Last week, on the Tuesday before Thanksgiving, state auditors released a report detailing “significant risks” within the Baltimore Country School District’s computer network. The next day, the school district was hit with a ransomware attack that shut the school down until Wednesday of this week. Because of the increase in COVID-19 cases, the district had just shifted online. However, the ransomware attack put a stop to remote learning and gave over 115,000 students an extra week off school.
The state auditor’s report, released just the day before the attack, details the findings of an investigation into the security of the district’s computer systems that was conducted between May 2019 and February 2020. One of the major findings of the report showed that 26 publicly-accessible severs were located within the districts internal network, rather than segregated in external networks. This increases the risk of a user accessing the district’s internal systems via the public servers. In addition, the report that the district did not have adequate protections in place to secure personally identifiable information, there was no detection system in place to catch unwanted traffic, and students even had “unnecessary network-level access to administrative servers.”
The district has said it is too early to tell whether the attack was related to the vulnerabilities found in the auditor’s report. However, it is certainly possible the lack of network segmentation could have possibly made it easier for the ransomware to spread across systems and devices. The district has also not said whether any personally identifiable information was compromised in the attack.
Despite the district’s tight lips surrounding the specifics of the attack, they did ask all students and staff to perform a “confidence check” on school-issues devices, which potentially sheds light on some of the details. Specially, the district is asking students and staff to look for .ryk file extensions on their devices. This file extension likely points to an increasing common form of ransomware called Ryuk. Ryuk is a form of ransomware that encrypts data within the network. This may be a relief to school officials, given the recent trend in ransomware where attackers actually steal and leak sensitive data rather than just encrypt it within the network.. However, Ryuk is also infamous for its ability to quickly spread across devices connected to the network, including back-ups. This makes the state auditor’s findings potentially highly relevant to the scope and impact this attack has caused so far.
The Baltimore School District’s ransomware attack is unfortunately not entirely surprising. In the past few years, attackers have started targeting public agencies and schools. Because public entities often don’t have the budget or personnel for sophisticated cybersecurity defense and their services are essential for many people, attackers see these as juicy targets for ransomware attacks.
This doesn’t mean, however, that public agencies need to be sitting ducks. If the district had intrusion detection system in place, for instance, it’s possible they could’ve caught attack before it even started. The fact that students also had access to certain administrative servers is also a big problem, and could be easily fixed with simple access control measures put in place. Lastly, while you can’t always prevent these attacks from happening, segregating networks and devices can go a long way towards limiting the impact of ransomware. This will not only help prevent the spread of the attack throughout the network, but, if back-ups are routinely tested and stored offline, could allow organization’s to easily restore their systems to a pre-attack state without paying a ransom. The attack against the Baltimore School district is a stark example of the importance of creating not just a cyber-secure, but also a cyber-resilient online environment.