At about 6:30 in the morning on a Monday last year, Brad Stewart got a text informing him that a principal of one of Lufkin ISD’s schools couldn’t log into the system.
After Stewart, the chief technology officer of the Texas district, got to his office, he learned the problem was much more extensive than that one principal’s inability to log in.
On the previous Friday evening hackers based in the Netherlands had gained control of four of the district’s security camera servers, and with that access, moved and encrypted district data all weekend. By Monday morning all the district’s virtual servers had been encrypted, essentially shutting down everything that relied on technology. The hackers were asking for $1.5 million dollars in bitcoin to restore the stolen data.
“When you take an entire network down, you lose things like time clocks, you lose things like air conditioning, you lose a way to check students in and out, you lose grades,” Stewart says. “Everything was down. It really left us paralyzed.”
Stewart and his team were able to restore basic services within a couple of weeks and worked tirelessly over the next six months to get most everything back online and to ensure the district would be less vulnerable in the future. For these efforts, Stewart was given an award for Best Implementation of Data Privacy at the Tech & Learning Innovative Leader Awards in Texas.
Ever since his district’s ransomware attack experience, Stewart, who is the Texas Computer Education Association Area 7 director, has been sharing the story so other districts can avoid going through what his district experienced.
1. School Ransomware Attack: Get 24-Hour Protection
Many districts don’t have the funding to have a staff member monitor servers 24 hours per day to prevent a ransomware attack. Hackers know this, which is why they tend to target schools on weekends and holidays, Stewart says.
To stop such attacks, Stewart recommends hiring a 24/7 monitoring service so someone can always spot strange activity. “If I had known they were starting to make changes that Friday night, which would have shown up with 24/7 monitoring, we could have pulled the plug and prevented everything,” Stewart says. “I've actually given the people that run that service the ability that if we see a ripple, anything, pull the plug, let's figure it out in the morning.”
2. Make Sure You Have Strong Backups
Once you have 24-hour protection, the next step to preventing and overcoming a ransomware attack is backing up data. “Make sure you have good backups, whether that's in the cloud or off-site, or if it's a second site,” Stewart says.
In addition to having quality system backups in place, Stewart recommends regular testing to ensure those systems are secure, working, and up to date.
3. Harden Your Network's Defenses
“Strengthen passwords, make sure that you have a good firewall in place,” Stewart says. Moving to two-factor authentication for all with access to the network is another way to provide extra protection, and something Lufkin ISD had not done prior to becoming a ransomware attack victim.
Staff members might push back against some of these changes, but the educators in Stewart’s district learned the hard way why such precautions are necessary. “You let people go with no internet for two months, and they'll do just about anything you tell them to do after that,” he says.
4. Be Aware of What’s Stored on Your Network
Prior to the ransomware attack some departments at Lufkin ISD had been storing data digitally without proper encryption. “Accounting had stuff that shouldn't have been on their desktop,” Stewart says. “HR was keeping people's information that had social security numbers and stuff in it.”
Stewart advises having conversations with department heads about the types of information that is being stored and then figuring out how to keep that information safe. Doing this before a ransomware attack can ultimately save time and money. “We ended up having to give a credit monitoring service to every employee in our district due to the fact that someone had left those files on there,” he says.
5. Have a Hardcopy of a Ransomware Response Plan
“You need to have a disaster recovery plan for anything--it could be for fire, flood, hurricane, and a ransomware attack,” Stewart says. The recovery plan for a ransomware attack should include contacts at your insurance company, the name of a cybersecurity lawyer who is picked out in advance, and a plan to notify the appropriate law enforcement agencies. This document should make clear the district’s priorities and who should be called first, Stewart says.
It’s also vital for ransomware preparation that you go old school and print this plan. “It needs to be paper,” Stewart says. “It's stupid to have a digital one because you're not gonna be able to get to it.”