Ransomware is a devastating type of cyber threat—use this checklist to keep your district safe
A recent CoSN EdTech Survey reported that nearly 100% of K-12 schools in the United States are either currently using cloud computing or are planning to migrate to the cloud within the next 12 months. In your district, you’re likely using either Google Workspace, Microsoft 365, or both. And, yes, both Google Workspace and Microsoft 365 are cloud-based SaaS applications.
Layered on those apps, there are likely a variety of other cloud applications used by students, teachers, and administrative staff. In fact, there is a good chance that dozens of cloud apps are connected to your district’s Google and/or Microsoft 365 environment through OAuth grants that you don’t know about, with permissions you have never reviewed and for purposes nobody can explain. It’s a relatively new and easy way for attackers to break in.
Cybercriminals are incentivized to pivot to attacking cloud-based systems and data simply because so many schools, businesses, and other organizations are moving to the cloud. Simply put, they’re going to go where the data—and the money—is.
At the same time, many K-12 IT teams focus their cybersecurity budgets on establishing strong perimeter defenses and assume all activities within the perimeter are safe. But, with nearly 100% of schools creating, storing, accessing, and sharing data in Google Workspace and/or Microsoft 365, all that data exists outside of the “protected” perimeter.
This means that schools effectively have a giant blind spot right where a vast majority of their data is located. And the criminals know it. They have become more sophisticated—attacking from every angle possible, rather than just relying on brute force. They are using “trusted” activity in the cloud against you to launch devastating ransomware, phishing, and fraud attacks on vulnerable school districts.
Ransomware in the cloud is a growing problem for school districts, which is why we created a ransomware checklist for you!
6 Step School Ransomware Checklist
There are many ways to protect yourself from ransomware attacks. For example, the participants in our recent panel discussion identified some excellent school ransomware protection tips. They talked about the importance of maintaining 24/7 K-12 cybersecurity monitoring and detection, establishing a written data use policy, managing third-party vendors, and implementing an automated response system.
This checklist will help you protect yourself from ransomware attacks by identifying specific actions you need to take on a regular basis.
1. Find and Delete Phishing Emails
Cybercriminals use phishing emails to trick someone in your district into clicking a link or downloading a file. Once that happens, they can gain access to your systems from the inside. The high (and continually increasing) cost of phishing makes controlling it a high priority for school districts.
The days of easy-to-identify phishing emails are over. Attackers have become far more sophisticated and craft messages that look like official correspondence from a trusted source, such as a bank.
Google provides an Investigation Tool that is available for Google Workspace Education Standard and Plus. The tool helps you to find everyone who has received a phishing email and delete it from their Gmail inboxes.
Microsoft offers Defender for Office 365. Once you have identified a malicious email, its Threat Explorer lets you select the affected messages manually, and automated investigation and response (AIR) can do the selection for you. Once a set of phishing emails has been identified, you can remove them from every mailbox that received them.
ManagedMethods can identify phishing emails for you 24/7, and offers a number of easy-to-use remediation and automation alternatives. Watch this short video to see how easy it is.
2. Identify and Remove Active Malware
Malware is any software written to harm a system or give an attacker unauthorized access to it: a virus, worm, trojan horse, or spyware, among others. In the case of ransomware, it is malware that gives the attacker access to your systems and encrypts your data so that users cannot access it until a ransom is paid. Increasingly, ransomware attackers also exfiltrate the data before they encrypt it. This gives them more leverage when negotiating the ransom, and it ensures they can still get paid, by selling the data on the dark web, even if the victim refuses to pay.
Gmail scans incoming mail by default: it displays a warning on suspicious messages and moves known-bad ones to the spam folder. In the Admin console, Gmail’s safety settings add deeper checks of attachments, links, and external images, and flag messages that spoof your domain name or an employee’s name, as well as unauthenticated messages that claim to come from your domain.
In Microsoft 365, anti-malware policies are managed either on the Anti-malware page in the Defender portal or from Exchange Online PowerShell. Either lets you add, modify, and delete anti-malware policies, including the common attachments filter that blocks executable file types outright.
ManagedMethods makes monitoring for malware throughout your Google Workspace and/or Microsoft 365 systems easy. Watch this short video to see how easy managing malware can be.
3. Detect and Remediate Suspicious Login Activity
Suspicious login activity is often a sign that an attacker is testing out their ransomware attack plan. It might include logins from countries where your district has no users, multiple logins from a user who rarely logs in, or a login from the US and another for the same user from China an hour apart (so-called impossible travel). This activity signals an account takeover risk to your environment, and it can be the prelude to a ransomware attack.
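The impossible-travel check described above is easy to run yourself over exported sign-in records. The following is an added example written for this checklist, not code from ManagedMethods, Google, or Microsoft. The sign-in records are constructed, the field names are an assumption (a real export from the Google login audit log or Azure AD sign-in logs will need a small mapping step), and the 900 km/h plausibility ceiling and 50 km jitter floor are assumptions to tune. Note that the test is implied ground speed, not a change of country: two logins from Denver and Miami ten minutes apart are just as impossible as Denver and Shanghai an hour apart.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in records (not real audit-log output). One JSON
# object per line, with the fields a sign-in log export typically carries:
# who, when, whether the sign-in succeeded, and the geo-IP location.
SAMPLE_SIGNINS = """
{"user": "jdoe@example-district.org", "ts": "2024-03-04T08:00:00Z", "ok": true, "country": "US", "city": "Denver", "lat": 39.74, "lon": -104.99}
{"user": "jdoe@example-district.org", "ts": "2024-03-04T09:00:00Z", "ok": true, "country": "CN", "city": "Shanghai", "lat": 31.23, "lon": 121.47}
{"user": "asmith@example-district.org", "ts": "2024-03-04T07:30:00Z", "ok": true, "country": "US", "city": "Denver", "lat": 39.74, "lon": -104.99}
{"user": "asmith@example-district.org", "ts": "2024-03-04T12:15:00Z", "ok": true, "country": "US", "city": "Boulder", "lat": 40.01, "lon": -105.27}
{"user": "bwong@example-district.org", "ts": "2024-03-04T10:00:00Z", "ok": true, "country": "US", "city": "Denver", "lat": 39.74, "lon": -104.99}
{"user": "bwong@example-district.org", "ts": "2024-03-04T10:10:00Z", "ok": true, "country": "US", "city": "Miami", "lat": 25.76, "lon": -80.19}
{"user": "bwong@example-district.org", "ts": "2024-03-04T10:11:00Z", "ok": false, "country": "RU", "city": "Moscow", "lat": 55.75, "lon": 37.62}
"""

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0      # assumption: ignore geo-IP jitter inside one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_signins(text):
    """Parse JSON-lines sign-in records into dicts with a UTC datetime."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive successful sign-ins by the same user whose implied
    ground speed exceeds max_kmh. Only successful sign-ins count: a failed
    attempt from abroad is a password-spraying signal, not travel."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            # two far-apart logins in the same second give infinite speed, still a finding
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append({
                    "user": user,
                    "from": f'{prev["city"]}, {prev["country"]} @ {prev["ts"]:%H:%M}',
                    "to": f'{cur["city"]}, {cur["country"]} @ {cur["ts"]:%H:%M}',
                    "km": round(km), "hours": round(hours, 2), "kmh": round(speed),
                })
    return findings


if __name__ == "__main__":
    for f in impossible_travel(parse_signins(SAMPLE_SIGNINS)):
        print(f"{f['user']}: {f['from']} -> {f['to']} ({f['km']} km in {f['hours']} h, {f['kmh']} km/h)")
```

Run against the constructed records, this flags jdoe (Denver to Shanghai in an hour) and bwong (Denver to Miami in ten minutes, same country), and ignores asmith's Denver-to-Boulder hop and bwong's failed attempt from Moscow. A finding is a reason to check the account's sessions and OAuth tokens and revoke them, not proof of compromise on its own: VPNs and mobile carrier geo-IP produce the same pattern.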
Google offers advice for investigating an account after you’ve identified suspicious behavior. You have access to a login audit log, email log search, OAuth Token audit log and more. You can revoke access to the affected account.
Microsoft provides a checklist to follow once a user has noticed and reported unusual activity in their mailbox. Investigative tools include the unified audit log, the admin audit log, and Azure AD sign-in logs.
ManagedMethods provides a complete system to filter logs based on suspicious activity to find issues before they become big problems. Watch this short video to see this time-saving approach.
4. Detect and Delete Lateral Phishing Emails
Lateral phishing emails are a very devastating type of phishing email because they come from a trusted internal source. A hacker will take over the account of someone in your domain and the phishing emails they send look authentic because they are in fact being sent from an approved user’s account.
Once an account is successfully compromised, cybercriminals are increasingly using lateral phishing to send more phishing emails and take over more and/or higher-level accounts. It makes it extremely easy to ask the recipient to click on a link or provide sensitive information. Lateral phishing emails are hard for conventional email protection to spot: they originate from a legitimate mailbox, so SPF, DKIM, and DMARC all pass, and the sender is already known to the recipient.
According to the USENIX Security paper Detecting and Characterizing Lateral Phishing at Scale, lateral phishing is used against a wide range of organizations, and the resulting financial harm runs into the billions of dollars.
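Because sender authentication passes, lateral phishing has to be caught from behaviour rather than headers. The following is an added example for this checklist, not code from ManagedMethods or from the USENIX paper: it looks for the pattern the paper describes, an internal mailbox that suddenly sends link-bearing mail to many distinct recipients it has never written to before, within a short window. The message metadata is constructed, the district domain and the thresholds (15-minute window, 8 recipients, 75% never-before-emailed) are assumptions, and the example also handles the cold-start problem: with no history, a legitimate all-staff bulletin looks exactly like a burst, so a baseline period is fed in first.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INTERNAL_DOMAIN = "example-district.org"   # assumption: the district's mail domain


def _addr(i, prefix="staff"):
    return f"{prefix}{i}@{INTERNAL_DOMAIN}"


# Constructed outbound-mail metadata (not real logs): sender, UTC timestamp,
# recipient list, whether the body carried a URL, and the subject.
SAMPLE_MESSAGES = [
    # jdoe's normal history: a couple of colleagues, emailed repeatedly
    ("jdoe@example-district.org", "2024-02-20T09:00:00Z", ["asmith@example-district.org"], False, "Grades"),
    ("jdoe@example-district.org", "2024-02-27T14:00:00Z", ["asmith@example-district.org", "bwong@example-district.org"], True, "Field trip form"),
    # the principal's weekly notice: many recipients and a link, but the same list every week
    ("principal@example-district.org", "2024-02-26T07:00:00Z", [_addr(i) for i in range(30)], True, "Staff bulletin"),
    ("principal@example-district.org", "2024-03-04T07:00:00Z", [_addr(i) for i in range(30)], True, "Staff bulletin"),
    # jdoe's account after compromise: four link-bearing messages in eight minutes
    # to twelve people this mailbox has never written to before
    ("jdoe@example-district.org", "2024-03-04T09:30:00Z", [_addr(i, "t") for i in range(0, 3)], True, "Shared document"),
    ("jdoe@example-district.org", "2024-03-04T09:32:00Z", [_addr(i, "t") for i in range(3, 6)], True, "Shared document"),
    ("jdoe@example-district.org", "2024-03-04T09:35:00Z", [_addr(i, "t") for i in range(6, 9)], True, "Shared document"),
    ("jdoe@example-district.org", "2024-03-04T09:38:00Z", [_addr(i, "t") for i in range(9, 12)], True, "Shared document"),
    # an external sender is ordinary inbound phishing, out of scope for this check
    ("billing@example-vendor.net", "2024-03-04T09:40:00Z", [_addr(i) for i in range(20)], True, "Invoice"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _parse(rec):
    sender, ts, rcpts, has_url, subject = rec
    return {"sender": sender, "ts": _ts(ts), "rcpts": set(rcpts), "has_url": has_url, "subject": subject}


def lateral_phishing_candidates(messages, window_min=15, min_recipients=8,
                                min_new_ratio=0.75, baseline_until=None):
    """Flag internal senders who, inside a sliding window, send link-bearing mail
    to many distinct recipients most of whom that mailbox has never emailed.
    Messages before baseline_until only build the sender's history and are never
    evaluated, so the first ever all-staff bulletin is not reported as a burst.
    Thresholds are assumptions; tune them against your own mail volume."""
    cutoff_baseline = _ts(baseline_until) if baseline_until else None
    msgs = sorted((_parse(m) for m in messages), key=lambda m: m["ts"])
    seen = defaultdict(set)      # sender -> every recipient emailed before the current message
    recent = defaultdict(list)   # sender -> link-bearing messages still inside the window
    findings = {}
    for m in msgs:
        s = m["sender"]
        if not s.endswith("@" + INTERNAL_DOMAIN):
            continue
        in_baseline = cutoff_baseline is not None and m["ts"] < cutoff_baseline
        if m["has_url"] and not in_baseline:
            window_start = m["ts"] - timedelta(minutes=window_min)
            recent[s] = [w for w in recent[s] if w["ts"] >= window_start]
            recent[s].append({"ts": m["ts"], "rcpts": m["rcpts"],
                              "new": m["rcpts"] - seen[s], "subject": m["subject"]})
            all_r = set().union(*(w["rcpts"] for w in recent[s]))
            new_r = set().union(*(w["new"] for w in recent[s]))
            if len(all_r) >= min_recipients and len(new_r) / len(all_r) >= min_new_ratio:
                findings[s] = {"window_start": recent[s][0]["ts"], "messages": len(recent[s]),
                               "recipients": len(all_r), "new_recipients": len(new_r),
                               "subjects": sorted({w["subject"] for w in recent[s]})}
        seen[s] |= m["rcpts"]
    return findings


if __name__ == "__main__":
    for sender, f in lateral_phishing_candidates(SAMPLE_MESSAGES, baseline_until="2024-03-01T00:00:00Z").items():
        print(f"{sender}: {f['messages']} link-bearing messages to {f['recipients']} recipients "
              f"({f['new_recipients']} never emailed before) from {f['window_start']:%H:%M}, subjects {f['subjects']}")
```

With a baseline ending 1 March, only jdoe is reported; the principal's 4 March bulletin goes to thirty known recipients and passes. Run with no baseline, the principal's first bulletin is reported too, which is why the history period matters. The natural response to a hit is the same as for a suspicious login: suspend the account, revoke its sessions, and then use the search-and-delete tooling to pull the messages from recipients' inboxes.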
Google advises that users take advantage of the same tools used to find and delete malicious emails once you become aware of a suspicious email that has been received by multiple users.
Microsoft offers an approach to search for and delete email messages. After you connect to Security & Compliance PowerShell, you create a search with New-ComplianceSearch for a specific malicious email, using either a date range and subject line or a sender address and subject line, and run it with Start-ComplianceSearch. Once the emails are identified, the New-ComplianceSearchAction cmdlet with the -Purge switch deletes them. A purge removes at most 10 items per mailbox per action, so a large campaign needs a tightly scoped query or repeated runs.
ManagedMethods provides tools that help your team identify and control lateral phishing emails specifically. Watch this short video to see how we make thwarting lateral phishing attacks easy.
5. Detect and Control Third-Party Apps
Cybercriminals are increasingly using third-party apps to execute ransomware attacks, largely through OAuth grants: the user consents once, and the app holds a token that gives it API access to the account. Unfortunately, third-party app ransomware threats are often overlooked by district IT teams.
Abusing an approved third-party app means that attackers don’t have to defeat your district’s defenses: the app’s token is honored directly by Google’s or Microsoft’s APIs, without a fresh password or MFA challenge. It also means they can attack a broader range of districts and organizations that use the same app. Once the app has given the attacker access, they can mount a ransomware attack just as easily as if they had logged into your cloud directly.
In the Google Admin console, API controls let you mark each third-party app as trusted, limited, or blocked, and restrict which apps can reach sensitive scopes such as Gmail and Drive.
Microsoft lets you turn user consent for third-party apps off, or limit it to low-impact permissions from verified publishers, which forces users to request approval from the IT team through the admin consent workflow. You can also block all third-party API access.
ManagedMethods makes it easy to see what apps have been given access to your domain, what their permissions and risk levels are, and more. You can also easily sanction or unsanction apps, and create automated rules around what apps should automatically be removed from your domain. Watch this short video to see how easily you can control 3rd party apps in your Google and/or Microsoft 365 accounts.
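Deciding which connected apps to unsanction comes down to the scopes they hold. The following is an added example for this checklist, not ManagedMethods code or a Google or Microsoft API: it rolls a list of user-to-app grants (as an OAuth token audit export or a Graph consent export would list them) up per app, classifies each app by its most dangerous scope, and produces the list of apps whose tokens should be revoked. The grant records are constructed, the scope-to-risk mapping is an assumption covering a handful of real Google scope URLs and Microsoft Graph permission names, and any scope the map does not know is deliberately treated as high risk until someone reviews it, rather than silently passing.

```python
# Risk classes for OAuth scopes. Assumption-based starter mapping of Google OAuth
# scope URLs and Microsoft Graph delegated permission names; it is not complete,
# and anything not listed is surfaced as "unknown" so it gets a human review.
SCOPE_RISK = {
    # full or write access to mail, files, or the directory: enough to read,
    # exfiltrate, and encrypt or delete district data
    "https://mail.google.com/": "high",
    "https://www.googleapis.com/auth/gmail.modify": "high",
    "https://www.googleapis.com/auth/gmail.readonly": "high",
    "https://www.googleapis.com/auth/drive": "high",
    "https://www.googleapis.com/auth/admin.directory.user": "high",
    "Mail.ReadWrite": "high", "Mail.Read": "high", "Files.ReadWrite.All": "high",
    "Sites.ReadWrite.All": "high", "Directory.ReadWrite.All": "high",
    # broad read access, or a refresh token that keeps working after the user logs out
    "https://www.googleapis.com/auth/drive.readonly": "medium",
    "https://www.googleapis.com/auth/calendar": "medium",
    "Files.Read.All": "medium", "Calendars.ReadWrite": "medium", "offline_access": "medium",
    # identity only, or per-file access the user grants explicitly in a picker
    "openid": "low", "email": "low", "profile": "low",
    "https://www.googleapis.com/auth/userinfo.email": "low",
    "https://www.googleapis.com/auth/userinfo.profile": "low",
    "https://www.googleapis.com/auth/drive.file": "low",
    "User.Read": "low",
}
RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed grant records (not real audit-log output): one row per user-to-app
# consent, keyed by the app's client ID because display names are attacker-chosen.
SAMPLE_GRANTS = [
    {"app": "Quizzy Grader", "client_id": "1111.apps.example", "user": "jdoe@example-district.org",
     "scopes": ["openid", "email", "https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"app": "Quizzy Grader", "client_id": "1111.apps.example", "user": "asmith@example-district.org",
     "scopes": ["openid", "email", "https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"app": "LMS Connector", "client_id": "2222.apps.example", "user": "bwong@example-district.org",
     "scopes": ["openid", "https://www.googleapis.com/auth/drive.readonly",
                "https://www.googleapis.com/auth/admin.directory.user"]},
    {"app": "Fun Emoji Keyboard", "client_id": "3333.apps.example", "user": "student1@example-district.org",
     "scopes": ["openid", "profile", "https://www.googleapis.com/auth/drive.file"]},
    # Mail.Send is a real Graph permission that the starter map above omits,
    # so this app exercises the "unknown scope" path
    {"app": "Slide Helper", "client_id": "4444-aaaa", "user": "cmiller@example-district.org",
     "scopes": ["User.Read", "offline_access", "Files.ReadWrite.All", "Mail.Send"]},
]


def assess_apps(grants):
    """Roll grants up per app: worst scope class, the scopes driving it, users affected."""
    apps = {}
    for g in grants:
        a = apps.setdefault(g["client_id"], {"app": g["app"], "users": set(), "scopes": set()})
        a["users"].add(g["user"])
        a["scopes"].update(g["scopes"])
    report = {}
    for cid, a in apps.items():
        unknown = sorted(s for s in a["scopes"] if s not in SCOPE_RISK)
        known = [SCOPE_RISK[s] for s in a["scopes"] if s in SCOPE_RISK]
        worst = max(known, key=RANK.__getitem__, default="low")
        if unknown and RANK[worst] < RANK["high"]:
            worst = "high"   # unreviewed scope: assume the worst until a human classifies it
        report[cid] = {
            "app": a["app"], "risk": worst, "users": len(a["users"]),
            "high_scopes": sorted(s for s in a["scopes"] if SCOPE_RISK.get(s) == "high"),
            "unknown_scopes": unknown,
        }
    return report


def revocation_candidates(report, sanctioned=()):
    """Client IDs to block and whose tokens to revoke: high risk and not on the
    sanctioned list, most widely installed first so the biggest exposure goes first."""
    hits = [cid for cid, r in report.items() if r["risk"] == "high" and cid not in sanctioned]
    return sorted(hits, key=lambda cid: (-report[cid]["users"], report[cid]["app"]))


if __name__ == "__main__":
    rep = assess_apps(SAMPLE_GRANTS)
    for cid in revocation_candidates(rep, sanctioned={"2222.apps.example"}):
        r = rep[cid]
        print(f"{r['app']} ({cid}): {r['risk']} risk, {r['users']} user(s), "
              f"high scopes {r['high_scopes']}, unknown scopes {r['unknown_scopes']}")
```

The sanctioned set is where your approved-app list goes: LMS Connector holds a directory-admin scope, which is high risk on its face, but it is a known integration and so is kept out of the revocation list. Quizzy Grader, with full Gmail and Drive access on two accounts, and Slide Helper, with write access to all files plus an unclassified permission, are the ones to unsanction and whose tokens to revoke.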
6. Automate Remediation
Ransomware attacks can happen in the blink of an eye, but they don’t happen without warning. Automation tools can help you detect the ransomware early warning signs and take action to remediate the threat without human intervention.
Google lets you set up activity rules in the Admin console that trigger alerts or actions, and lets you save a security investigation tool query as a rule so its actions run automatically.
Microsoft provides preset security policies (Standard and Strict) whose settings are fixed, along with the tools you need to assign them to your users.
ManagedMethods provides tools to manage both turn-key and customizable automation policies. Watch this short video to see how easily you can trigger automated responses.
Your Complimentary Copy of the Ransomware Checklist
The threat from K-12 ransomware attacks is very real, and the attacks are increasing in severity. We created this ransomware checklist to help you protect your district before you become another statistic.
Feel free to download the Ransomware Protection Checklist and use it to help your district win the fight against ransomware criminals.