Posted by Trevagh Stankard on Tue, May 11th, 2021
The pandemic changed the way the world worked and learned. Teachers had the unique experience of changing the way they worked and taught their students. They offered online teaching, which meant that students communicated mostly through VoIP (Voice over IP) applications and email. Threat actors picked up on the communication change in education and used phishing attacks designed to look like students handing in work. The emails had malicious attachments with macros that would download ransomware and encrypt teacher files, leaving teachers to choose between paying the ransom, restoring from backup, or permanently losing their critical files.
Educators Victims of New Ransomware Campaigns
As everyone acclimated to lockdown changes, educators set up online communication and websites so that students could ask questions and turn in assignments. The latest phishing campaign emulated communications between students and teachers. The sender claimed to be the parent of a student, and the message carried an attachment containing a malicious macro.
The message told the teacher that previous messages failed to deliver the student assignment. Researchers think that attackers harvested targeted teacher email addresses using faculty contact lists located on the school website. Because these pages include the teacher’s name, the attacker could then address the email with the teacher’s name, making the message look legitimate. After the teacher opened the attached file, the macro downloaded the ransomware executable files.
One aspect of this attack was that the malicious executables sent an SMS message to the attacker, alerting them to a new victim. Another unique aspect of this ransomware strain was that it was written in the Go programming language, unlike many other strains in the wild. Files encrypted by the ransomware are listed in a text file named “About_Your_Files.txt” and stored on the user’s desktop.
The ransomware targeted individuals and not businesses. Enterprise-level attacks ask for tens of thousands of dollars forcing the business to pay the ransom or lose access to critical data. Ransomware targeting teachers asks for $80 in bitcoin, making it affordable so that individuals can pay the ransom instead of recovering from backups. Enterprise-level ransomware authors ask for larger amounts knowing that businesses have more available funds.
Ransomware Delays Classes Across the US
Because schools don’t often have the necessary resources to stop sophisticated attacks, they are primary targets for ransomware. Throughout 2020, ransomware delayed class sessions across several schools in the US. For example, ransomware delayed a Hartford, Connecticut school on its first day of class. The ransomware in this attack targeted 200 city servers, blocking the school from obtaining rosters and student information.
In September 2020, a ransomware attack hit the Clark County School District in Las Vegas, Nevada. School officials refused to pay the ransom, and in return attackers publicly posted social security numbers, student grades and other private data collected by their malware. This incident is typical of what happens when victims refuse to pay the ransom. In many cases, attackers blackmail the targeted victim with exposure of private data, which can be just as damaging or even more damaging than losing the data itself.
How Schools Can Defend Against Ransomware
Aside from cybersecurity controls that stop traditional malware, ransomware requires education, email filters, and backups. Backups are a primary reactive defense against ransomware. Should malware encrypt files, the backups make it possible for schools and other organizations to restore data without paying the ransom. Backups should be stored off-site so that ransomware cannot access them. Cloud backups are primarily used in disaster recovery strategies required after a ransomware attack.
Email filters are another cybersecurity strategy. Being proactive, an educational organization can stop ransomware attachments before they reach targeted user inboxes. With email filters, the system detects malicious messages and attachments and sends them to a quarantine. The quarantine is a safe storage location where administrators can review email content and determine if it’s a false positive. If it’s a false positive, administrators forward it to the recipient’s inbox. Messages containing malware can be deleted or reviewed further.
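The attachment check such a filter performs can be sketched as follows. This is an added example, not code from the original post or from any product it mentions; the function names, the sample message and the policy of quarantining every legacy OLE document are assumptions made for illustration.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")

def attachment_has_macros(filename, data):
    """Return a reason string if the attachment can carry VBA macros, else None."""
    name = (filename or "").lower()
    if name.endswith(MACRO_EXTENSIONS):
        return "macro-enabled extension"
    if data.startswith(OLE_MAGIC):
        return "legacy OLE document (may embed macros)"
    if data.startswith(b"PK"):  # OOXML files are ZIP archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                    return "OOXML archive contains vbaProject.bin"
        except zipfile.BadZipFile:
            return "unreadable ZIP container"
    return None

def triage(raw_message):
    """Return ('quarantine', reasons) or ('deliver', []) for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    reasons = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reason = attachment_has_macros(part.get_filename(), data)
        if reason:
            reasons.append(f"{part.get_filename()}: {reason}")
    return ("quarantine" if reasons else "deliver", reasons)

def build_sample(filename, with_macro):
    """Constructed sample: an 'assignment' attachment, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    msg = EmailMessage()
    msg["Subject"] = "Assignment resubmission"
    msg.set_content("Previous attempts to send this assignment failed.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Inspecting the archive contents rather than trusting the file extension catches a macro-bearing document that has been renamed to `.docx`.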
User education is a third option. Since teachers communicate often with students online, educating them on the dangers of malware and phishing empowers them to identify these messages. Educators are recent targets, and their own devices are at risk as long as they continue teaching from their homes. By providing the education and cybersecurity training necessary to identify phishing, schools make educators less likely to be the next victims. Educators should also know that opening attachments should be done with caution, and macros should never be enabled.
Technology & Education
Most schools have adopted digital technology to communicate and collaborate with students, and devices such as Chromebooks and iPads are commonplace. Productivity and collaboration among faculty, students, and parents have increased as a result.
This digital transformation of the education sector presents challenges in securing communications and protecting students from falling victim to online attacks. Universities and schools need to be able to quickly and easily protect their students and staff from online threats.
WebTitan on-the-go (OTG) for Chromebooks is now available to protect all of your Chromebook users against threats on the internet. Designed for the education sector, it is a fast, affordable security filtering solution for Chromebooks that supports CIPA compliance. Organizations using the WebTitan Chromebook client can now easily apply policies for all of their Chromebook users by group. Learn more about WebTitan OTG for Chromebooks.