by Alexander Huls, EdTech Magazine
Sateesh Narahari of ManagedMethods shares why districts must protect their cloud-based software from cybercriminals who are using a new type of ransomware attack.
The pervasive threat of ransomware has taken on a new dimension in the past two years. Now, districts have to worry about ransomcloud attacks, in which hackers try to breach cloud services such as G Suite and Office 365, encrypt data and emails, then demand a ransom.
Ransomcloud has quickly become a significant threat, especially to K–12 institutions. The shift to remote learning led more schools to move to the cloud, with many opting for multicloud environments, which have introduced legions of vulnerable new endpoints for hackers to exploit.
Last year, K–12 experienced 408 cyberattacks across 377 districts. When any ransomware attack succeeds, it can be devastating. For example, Judson ISD in Texas fell victim to an attack that interrupted communications, and Baltimore County Public Schools had to spend more than $8 million recovering from a similar attack.
To better understand what school districts can do to protect themselves, we spoke with Sateesh Narahari, chief product officer at ManagedMethods, a company specializing in identifying security risks in K–12 Google Workspace and Microsoft 365 accounts.
EDTECH: How exactly does a ransomcloud attack occur in a K–12 institution?
NARAHARI: The attacks occur when victims install an app or give an app permission to access the cloud environment. The app might ask, “Can I read your email and access files on your behalf?”
Then a pop-up appears that asks “Will you grant these permissions to this app?” and the user clicks “yes” — it’s game over at that point. You’ve given away the keys to your email, and hackers will start encrypting.
Typical attack vectors are email-based. Hackers might start with a spear phishing attack targeting a school administrator, superintendent or a principal and get them to click on “authorize an app.” Once in there, they start spreading, because if someone gets a legitimate-looking email from the principal, they’ll most likely click on the link. This is why school districts have to carefully review what apps are being installed and what permissions are being granted.
EDTECH: Why is K–12 being targeted by cybercriminals in these attacks?
NARAHARI: For a couple of reasons. First, K–12 was one of the earlier adopters of cloud-based email systems. Second, K–12 is understaffed and under-resourced — the IT person who is trying to protect the environment is also the person who is handling 500 Chromebooks when school starts.
Third, K–12 is a high-yield target. If a school district is impacted, the community is impacted, and school administration will want to resolve the problem quickly. Hackers know they can get results. They want to attack a school district, get paid and move on to the next target.
EDTECH: How can schools be proactive about preventing ransomcloud attacks?
NARAHARI: Every school should have security awareness and an education program. Attacks predominantly get through on the staff side — teachers and school administrators. Educate these users on how to recognize phishing emails. You might do something like a phishing simulation. There are also vendors who look at what is going on in a school environment, what apps are being installed and what permissions are being granted. And every organization should be setting up multifactor authentication.
Awareness is increasing, which is good. The bad news is that the attacks are also increasing. It’s a numbers game. At the end of the day, the good guys have to be right 100 percent of the time. The bad guy has to be right just one time. If they get in, they get in. The numbers are stacked against the good guys. So, we do everything we need to do, but it takes just one user to make a mistake, and then the ransomware comes in.
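An added editorial example, not part of the interview or of ManagedMethods' product: a small Python audit that scores third-party OAuth grants by the kind of access Narahari describes (reading and modifying mail and files on the user's behalf) and flags a high-risk app that many users have authorized, the trace a consent phish leaves as it spreads from account to account. The scope strings are real Google OAuth scopes; the grant records, app names and risk weights are constructed assumptions.

```python
# Flag third-party OAuth grants that hand an app the mailbox and Drive access a ransomcloud operator needs.

# Scope strings are real Google OAuth scopes; the risk weights are this example's assumption.
SCOPE_RISK = {
    "https://mail.google.com/": 10,                       # full mailbox read/write/delete
    "https://www.googleapis.com/auth/gmail.modify": 8,    # read, relabel, delete mail
    "https://www.googleapis.com/auth/gmail.send": 6,      # send mail as the user
    "https://www.googleapis.com/auth/drive": 10,          # every file in Drive
    "https://www.googleapis.com/auth/drive.file": 1,      # only files the app itself created
    "https://www.googleapis.com/auth/userinfo.email": 0,
}
UNKNOWN_SCOPE_RISK = 2  # assumption: any unlisted scope gets a small, nonzero weight

# Constructed grant records (not real data), shaped loosely after a Workspace OAuth token report.
GRANTS = [
    {"user": "principal@example.edu", "app": "Mail Merge Helper",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"user": "teacher1@example.edu", "app": "Mail Merge Helper",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"user": "teacher2@example.edu", "app": "Mail Merge Helper",
     "scopes": ["https://www.googleapis.com/auth/gmail.modify",
                "https://www.googleapis.com/auth/drive"]},
    {"user": "teacher3@example.edu", "app": "Gradebook Sync",
     "scopes": ["https://www.googleapis.com/auth/drive.file",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"user": "admin@example.edu", "app": "Calendar Widget",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

def score_grant(grant):
    """Sum the risk weight of every scope the user granted to the app."""
    return sum(SCOPE_RISK.get(s, UNKNOWN_SCOPE_RISK) for s in grant["scopes"])

def risky_grants(grants, threshold=8):
    """Grants at or above the threshold, highest risk first, as (score, app, user)."""
    rows = [(score_grant(g), g["app"], g["user"]) for g in grants]
    return sorted((r for r in rows if r[0] >= threshold), reverse=True)

def spreading_apps(grants, min_users=3, threshold=8):
    """High-risk apps authorized by many distinct users: the pattern left behind
    when a consent phish hops from one mailbox to the next."""
    users_by_app = {}
    for g in grants:
        if score_grant(g) >= threshold:
            users_by_app.setdefault(g["app"], set()).add(g["user"])
    return {app: len(u) for app, u in users_by_app.items() if len(u) >= min_users}

if __name__ == "__main__":
    print(risky_grants(GRANTS), spreading_apps(GRANTS))
```

Run against a real export, the output is a review queue for the IT staff, not a verdict: an app with full mail and Drive scope may be legitimate, but three staff accounts authorizing it in quick succession is what to check first.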
EDTECH: What should a district do if it falls victim to a ransomcloud attack?
NARAHARI: District leaders should not be shy about asking for help. There are resources available that they should tap into, and they should immediately contact local law enforcement, who can put them in touch with the FBI or DHS. Both agencies have experts who deal with this day in and day out.
The next thing to do is to isolate the impact. If one account is known to be a victim, perhaps deactivate that account temporarily. Shut down any affected servers, instances or environments. Take them offline so it doesn’t spread. Then, notify the stakeholders and work out a communication plan with the users.