Two Essential Defenses that Baltimore County School District (and All Districts) Should Adopt to Keep the Next Ransomware Attack…

Families throughout the US and the world are grappling with the challenges of remote learning, but students, parents and school officials in Baltimore County were faced with a serious new issue, just before the Thanksgiving break: School networks supporting online learning were hit with a ransomware attack that took them offline, and left students without a distance learning platform for the foreseeable future.  According to an article in the Baltimore Sun, the District Superintendent did not yet have a timeline for when the district would be back online, and school would not resume until the problem was resolved.

Ryuk ransomware is the most likely suspect in the attack. A recent FBI alert focused on Ryuk attacks targeting healthcare organizations, but given the news from Baltimore, it’s clear that all verticals should be on guard. Identifying Ryuk’s infection vector is difficult since the ransomware typically deletes all evidence of its access methods. However, previous Ryuk incidents indicate that delivery methods can vary and include being introduced by web and phishing-based malware such as Emotet or Trickbot, or directly through vulnerabilities in an organization’s network. Unfortunately, Ryuk is highly effective at bypassing anti-virus products, maintaining persistence on targeted machines, and exhibiting stealthy behavior, such as running as a “legitimate process” by injecting itself into Windows processes.

Of course, IT teams in Baltimore County are currently fully focused on getting school district networks up and running so students can resume learning. Once that’s been accomplished – or even before, given the risks and costs involved – Baltimore County School District and school districts nationwide, should explore and adopt two essential defenses.

Remote Browser Isolation Improves Defenses at Ransomware Entry Points – via the Web and Email

The data is clear: Ransomware primarily penetrates networks via an endpoint that’s compromised through an interaction with the outside world – typically an infected website, a download from the web, or an email link or attachment. Despite security training and knowing better, at some point a staff member or student will click on some link that they shouldn’t. And that one click will unlock malware that’s sufficient to bring the school’s network – or the entire district’s — to its knees. Given the stakes, and how very sophisticated today’s malware is, it’s foolhardy to rely only on signature-based scanning techniques. While they’re designed to spot ransomware in web, email, and document content, these techniques can’t keep up with malware that evolves faster than their signature databases can be updated.

That’s why moving to an isolation-based approach is essential for school systems and public sector organizations that need to secure endpoints and networks. Remote Browser Isolation (RBI) effectively “air-gaps” devices from web-based threats like ransomware. RBI executes web content in remote, isolated cloud-based containers, away from endpoints. If a user browses to a malicious site or clicks a link in a phishing email, no damage is done since web content never executes directly on their device. Yet users experience safe, fully interactive, seamless internet use via rendering information that is streamed from the cloud-based container to the user device browser.

For additional phishing protection, websites launched from links in emails can be rendered in read-only mode to prevent users from entering credentials on phishing sites. Attached files can be sanitized before being transmitted to endpoints, ensuring that malware within downloads cannot compromise user devices.

Remote Browsing Isolation is designed to stop 100% of web-based malware targeting endpoints and networks – even Ryuk ransomware.

Limit Ransomware Spread by Cloaking Network Apps and Data

Consider a scenario that has played out countless times in recent months: A staff member or teacher who has been working remotely comes to a school building to take care of something on site. They bring their personal device, or perhaps a school-issued laptop that’s been connected to their home network and which they occasionally use for personal browsing as well as for work.  Some stealthy malware – maybe ransomware – has made it onto the device, where it is lurking, undetected. Now, when the employee connects to the local school network, the ransomware enters the network and begins to move laterally in search of bigger fish – the school’s apps, databases, servers and other resources. 

What if, when the user connected to the network, the ransomware could not “see” anything there?  It could not encrypt data or disrupt systems, since it could not even “know” that the apps, databases, and other resources were there. This capability, application isolation, mitigates damage that ransomware can cause by making apps and data invisible to any unauthenticated program or device that tries to discover and access network-connected resources.

By microsegmenting access to resources through this technique, the impacts of ransomware can be dramatically reduced, regardless of how it is introduced — within the office from a compromised device, or remotely through a crack in the network’s armor, such as a VPN vulnerability.

Keeping Education on Track

The COVID-19 pandemic has generated a huge set of challenges for school districts, which must chart a course that balances the educational and health concerns of the populations they serve. District IT and security teams are working hard, day in and day out, to enable our children to stay on track with their education despite the challenges posed by pandemic restrictions. We hope that adopting our recommendations will ease the burden on these essential workers and help keep school district networks and resources – as well as the students! – healthy and infection-free.

While (fingers-crossed!) 2021 will bring a return to in-person learning, some remote and distance learning is likely to continue, accompanied by heightened levels of associated cyber-risk. Defensive techniques like browser and application isolation will allow educational organizations to meet the security challenges they face today and into the future, and free them to focus on their critical mission of educating our children.