The Ransomware Files, Episode 7: Ryuk's Rampage
A School District Infected With Ryuk Kept Classes Running and Recovered
If there are two industry verticals in which launching a ransomware attack isn't even close to a fair fight, they're schools and hospitals.
Schools deliver education. Hospitals deliver medical care. Both are essential services that - especially after the last two years of the COVID-19 pandemic - do not need any more interruption.
A type of ransomware called Ryuk, which was created by a Russian cybercriminal group, was responsible for much of the disruption in those verticals over a period stretching more than two years.
One of its victims was Rockford Public Schools in Rockford, Illinois, just days after the school year started in September 2019. Ryuk encrypted upwards of 6 million files, wrecked applications and locked up servers. But the district kept the doors open while mounting a mighty recovery effort.
Jason Barthel is chief information officer for the school district. He'd just finished watching the Chicago Bears football team lose their first game of the season when he began to get text alerts that the district's servers were going offline.
Upwards of 300 servers were encrypted. Several weeks of its backups were also encrypted. Some 5,000 Windows machines were infected, all of which needed to be re-imaged. The phones and email did not work.
"We took a step back in time is the way I say it," Barthel says. "We went back to pen and paper."
While Ryuk managed to delete some backups, others were intact. A vendor helped restore the application used for its financial system, and the data for that system was backed up. One copy of its Active Directory also escaped encryption, which served as a foundation for recovering that system.
The district was also very upfront about its attack, even doing a podcast episode about it just two months later. The district refused to pay the ransom.
"We were like, 'Screw them,'" says Earl Dotson Jr., Rockford Public Schools' chief communications officer. "We're not giving them nothing. Like, you know, we were defiant. We were like, 'How dare you do this to children?'"
Barthel says three years on from the attack, the district is now in a far better position than when he arrived in 2018. It strengthened security controls in its Office 365 environment. Multifactor authentication was implemented. An effective cybersecurity awareness and anti-phishing program has dropped click-through rates on phishing emails from a very high 43% to well below 10%.
"I think you always come out better from these things than what you went into," Barthel says. "We found a silver lining in this particular event. You'll be OK. It's not always fun. But I think we are battle-hardened now."
"The Ransomware Files" is a podcast miniseries available on Spotify, Apple Podcasts, Google, Audible, Stitcher and more. I'm speaking with those who have navigated their way through a ransomware incident to learn how they fought back and what tips they can pass on to others. No ransomware infection is ever welcomed. But there's invaluable knowledge gained. There should be no shame in getting infected, and it's important to share the lessons.
If you enjoyed this episode of "The Ransomware Files," please follow it on a podcast platform and leave a review. Also, the show has a Twitter handle, @ransomwarefiles, that tweets news and happenings about ransomware.
If you would like to participate in this project and tell the information security community about your organization's brush with ransomware, please get in touch with me at firstname.lastname@example.org or direct message me here on Twitter. I'm looking for other people, organizations and companies that can share their unique experiences for the benefit of all until ransomware, hopefully, is no longer a threat.
Speakers: Jason E. Barthel, Chief Information Officer, Rockford Public Schools; Earl Dotson Jr., Chief Communications Officer, Rockford Public Schools; Cathy Bayer, Senior Communications Manager, Rockford Public Schools; Doug Levin, National Director, K12 Security Information Exchange; Errol Weiss, Chief Security Officer, Health Information Sharing and Analysis Center; Jeremy Kirk, Executive Editor, Information Security Media Group.
Production Coordinator: Rashmi Ramesh.
The Ransomware Files theme song by Chris Gilbert/© Ordinary Weirdos Music.
Music by Podcastmusic.com.
