Keep track of systems and devices that do not appear to be impacted, so they can be deprioritized for restoration and recovery.
Note that a majority of the guidance in this series comes courtesy of the Joint Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing & Analysis Center (MS-ISAC) Ransomware Guide, which provides a valuable starting point for prevention, remediation, and restoration efforts. Definitely check out the full guide for a deeper dive.
With that said, here’s what you should do immediately in the event of an attack.
Time is of the essence. Upon detecting suspicious activity, immediately disconnect or power down compromised systems to prevent further spread. Prioritize isolating critical systems essential for daily operations and student learning. This might involve physically unplugging devices from the network or taking them offline at the switch level.
Identify and prioritize the most essential systems that need immediate restoration, considering factors like:
By identifying quickly recoverable systems, you can prioritize their restoration, minimizing business disruption and data loss. Recovering critical systems first ensures core functionalities resume swiftly, reducing operational downtime and its financial impact.
If you have such systems in place, analyze the log files from anti-virus, endpoint detection and response (EDR), and intrusion detection/prevention systems (IDS/IPS) for signs of precursor malware, such as Emotet or QakBot, that indicate a potential network compromise. Early detection of these tools can help identify affected systems quickly.
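As an added illustration (not code from the post or from the CISA/MS-ISAC guide), the script below triages a constructed set of AV/EDR/IDS log lines for the precursor families named above and groups the hits per host, ordered by first sighting so the earliest-affected machines are isolated first. The one-line-per-event layout and the family names beyond Emotet and QakBot are assumptions; adapt the regex to your own product's export format.

```python
import re

# Precursor families named in the post, plus a few common ones (assumed list;
# extend with the detection names your AV/EDR vendor actually uses).
PRECURSOR_FAMILIES = ("emotet", "qakbot", "qbot", "trickbot", "icedid")

# Constructed sample lines in an assumed "timestamp host source message" layout,
# not real vendor output.
SAMPLE_LOG = """\
2024-03-04T08:12:31Z lib-pc-07 av Threat detected: Trojan.Emotet in C:\\Users\\s.lee\\AppData\\Local\\Temp\\inv.doc
2024-03-04T08:15:02Z lib-pc-07 edr Office process spawned a scripting host on lib-pc-07
2024-03-04T09:40:11Z admin-ws-02 ids ET MALWARE Win32/Qakbot CnC Checkin to 203.0.113.5
2024-03-04T09:41:55Z admin-ws-02 av Threat quarantined: W32/QakBot.gen
2024-03-04T10:02:00Z lab-pc-19 edr Scheduled task created: updater by svc_backup
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<src>\S+)\s+(?P<msg>.*)$")


def find_precursor_hits(log_text):
    """Return {host: {"families": set, "sources": set, "first_seen": ts}} for
    every host whose log lines mention a known precursor family."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        msg = m["msg"].lower()
        families = {f for f in PRECURSOR_FAMILIES if f in msg}
        if not families:
            continue
        entry = hits.setdefault(
            m["host"], {"families": set(), "sources": set(), "first_seen": m["ts"]}
        )
        entry["families"] |= families
        entry["sources"].add(m["src"])
        # ISO-8601 UTC timestamps sort lexicographically, so min() is safe here.
        entry["first_seen"] = min(entry["first_seen"], m["ts"])
    return hits


def isolation_order(log_text):
    """Hosts to isolate, earliest sighting first (likely closest to patient zero)."""
    hits = find_precursor_hits(log_text)
    return sorted(hits, key=lambda h: hits[h]["first_seen"])


if __name__ == "__main__":
    for host, info in find_precursor_hits(SAMPLE_LOG).items():
        print(host, sorted(info["families"]), sorted(info["sources"]), info["first_seen"])
    print("isolate in order:", isolation_order(SAMPLE_LOG))
```

Hosts that show up in more than one source (AV and IDS agreeing, as admin-ws-02 does here) deserve the highest confidence, while hosts with no hits such as lab-pc-19 are candidates for the "appears unaffected" list mentioned earlier.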
Don’t assume initial containment stops the threat. The initial compromise you discover might just be the tip of the iceberg. Attackers often move laterally within a network, compromising additional systems and establishing persistence mechanisms before deploying ransomware. Proactively search for additional compromised systems and malicious activity beyond initial detection. Look for:
Early detection of additional compromised systems allows you to isolate them and prevent attackers from moving deeper into your network or exfiltrating sensitive data.
Refer to your pre-established cyber incident response plan for clear notification procedures. Inform internal stakeholders like IT staff, school administration, and leadership teams.
Promptly report the incident to relevant authorities as outlined in your plan. This might include CISA, FBI, local law enforcement agencies, or your cyber insurance provider. Collaborating with these entities can provide valuable assistance and expertise.
Don’t hesitate to seek help from cybersecurity professionals with experience in ransomware response. They can provide guidance, conduct forensics, and assist with recovery efforts.
Balance transparency with responsible communication. Share accurate information with stakeholders while respecting data privacy and avoiding unnecessary panic. Consider developing communication strategies for different audiences, including students, parents, and the public.
While containment is a priority, it’s equally important to collect and preserve evidence for potential forensic analysis later. This might include system images, memory captures, log files, malware samples, and ransom notes. Follow best practices for evidence handling to maintain chain of custody and admissibility in potential legal proceedings.
Disable ransomware processes running on infected systems and delete associated files. Always speak to a cybersecurity expert before attempting decryption; certain techniques might invalidate ransom demands without any guarantee of success.
Investigate and secure compromised accounts or systems used to gain initial access. This might involve resetting passwords, implementing multi-factor authentication (MFA), and patching vulnerabilities exploited by attackers.
12. Rebuild Clean Systems
Next, prioritize rebuilding critical systems with clean backups that haven’t been exposed to ransomware. Implement security best practices during this process, including:
This will help the school regain some stability in operations.
Don’t repeat past mistakes. Conduct a thorough vulnerability assessment and remediation across your entire IT infrastructure. Patch identified vulnerabilities, update your software, and strengthen your existing security controls to prevent future attacks.
Carefully restore data from backups onto clean systems, prioritizing critical data and making sure that no residual malware remains before full restoration. Consider conducting test restores on isolated systems before proceeding fully.
Review the incident response process and identify areas for improvement. Document key learnings, challenges faced, etc. That way, if there is another attack, you can learn from the lessons of the past and save precious time in your response.
Ransomware is a persistent threat – even against schools like yours. It may never happen to you, but if it does, be ready for action. Learn how Coro can protect your school against ransomware and other threats.