The FBI has identified a strain of malware that is specifically designed to target schools. It has been tracking the campaign since March 2020, and in March 2021 it published guidance on the steps schools should take to mitigate the risk of a successful attack. The malware is shutting down school systems and draining already stretched budgets every week. This week we saw its true severity when a UK school was forced to close after its systems were compromised. So we must ask ourselves: how should we respond to an increasingly widespread issue such as this?
What is it? What does it do?
The malware is highly targeted: it goes after K-12, independent and public/state schools, so a wide range of organisations in the education sector is at risk. It operates by disabling the antivirus software on the network, systems, servers and services, then encrypts all connected Windows and/or Linux devices and their data. This renders critical files, databases, virtual machines, backups and applications inaccessible to users. Think about how many critical resources in your organisation depend on technology: it would become virtually impossible for your school to function and maintain an adequate level of teaching and learning.
How do I protect my school from this targeted malware?
Protecting your school in this case starts with a clear understanding of where the threat may come from and where it could get into your network. The FBI has published a list of email addresses and domains that are being used to target schools. Schools can use this information to make sure those email addresses and domains are blocked, reducing the risk of the malware reaching email inboxes or system services. The FBI document is available in the 'Further information and guidance' section at the bottom of this article.
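To show what "block the listed addresses and domains" looks like in practice, here is an added example (not code from 9ine or the FBI flash) that turns a pasted indicator list into a normalised blocklist and checks inbound From: headers against it. Every indicator and sender below is a constructed placeholder on reserved example/.invalid names; the real values are in the FBI document, and the sample headers stand in for what a mail gateway would see.

```python
"""
Added example (not from 9ine or the FBI flash): normalise an indicator list of
sender addresses and domains and check inbound mail senders against it.

All indicators below are constructed placeholders using reserved names.
"""
from email.utils import parseaddr

# Constructed indicator list in the loose shape such lists often arrive in:
# mixed case, stray whitespace, defanged dots ("[.]"), full addresses and
# bare domains, plus the odd blank line from copy-and-paste.
RAW_INDICATORS = [
    "Sender1@Malicious-Example[.]invalid",
    "  bad-domain.invalid  ",
    "attacker@EXAMPLE.NET",
    "",
]


def refang(value: str) -> str:
    """Undo the usual defanging so the value can be compared with live data."""
    return value.replace("[.]", ".").replace("(.)", ".")


def build_blocklist(raw):
    """Return (blocked_addresses, blocked_domains), both as lower-cased sets.

    A listed address blocks only that address: the list may contain accounts
    on shared mail providers, and blocking the whole provider would cut off
    legitimate parents and suppliers.
    """
    addresses, domains = set(), set()
    for item in raw:
        item = refang(item.strip().lower())
        if not item:
            continue
        if "@" in item:
            addresses.add(item)
        else:
            domains.add(item.lstrip("@"))
    return addresses, domains


def sender_is_blocked(from_header: str, addresses, domains) -> bool:
    """True if the From: address, or its domain or a parent domain, is listed."""
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if not addr or "@" not in addr:
        return True  # malformed sender: hold it for review rather than deliver
    if addr in addresses:
        return True
    domain = addr.rsplit("@", 1)[1]
    # Walk up the labels so mail.bad-domain.invalid matches bad-domain.invalid.
    labels = domain.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def filter_messages(from_headers, raw=RAW_INDICATORS):
    """Return the From: headers that the blocklist would stop."""
    addresses, domains = build_blocklist(raw)
    return [h for h in from_headers if sender_is_blocked(h, addresses, domains)]


if __name__ == "__main__":
    # Constructed sample From: headers as a mail gateway would see them.
    SAMPLE = [
        '"Finance Office" <sender1@malicious-example.invalid>',
        "Head Teacher <head@school.example>",
        "noreply@mail.bad-domain.invalid",
        "someone@example.net",
        "attacker@example.net",
    ]
    blocked = set(filter_messages(SAMPLE))
    for header in SAMPLE:
        print(f"{'BLOCK' if header in blocked else 'allow':5} {header}")
```

The domain walk is what makes a single listed domain also catch its subdomains, which is how most gateways treat a domain block rule; the deliberate asymmetry is that a listed address does not block its whole domain, so "someone@example.net" is still delivered while "attacker@example.net" is not.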
Why is this important now?
The information from the FBI allows schools to put preventative measures in place against the malware best known for seeking out and attacking schools. Attackers know that defences are generally weaker during the school summer break. They also know there is little point in launching an attack during the break, as the school then has plenty of time to respond and recover. Their favoured time to attack is the start of a new academic year or term. An attack at that point places significant reputational and operational pressure on schools, making them quicker to pay a ransom and more likely to agree to higher demands. Expect a lull in attacks over the summer and a surge at the start of the new academic year. Taking mitigating steps now will ensure your school is properly protected against this type of malware attack.
Reducing your risk of an attack by 85%
9ine’s research tells us that taking the following steps will significantly reduce the risk of your school suffering a successful malware attack. Here’s what we found:
- More than 50% of the vulnerabilities we identify in our cyber vulnerability assessments and penetration tests relate to update management or end-of-life systems. These weaknesses give an attacker a platform to exploit publicly known vulnerabilities and escalate their privileges once inside your school network. Establishing the total number of devices, systems and services that are not up to date, and bringing them up to date, will reduce your risk by 50%.
- A further 25% reduction in risk can be achieved through robust operational processes for managing the risks of security misconfiguration. This is where a system has been updated, but the update changed its security configuration and the change in protection was not picked up by IT personnel. Think about your phone after a large update: more often than not, certain settings change without you being aware of it. The same is true of school systems and services.
- Lastly, a further 10% reduction can be achieved through strong authentication methods. We regularly see default accounts and passwords in use on peripheral devices, yet through their configuration these devices have access to the school’s core systems. Default accounts and passwords are often one of the first things a hacker checks, as information on built-in accounts is publicly available on the internet. Our favourite is uninterruptible power supplies: the accounts and passwords on these are rarely changed. This gives us access to power off all services and, in some cases, to gain control of the server and all the data on it. It takes less than six seconds of someone’s time to change these settings, and doing so will protect your school.
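The three findings above are really three checks a school can run against its own asset inventory. The following added example (not 9ine's assessment tooling) triages a constructed inventory for out-of-date or end-of-life systems, security settings that have drifted from their approved baseline after an update, and peripheral devices such as a UPS still on default credentials. The inventory, baselines, dates and the 30-day patch window are constructed assumptions; the 50/25/10 weights are the article's figures, and using them as a simple score is also an assumption.

```python
"""
Added example (not 9ine's tooling): triage an asset inventory for the three
weaknesses the article describes. Inventory, dates and thresholds are constructed.
"""
from datetime import date

PATCH_SLA_DAYS = 30           # assumption: older patches count as "not up to date"
TODAY = date(2021, 6, 1)      # fixed so the example is reproducible

# Constructed inventory. "config" holds live security-relevant settings,
# "baseline" the settings approved when the system was hardened, and
# "default_credentials" is the outcome of a manual or vendor-tool check.
INVENTORY = [
    {"name": "dc01", "kind": "server", "eol": None, "last_patch": date(2021, 5, 20),
     "config": {"smbv1": False, "firewall": True}, "baseline": {"smbv1": False, "firewall": True},
     "accounts": [{"user": "Administrator", "default_credentials": False}]},
    {"name": "lib-pc-07", "kind": "workstation", "eol": date(2020, 1, 14), "last_patch": date(2019, 12, 1),
     "config": {"firewall": True}, "baseline": {"firewall": True}, "accounts": []},
    {"name": "finance-db", "kind": "server", "eol": None, "last_patch": date(2021, 5, 30),
     "config": {"smbv1": True, "firewall": True}, "baseline": {"smbv1": False, "firewall": True},
     "accounts": [{"user": "sa", "default_credentials": False}]},
    {"name": "ups-serverroom", "kind": "ups", "eol": None, "last_patch": date(2021, 4, 1),
     "config": {"telnet": False}, "baseline": {"telnet": False},
     "accounts": [{"user": "admin", "default_credentials": True}],
     "reaches": ["dc01", "finance-db"]},   # hosts the UPS can power off or log in to
]

WEIGHTS = {"update": 50, "misconfig": 25, "auth": 10}   # the article's 50/25/10


def find_update_issues(inv, today=TODAY):
    """End-of-life systems, then anything outside the patch window."""
    issues = []
    for a in inv:
        if a["eol"] and a["eol"] <= today:
            issues.append((a["name"], f"end of life since {a['eol']}"))
        elif (today - a["last_patch"]).days > PATCH_SLA_DAYS:
            issues.append((a["name"], f"no patch for {(today - a['last_patch']).days} days"))
    return issues


def find_config_drift(inv):
    """Every baseline setting whose live value differs, e.g. re-enabled after an update."""
    issues = []
    for a in inv:
        for key, expected in a["baseline"].items():
            actual = a["config"].get(key)
            if actual != expected:
                issues.append((a["name"], f"{key}: expected {expected}, found {actual}"))
    return issues


def find_default_accounts(inv):
    """Accounts still on default credentials, with the systems they can reach."""
    issues = []
    for a in inv:
        for acct in a["accounts"]:
            if acct["default_credentials"]:
                reach = ", ".join(a.get("reaches", [])) or "itself only"
                issues.append((a["name"], f"{acct['user']} on default credentials; reaches {reach}"))
    return issues


def posture(inv, today=TODAY):
    """Return findings per category and how much of the article's 85% is already secured."""
    findings = {
        "update": find_update_issues(inv, today),
        "misconfig": find_config_drift(inv),
        "auth": find_default_accounts(inv),
    }
    secured = sum(w for cat, w in WEIGHTS.items() if not findings[cat])
    return findings, secured


if __name__ == "__main__":
    findings, secured = posture(INVENTORY)
    for cat, items in findings.items():
        print(f"[{cat}] {len(items)} finding(s)")
        for host, detail in items:
            print(f"    {host}: {detail}")
    print(f"risk reduction secured: {secured} of 85 points")
```

The "reaches" field is the point of the UPS finding: a default account on a device nobody thinks of as important is only a 10% item until you record which core systems that device can power off or log in to, at which point it belongs at the top of the list.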
As you can imagine, our cyber team is pretty busy, working with schools from San Francisco to Leeds (UK), Bangkok and Tokyo to reduce their vulnerability to cyber attacks. Get in touch with us to protect yourself from an attack: join 9ine’s community of schools and learn from our experts about education-specific threats.
Join our webinar, Education Cyber: The ransom seeking malware missile attacking schools, on Thursday 17th June 2021 to learn more about this school-hunting malware.
Further information and guidance
Request an example cyber vulnerability assessment report to understand how you should identify and manage your cyber risk.
Further information on the FBI cyber flash is available here.
The UK NCSC has updated its guidance for schools, which is available here.