- Allan Liska, Ransomware: Understand. Prevent. Recover, Oct. 28, 2021;
- CISA, Alert: Conti Ransomware, Sept. 21, 2021;
- CISA, Alert: Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data, Dec. 10, 2020;
- Data Breach Today, Improving Cybersecurity Defenses for Schools, Feb. 11, 2022;
- Infosec, ZLoader: What it is, how it works and how to prevent it | Malware spotlight, Aug. 19, 2020;
- K12 SIX, State of K-12 Cybersecurity: Year in Review, March 10, 2021;
- Krebs on Security, Conti’s Ransomware Toll on the Healthcare Industry, April 18, 2022;
- Microsoft, Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware, April 13, 2022;
- NBC News, Hackers are leaking children’s data - and there’s little parents can do, Sept. 10, 2021;
- Rockford Public Schools, 205 VIBE, Sept. 2018-May 3, 2022;
- Rockford Register Star, School internet, email, phones disabled by ransomware, Sept. 9, 2019;
- The Journal, K–12 Cybersecurity Act Signed into Law, Oct. 8, 2021;
- Trend Micro, A Brief History of Notable Online Banking Trojans, Aug. 31, 2015;
- York Daily Record, 'Cyber snow days:' Why few school districts statewide opted in for the program, Jan. 6, 2020;
(Sound of children playing)
Jeremy Kirk: There is a special map of the United States, and all over it are purple, blue, green, red and yellow pins. It looks like America has this peculiar case of hives. The map is called the K-12 Cyber Incident Map and it tracks things like hacking and data breaches affecting schools. It is maintained by the K12 Security Information Exchange, or K12 SIX. It's an organization launched in 2020 that helps improve schools' cybersecurity.
The number of pins on the map is continually increasing. A purple pin is a breach involving personal data. A blue pin marks a successful phishing attack. Green pins are denial-of-service attacks. Red pins are a kind of catch-all for other cyber incidents. And lastly, the yellow pins. Those are ransomware attacks. K12 SIX adds to the map based on public reports of incidents. But what's on the map is just what's surfaced publicly, and it is by far an underestimate. It's maintained by Doug Levin, who is K12 SIX's co-founder and national director.
Doug Levin: I'm mostly tracking English speaking media, but I've certainly seen incidents happening pretty regularly in the U.K. and Canada. I occasionally pick up stories in Australia and India. But there's no reason for me to believe this isn't happening across Europe and South America, in Africa as well.
Kirk: If there are two industry verticals where launching a ransomware attack isn't even close to a fair fight, it's those against schools and hospitals. Schools deliver education. Hospitals deliver medical care. Both are essential services that - especially after the last two years of the Covid-19 pandemic - do not need any more interruption. And it's not just that ransomware gangs encrypt a school's data. At times, they've also stolen personal data of students and as a school district is feeling the pinch, they've released that personal data. According to security firm Emsisoft, ransomware gangs have published data from more than 1,200 K through 12 U.S. schools.
One of those yellow pins on the map represents Rockford Public School District 205 in Rockford, Illinois. It's a city of 150,000 people northwest of Chicago. It was once known as the fastener capital of the world due to its prodigious production of screws and bolts. The school district encompasses more than 40 schools and 27,000 students. In September 2019, it was infected with ransomware. Jason Barthel is chief information officer for the school district.
Jason Barthel: The very first discussion we had was whether we could have school the next day. We didn't know whether or not that was going to be feasible, especially because many of our systems, including our transportation system and our bus routing systems, were impacted.
Kirk: What happened to the Rockford School District is emblematic of what school districts face fighting off ransomware gangs. And there's even a new concept: the Cyber Snow Day, where a cyber incident means school is cancelled. Snow days are generally rare events reserved for bad winter weather. Even for companies with large security teams, it is difficult to seal off every vector of attack. For school districts, the challenges and obstacles are numerous. The ratio of IT staff to number of devices and systems is huge compared to other industries, and IT staff count security as one of their jobs, not their only job.
This is The Ransomware Files. I'm Jeremy Kirk.
