Guide to Combating Ransomware and Data Extortions at Schools and Higher Education Institutions (Part 1)

Ransomware is a type of malicious software that encrypts your files, rendering them inaccessible and unusable. Students or staff may unknowingly access malicious content, often through phishing emails, infected websites, or vulnerable software. This allows the ransomware to infiltrate your system.

The ransomware silently encrypts your files, including documents, photos, videos, and even system files. You’ll typically see a message on your screen demanding a ransom payment in exchange for the decryption key.

Faced with the loss of your precious data, you’re put under immense pressure to pay the ransom. However, experts often advise against it, as there’s no guarantee you’ll regain access, and it encourages cybercriminals. 

And while ransomware attacks can hit any organization, K12 and higher education institutions are the biggest targets

80% of schools have been subjected to ransomware attacks in 2023, up from 56% the previous year. The University of California and the Broward County Public Schools, the Athens Independent School District, Affton School District, Imperial Valley College, the University of Utah, and our second-largest school district, the Los Angeles Unified School District in California, have all been victims in recent years.

Ransomware attacks can shut schools down for days or even weeks and lead to devastating financial losses. Suffice it to say, it’s best to prepare. The Joint Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing & Analysis Center (MS-ISAC) have created a best practice Ransomware Guide to equip you and your school against the ever-growing threat of ransomware. 

If you work at a K12 school, college, or university, this article has gathered some best practices to proactively implement to prevent a ransomware attack, courtesy of CISA.  Check out the second part of our guide, which focuses on what to do after an attack was been detected.

1. Data Backup and Recovery

Maintain regular, encrypted backups of student data, staff data, and critical system configurations. This includes offline backups on secure storage devices (e.g., external hard drives) and cloud-based backups with strong access controls. Test backups regularly to ensure data integrity and restore functionality and develop a clear process for restoring data from backups in case of an attack.

2. Infrastructure Management

Wherever possible, minimize reliance on cloud resources due to limited IT expertise in schools. Explore self-hosted or managed solutions when possible. It’s important to 

regularly update and patch all systems (including laptops, desktops, and servers) with the latest security fixes. Consider network segmentation to isolate critical systems from non-essential ones.

Network segmentation can be achieved by implementing physical separation using firewalls and routers, logical separation using VLANs (Virtual Local Area Networks), or software-based micro-segmentation tools.

Firewalls or access control lists (ACLs) are used to define rules for what traffic can flow between different segments. This allows critical systems to communicate only with authorized devices and services while restricting access from non-essential systems.

Each segment’s traffic is monitored for suspicious activity, making it easier to detect and respond to potential threats before they impact critical systems.

3. Incident Response Planning

Develop a school-specific cybersecurity incident response plan outlining actions to take in case of an attack and ensure the plan complies with data breach notification laws in your state. Clearly define what constitutes a security incident in your organization, including data breaches, malware infections, unauthorized access attempts, etc., and

assign specific roles and responsibilities to each team member involved in the incident response process, including incident commander, technical analyst, communications lead, etc.

Be sure to prepare communication plans for notifying affected parties (students, parents, staff) promptly and transparently to mitigate physical and reputational damage. 

4. Security Measures

Implement multi-factor authentication (MFA) for all administrative accounts and student accounts where possible. Restrict remote desktop access to authorized personnel only with strong passwords and MFA. Always use web filtering and email filtering solutions to block malicious content and phishing attempts.

5. Credential Management

Enforce strong password policies with minimum length, complexity, and regular change requirements. Think of the qualities of a good password: 

  • Length: It should be at least 12 characters long. The longer, the better.
  • Complexity: Use a combination of uppercase and lowercase letters, numbers, and symbols.
  • Uniqueness: Create a unique password for each account. Never reuse passwords!
  • Unpredictability: Avoid using dictionary words, personal information, or common phrases.

Consider using password managers for complex password generation and secure storage.

It’s always a good idea to implement phishing simulations to educate students and staff on identifying suspicious emails.

6. Phishing Prevention

Educate students and staff on phishing awareness and safe online practices. Integrate cybersecurity awareness into the curriculum or staff development programs. Regularly update training materials to reflect evolving threats and encourage students and staff to ask questions and report suspicious activity without fear of judgment. Use engaging communication channels like posters, newsletters, and social media to keep cybersecurity awareness top-of-mind.

Use domain-based message authentication (DMARC) to prevent email spoofing. 

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a powerful tool against email spoofing, a common phishing tactic. It authenticates emails sent from your domain, preventing attackers from forging sender addresses. Implementing DMARC involves:

Set up DMARC policies that tell receiving mail servers how to handle emails that fail authentication. Options include quarantining or rejecting them. DMARC reports provide insights into email authentication attempts, helping you identify and address potential threats.

7. Prevention Against Social Engineering

Conduct regular cybersecurity awareness training for students, staff, and parents. Use protective DNS services to block access to known malicious websites.

8. Third-Party Risk Management

Schools rely on numerous third-party vendors, from transportation providers to software companies, to function effectively. However, these partnerships introduce third-party risk, the potential for harm caused by vulnerabilities, or security breaches within partner organizations. Protecting sensitive student data, faculty information, and school systems requires proactive Third-Party Risk Management (TPRM) practices.

Evaluate potential vendors thoroughly before onboarding them. This includes assessing their security practices, data privacy policies, and past breach history.

Establish clear contracts that outline vendor security obligations, data handling procedures, and incident response protocols, continuously monitor vendor performance, and conduct regular security assessments to identify potential risks and ensure compliance.

9. Follow General Best Practices

There are a few general best practices that every school should follow: 

  • Identifying all devices: This includes laptops, desktops, tablets, servers, printers, smartboards, and even classroom robots! Track serial numbers, models, and locations.
  • Mapping software licensing: Know what software you have, who uses it, and its expiration dates.
  • Documenting user accounts: List all accounts used by students, staff, administrators, and even third-party vendors.
  • Assigning specific access levels: Students only access learning tools, teachers manage grades, and admins have broader access.
  • Limiting administrative rights: Minimize accounts with full system control.
  • Enforcing granular permissions: Control access to specific files, folders, and functionalities within applications.

The benefit? Fewer users with extensive access means fewer potential entry points for attackers. If one account is compromised, the attacker’s reach is limited. You’ll also have a clearer understanding of who has access to what data.

10. Log Management

Log management involves collecting, storing, analyzing, and securing logs generated by various systems like servers, devices, applications, and network equipment. These logs contain valuable information about system activity, including:

  • User logins and access attempts
  • File modifications and data transfers
  • Software installations and updates
  • Security events and anomalies

Make sure to retain and secure logs from critical systems (network devices, servers, student devices) for at least a year. Keep monitoring logs for suspicious activity and investigate potential security incidents.

Tips To Remember

Bear in mind that you’ll need to adapt these practices to your school’s specific needs and resources. If possible, get guidance from cybersecurity experts or educational technology organizations. All aspects of cybersecurity – particularly ransomware prevention – need to be reviewed and updated so you can stay ahead of evolving threats. 

And if you’re looking for an effective and affordable cybersecurity solution, check out Coro.