Ransomware attacks don’t just happen without warning. Detect and act on the early warning signs to stay ahead of the hackers
We all know that ransomware attacks are taking a tremendous toll on K-12 districts all across the country. Districts are closing classrooms, suspending remote learning, and paying out funds they don’t have, either as ransoms or as fees to the experts who help them recover from an attack. Add to that the internal staff time consumed by responding to and recovering from an attack, time that would otherwise have gone to other technology priorities.
That’s the bad news. The good news is that when you understand how cybercriminals mount a ransomware attack, you can look for warning signs that indicate you may be someone’s next victim.
Cybercriminals are careful when it comes to their work. They don’t typically find a vulnerability in your system and just dive in to start encrypting files. They usually start by searching your systems for a vulnerability, and then they’ll try different tactics to learn how to best exploit it.
Hackers will spend weeks or months testing your system. Once the full-blown attack has been unleashed, it’s difficult to detect and contain it fast enough. So, monitoring for ransomware early warning signs is critical.
No cybersecurity solution is 100% guaranteed to thwart any type of attack. You need to address issues such as zero trust security, multi-layered cybersecurity, visibility, and control. You also need to be able to respond quickly to these ransomware early warning signs because you never know when the real attack will take place.
Ransomware and the Cloud
Many school leaders think that app providers like Google and Microsoft are protecting them from attacks, but that’s not the case. It’s just one of the many cybersecurity myths that are making schools more vulnerable.
Once a hacker penetrates your perimeter defenses, network protection does nothing to keep them away from the data and controls in cloud apps like Google Workspace, Microsoft 365, and a variety of EdTech apps. Under these vendors’ shared responsibility model, the provider is only obliged to protect you from an interruption in service caused by the failure of their own systems or software. Protecting your data from cybercriminals is your responsibility.
Ransomware targeting Google cloud data, for example, is growing in popularity with ransomware gangs, largely because of the sheer amount of data now stored in the cloud compared with on-prem servers. Limited understanding and limited use of the cloud security controls available in Google apps, including Gmail, Drive, and Shared Drives, also contribute to this growing threat trend.
There are a range of things you can do to reduce your vulnerability to school ransomware attacks, which include creating a business continuity plan, patching your software on a timely basis, using multi-factor authentication wherever possible, updating your password policies, and conducting regular cybersecurity training and education.
Another vulnerability to address is the ransomware threat posed by third-party apps. Most tech directors think about third-party apps in terms of student data privacy, but OAuth risks and other potential vendor vulnerabilities can also expose your district’s data to a ransomware attack.
It’s sometimes easier for a hacker to access a third-party app than it is for them to penetrate your defenses. But, once they access the third-party apps that run on or interface with your systems, it’s just a short hop to accessing your systems.
9 Ransomware Early Warning Signs
Cybercriminals typically test your systems in various ways before they launch a full-blown ransomware attack. Here are key things you need to look for and respond to quickly.
1. Spam and Phishing Emails
It seems that no matter how much information is published about the dangers of spam emails, there are always people who can be fooled into clicking on a malicious link in an email. A phishing email may look like it’s coming from a trusted source such as a bank, credit card company, or an online service like PayPal.
2. Lateral Phishing Emails
A lateral phishing email comes from inside your district’s domain. It indicates that a hacker has launched a successful account takeover and they’re attempting to gain access to more accounts and data.
For example, a hacker might send an email from a teacher account to a payroll specialist asking them to click a link or download a file. If they are able to get the payroll specialist to do it, they can gain access to far more sensitive information than a teacher’s account is typically privy to.
3. Repeated Suspicious Login Activities
A few occasional failed logins are normal; someone forgets their password, for instance. But if you see a spike in the number of failed logins, especially across different accounts, it’s likely that someone is trying to break into your system.
The other thing to look for is suspicious successful logins. Examples of suspicious logins would be someone logging in from an unusual location and/or IP address. Or someone logging in from the US and then from China within a couple of hours of each other, which would be physically impossible.
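The two login patterns described above can be checked mechanically. The following is an added example, not code from the original article: it runs over a small set of constructed authentication events (field layout, coordinates and thresholds are assumptions) and flags a burst of failures across many accounts and a pair of successful logins too far apart to be the same person.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample auth events (not real district logs):
# (timestamp, user, result, country, latitude, longitude)
EVENTS = [
    ("2024-03-04T08:00:00", "tsmith",  "FAIL",    "US", 41.88, -87.63),
    ("2024-03-04T08:00:05", "jdoe",    "FAIL",    "US", 41.88, -87.63),
    ("2024-03-04T08:00:09", "payroll", "FAIL",    "US", 41.88, -87.63),
    ("2024-03-04T08:00:14", "mlee",    "FAIL",    "US", 41.88, -87.63),
    ("2024-03-04T08:00:20", "admin",   "FAIL",    "US", 41.88, -87.63),
    ("2024-03-04T09:10:00", "tsmith",  "SUCCESS", "US", 41.88, -87.63),
    ("2024-03-04T10:40:00", "tsmith",  "SUCCESS", "CN", 39.90, 116.40),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def failed_login_spike(events, window_s=60, min_accounts=4):
    """Flag a window where failures hit at least min_accounts distinct users.
    One user fumbling a password never trips this; a spray across accounts does."""
    fails = sorted((datetime.fromisoformat(t), u) for t, u, r, *_ in events if r == "FAIL")
    alerts = []
    for i, (t0, _) in enumerate(fails):
        users = {u for t, u in fails[i:] if (t - t0).total_seconds() <= window_s}
        if len(users) >= min_accounts:
            alerts.append((t0.isoformat(), sorted(users)))
            break  # one alert per burst is enough to trigger an investigation
    return alerts

def impossible_travel(events, max_kmh=900):
    """Flag consecutive successful logins by one user that would need
    travel faster than max_kmh (assumed ceiling for a commercial flight)."""
    last = {}  # user -> (time, country, lat, lon) of the previous successful login
    alerts = []
    for t, u, r, c, lat, lon in sorted(events):
        if r != "SUCCESS":
            continue
        now = datetime.fromisoformat(t)
        if u in last:
            pt, pc, plat, plon = last[u]
            hours = max((now - pt).total_seconds() / 3600, 1e-6)
            speed = haversine_km(plat, plon, lat, lon) / hours
            if speed > max_kmh:
                alerts.append((u, pc, c, round(speed)))
        last[u] = (now, c, lat, lon)
    return alerts
```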
4. Illegitimate Network Scanners
Someone on your team may use a network scanner like AngryIP or Advanced Port Scanner for a legitimate purpose. But, make sure you know who is running the scanner.
A hacker who gains access to one machine will often try to determine what else they can access on your network using a network scanner.
A network scanner you can’t account for could well be a hacker preparing for a ransomware attack.
5. Signs of Test Attacks
Before a ransomware attack, hackers will look for vulnerabilities and then test their find by launching a small-scale attack on a couple of machines to see how you respond and how quickly (if at all).
This approach gives them a chance to see how easily they can get past your defenses and how they should modify their full-blown attack. These small-scale attacks often look like they’re one-off or unrelated, but they’re often part of a bigger plan that could be weeks or months down the road.
6. The Presence of Known Hacker Tools
Mimikatz and Microsoft Process Explorer are two tools commonly used by hackers when they want to steal credentials. They also use applications like GMER, PC Hunter, Process Hacker, and IObit Uninstaller to disable security software.
Any sign of these tools on your systems should trigger an immediate investigation.
7. Attempts to Disable Active Directory and Domain Controllers
Another area where hackers are focusing is Active Directory. These attacks are less automated: attackers mount sophisticated campaigns with careful pre-planning.
In one incident reported by the security publication Dark Reading, hackers used the Remote Desktop Protocol to break into AD servers. They then added the ransomware tool Ryuk into the AD logon script. As a result, everyone who logged into that AD server was automatically infected.
8. Attempts to Corrupt Backups or Disable Security Software
In many cases, cybercriminals encrypt live data and ask for money in order for the district to regain access.
Some are starting to look for ways to corrupt backups or disable security software. A corrupted backup makes it impossible for the district to restore its data, while disabled security software gives the hackers full access.
9. Encryption of a Small Number of Devices
Cybercriminals know that the slower they work their way through your systems, the more difficult it will be to find them. However, they can move fast when it’s in their favor.
Right before they launch a full attack, they will often encrypt just a few devices to test how their plan is working. This is a clear signal that a scaled-up ransomware attack is imminent.
Ransomware attacks are undoubtedly the biggest K-12 cybersecurity headache for IT teams. The repercussions can be extensive. But those attacks don’t just happen all of a sudden. Set up processes and tools to monitor for these ransomware early warning signs, and take action when a red flag is triggered. Your ability to detect and remediate early attempts and smaller attacks will help make your district a less attractive target.