In this podcast mini-series, I'm speaking with those who have navigated their way through a ransomware incident to learn how they fought back and what tips they can pass on to others. No ransomware infection is ever welcomed. But there's invaluable knowledge gained. There should be no shame in getting infected. But it's important to share the lessons.
Jason Barthel is a native Illinoian. He grew up not far from where he now works, just west of Rockford in a rural area near Baileyville, Illinois. His mother raised him as well as four of his brothers in a house on the grounds of a produce farm called Ivan's Farm. The farm grew just about everything - corn, potatoes, melons, strawberries, tomatoes and more. They'd load up the produce and take it to a stand where people would stop by and pick up whatever was in season.
Barthel: I was kind of a lower income kid growing up. I was working 40 hours a week before many kids my age were out of elementary school.
Kirk: He enlisted in the U.S. Army. When you serve in the Army, you get what is called an MOS, or military occupational specialty, which is a long way of saying a job. His MOS was 25 Uniform, which in U.S. Army speak is signal support system specialist. He served in Iraq, but his trajectory shifted after what happened on May 19, 2006. On that day, Jason humbly describes it as "getting a bit banged up as was driving a Humvee." It was a traumatic brain injury or TBI.
Barthel: We were a three-Humvee convoy driving through an Iraqi police checkpoint. I was the third of three vehicles that had 155 artillery shells daisy chained. That blew up the door of the vehicle I was driving, rendering me unconscious. I don't remember anything, but I do have all the pictures. So I had a little bit of TBI, but my fingers and toes were all intact - the lord was good to me - and I'm still highly functional. But that incident changed my outlook on what I wanted to do. At the time, my wife was eight months pregnant with our second child. So it was pretty stressful for her once I was coherent enough.
Kirk: Amazingly, even after that, he went back to Iraq and finished his tour. As they say in the U.S. Army - Hooah. So 'hooah' requires some explanation. One U.S. general describes the meaning of the word 'hooah' as representing sheer determination and perseverance. People in the U.S. Army say it all the time. It can be an affirmation, a battle cry or an expression of esprit de corps. Jason's return to Iraq after his injury certainly exemplifies hooah. But it was clearly time for him to leave the Army. He was eligible for tens of thousands of dollars in education funds. He got his associate's degree, then his bachelor's degree and then two master's degrees. As he was working on his education, he was also working his way through various IT positions in Winnebago County in Illinois. He was eventually hired by Rockford Public Schools in 2018. When he arrived there, he immediately noticed something amiss with its IT security.
Barthel: I remember pulling up in the parking lot the first day, and I'm always picking around to see what I can find, what I can get into, and I was able to use my personal computer to connect to the guest wireless. And I got quick access to the cameras via the school's RTSP or pre streams through the guest wireless switch. And right away said "they've got a little work to do."
Kirk: And intruders were not far behind. In July 2019, the district experienced a minor ransomware attack. Jason says there was just minimal damage from that one. But he believes the same threat actors became involved in a much bigger attack against the district two months later. That ransomware attack started around 10 PM, on Sept. 5, 2019.
Now, this is the point in the podcast where I usually say, "Walk me through the day of the attack." But somebody else is going to do that for me, and he actually did this about two-and-a-half years ago. Earl Dotson Jr. is the chief communications officer for Rockford Public Schools. He also runs the district's monthly podcast, which is called 205 Vibe. Earl did an almost hour-long podcast episode interviewing Jason just a couple of months after the attack, which is really extraordinary. Most organizations do not want to talk about their ransomware attacks at all. What Rockford and Earl did with the podcast was extraordinarily transparent and frank. Here's an excerpt:
Earl Dotson Jr.: Welcome to the 205 Vibe podcast. I'm your host, Earl Dotson, Jr. Thursday, Sept. 5, 2019. The Rockford Public Schools was hit with a ransomware attack. And it's been a challenge for lots of people involved. And the person who's been behind the scenes, and leading the charge on our efforts to get all of our systems back up and running has been none other than Mr. Jason Barthel, who leads our information technology department. And he is here with us. Jason, how you doing?
Barthel: Very good. Thanks for having me. I'm excited to tell our story a little bit and some of the work we've been putting in.
Kirk: As you can hear, Earl has a golden baritone voice that was made for radio or podcasting. And here is Earl, asking Jason about the day the ransomware struck.
Dotson Jr.: Jason, that day in early September, where are you on this day of infamy, when you first caught wind of something going wrong?
Barthel: Oh boy. I remember it very well. It was actually the night of the first Bears game. And the Bears were not playing so well. That was the first game of the season that they lost. The game had just started wrapping up, so I was already a little aggravated because of that. So I start to get a few text messages on my phone, because we've got a monitoring system on for our district to know certain things. So we were seeing some servers in the district showing that they were rebooting or shutting down. And sometimes that happens at night, if there's maintenance going on for applying updates. But then I saw it pick up pace - I was seeing 40-50-60 servers just go offline. So we typically monitor for 5-10 minutes, because sometimes we'll get an all-clear report if they decide to reboot. We weren't seeing that. I also remember at that point, I was going to click around upstairs when I noticed that the little King Charles dog I got for my kids last year had wet my bed. So that also added to my aggravation. It was still going through that potty training phase.
Anyway, I decided to remote in from my laptop at home - which was a district-issued laptop - and log in to see what was going on. I tried to restart some of those servers, but they were not restarting. And then I eventually got kicked off, my VPN was kicked off, and I couldn't even remote log in.
So I had to drive into the office. That was around 10-10:30 at night. I got into the office and was able to see that we had many of the servers with an extension. What I mean by extension is like if I have a PDF file for Adobe Acrobat Reader, its file name dot pdf is the extension. Well, a specific extension at the end would indicate an encrypted file. So the servers were restarting because they had been encrypted. Once we figured that out, we immediately went in and literally disconnected ourselves from the internet to stop the proliferation of the encryption. And then we started to assess the situation. I remember very vividly getting in here about 11:30 or so at night, and I was here for about 38 hours straight with the team, going through and understanding what happened, analyzing where we were, what we had and how we could recover.
Kirk: The district used Microsoft's Hyper-V as its virtualization platform, and most hosts appeared to be encrypted. The extension on the encrypted files indicated it was the Ryuk ransomware. Ryuk appeared in 2018 and is the product of a suspected Russian cybercriminal group called Wizard Spider. The group's Ryuk ransomware had a massive run for about two years, but has now faded. But the group behind it is still around, and experts believe it is responsible for another prolific ransomware known as Conti.
The effects of the ransomware on the district were devastating. Upwards of 300 servers were encrypted. Several weeks of its backups were also encrypted. Some 5,000 Windows machines were infected, all of which needed to be re-imaged. The district had no phones. It had no email. Its bus routing system was affected. More than 10 terabytes of data - which comprised some four to six million files - were encrypted. And Jason says all of this happened right after the school year just started a few days prior.
Barthel: We took a step back in time. The way I describe it to a lot of people is that we went back to pen and paper and using just the whiteboards. The silver lining of it was that you were taking that step back in time, and building relationships and communication away from the digital world and screens. Not that I ever want to be there again, but we worked in a manual fashion for a few weeks.
Kirk: There were also decisions and challenges in how to communicate the district's paralysis to parents, the public and the news media. Cathy Bayer works with Earl and is senior communications manager with Rockford Public Schools. Here she explains how they decided to transition from calling what happened just a tech outage to a ransomware attack.
Cathy Bayer: "I don't, I don't have a great, beautiful radio voice like Earl does (yes you do). No, I remember. Yeah, school had started and then everything just went out. It was bells, internet, email, literally everything, phones. And I remember just calling it a tech outage. And it was the end of the week. And I remember over the weekend having the conversation like some people online were asking if it was ransomware because we just kept saying tech outage, bear with us, we'll provide more information when we can. And then I remember having the conversation with Earl about, like, once we know it's ransomware and people were already suggesting that we got to just call it what it is, right? And we were kind of rewatching Game of Thrones at the time. And I was like, remember, did you watch Game of Thrones? Like, remember the scene with Lord Varys? And Tyrion talking about how many people know this great big secret, right? Well, eight people, okay. And Varys says, well, once eight people know it's no longer a secret. It's information. So at that point, we were thinking, well, people in IT knows, all of cabinet knows, we're talking about communication plans, like, sooner or later, hundreds and then thousands of people are going to know we need to just call it what it is. Working in communications, I say a lot, people can handle anything, they can handle any sort of information. If you tell them right, be upfront, be open, be honest, you have to tell them what it is. So we called it ransomware."
Kirk: Cathy says Facebook and Twitter updates kept families updated on the district's recovery. For the first month, the district would send out messages in the morning and evening updating everyone on the progress. She says that people were understanding once it was communicated that it was a ransomware attack. Also, Earl's podcast, videos and other types of outreach helped the district keep control of its own story.
Bayer: "Yeah, I think that's part of our what we're trying to do as a communications team is tell our own story, right? Instead of depending on local media - here's a press release. And we hope that you'll tell the story exactly the way that we want you to tell it, you know, and hope that there's no other breaking news to interrupt your newscast or anything like that, or your plans for the day just will tell our story. It's just it's a way to kind of reclaim our story and tell it ourselves because who knows better what's going on in our district than our own staff, our families, our students?"
Kirk: Earl says in times of crisis such as a ransomware attack, it's important for schools to keep in mind ways to communicate if the regular systems don't work anymore.
Dotson Jr.: "But as we kind of thought about communications, I just think it's important to have a multitude of various ways and various communication tools to communicate. The team has heard me talk about maintaining the integrity of our communication tools because you never know when you might need those channels for whatever and we're very fortunate here particularly for our communications department. We have not only just a good team of people but we have a variety of tools that we can use in the event that we have to kind of pivot to communicate using a different platform."
Kirk: Earl says that one bit of information that the district didn't release was the amount of the ransom. He says there was a palpable anger about the attack and the fact that cybercriminals had disrupted an entire school district. That factored into the decision on whether to pay.
Dotson Jr.: "Hopefully, this is okay for the podcast, but we were like, 'Screw them. We're not giving them nothing.' Like, you know, we were defiant. We were like, 'How dare you do this to children? You know, people who are in our, in our educational system who are trying to learn?' So yeah, we just at one point, it was a shock to the system. And you don't know what to do and then you just go through those phases. I think then we just got angry, like, 'Nah, we ain't doing it [paying].'"
Kirk: One of the first phone calls Jason made was to the FBI. The FBI has been encouraging ransomware victims to notify it, but many don't want to do that. Some fear that calling the FBI adds a layer of complication to an already stressful situation. But the FBI says it is crucial to have victims reach out for successful investigations.
Jason knew the FBI wouldn't help with recovery, but he thought it might help if there was a chance to get compensation down the line. And one of the next early phone calls was to the district's insurer. The district carried cyber insurance. The insurer's attorney assigned an incident response company called Crypsis, which is now part of Palo Alto Networks.
Barthel: We ended up getting assigned a company called Crypsis, which was fantastic in walking us through it. Obviously, the flipside of that was that we couldn't conduct our recovery as quickly as we would have liked, because there were certain steps they wanted us to take, like finding where the threat originated in our network. So that took a lot of time. They flew out two individuals to help pull drives, image drives - it was very strategic and it took a lot of time.
Kirk: The source of the infection was traced to a phishing email that was sent to a district employee. Windows Defender missed the malicious actions that occurred after that. But the forensic investigators discovered that the district had lots of signs of intrusions even prior to that person clicking on the phishing email. They also found that perhaps even more than one threat actor had been inside the district's systems. It's not uncommon for multiple groups of hackers to find the same vulnerable systems. The incident response firm found a toolkit known as Empire, which is often used by attackers. Empire is what's called a post-exploitation toolkit, or a set of tools that are useful for attackers after they have compromised a system. Empire can be used to move around on systems and deploy other useful tools such as Mimikatz, which gathers user credentials. Jason says the forensic investigators also found the Trickbot malware. Trickbot is a pervasive type of banking malware that is also frequently a precursor infection to a ransomware deployment.
One make-or-break aspect of a ransomware attack is the status of an organization's Active Directory. It's the almighty Windows software that's used to authenticate users on the network and set policies that govern user access to resources. The forensics team found evidence that the attackers had definitely been snooping around in Active Directory. Jason says there were many erroneous accounts that had been set up and other signs of tampering. The district ran several Active Directory servers, and for some reason, one of them didn't sync with the others as the ransomware attack was occurring. That turned out to be fortunate, since it was the one that provided the foundation for recovering that system.
Barthel: It took us a few days to do that. We were able to pull our domain back up with a pretty high degree of integrity.
Kirk: Despite the vast damage Ryuk had wrought across the district, Jason says paying a ransom wasn't on the cards. One of the pivotal factors in the determination was whether the district could continue to make payroll.
Barthel: So the very first question that came out was from our CFO was whether we could pay people. And that was really the determining factor. I had experienced a ransomware incident a number of years ago, when a small municipal police department actually paid the ransom. They had no backups - they had nothing. I was part of a service provider for them at that point. But by principle, I did not want to pay the ransom, because I knew what that meant. We don't know what we're paying, are we breaking any rules, are we paying nation-states? But if the ransom costs less than recovery, insurance companies will tend to drive you in that direction. That's making the problem worse, because we're funding this nefarious organization that is going to take those funds to get better and conduct more ransomware attacks.
In our case though, I told them, "Yes, we can get payroll up and running." We were very fortunate at this point, because we had just finished payroll that previous Friday, so we had a couple of weeks to work with before we had to get things up and running for payroll. And once we determined that, we also determined that we weren't going to pay ransom.
Kirk: The district's backups had been affected, and some had been either encrypted or were deleted. The attackers deleted about two weeks' worth of a type of Windows backup called shadow copies. Early versions of Ryuk ransomware would use an interesting technique to meddle with shadow copies. By resizing the storage for shadow copies, the backups would sometimes just disappear. Ryuk was also known to use the vssadmin.exe command, which is used to manage shadow copies, to simply delete them. But the district's older shadow copies were OK. That was fortunate because many of the district's staff were in a panic about the so-called "H" drives. The H drives were local file shares - sort of like the My Documents folder in Windows - where staff just stored their files. Years of files. Like, maybe up to 15 years for some staff.
Barthel: Early on in the process, we did not know if those files would be recoverable. And that's years and years and years of data. But we then found a snapshot of those file structures in the directories. So that perked everyone in the IT team up, as we navigated through the disaster, the nightmare. That was a real big win early for us.
Kirk: The district also used the Veeam backup software and HP's Nimble Storage, which as it sounds like, is a storage product. Nimble retained snapshots, which Jason says came in handy for its enterprise resource planning, or ERP, data.
Barthel: Our saving grace was that while we had backups that were encrypted, we found some snapshots of servers on Nimble that weren't touched. And we had been doing snapshots of our financial platform, our ERP, a couple times a day; so we had the database, but we didn't have the application.
Kirk: The district used an ERP application called BusinessPlus for its finances. It's developed by a company called PowerSchool. Jason says PowerSchool lent a helpful hand by taking the database and hosting it on the cloud. It took four days just to upload the database due to its size, but the financial system was up and running in about six-and-a-half days.
Managing the recovery took some careful decisions and planning. At the time, Jason just had a staff of 42 people. But only four people worked on servers and network administration, and another three or four worked on information systems and services, which covered things like databases. It was a small staff. But they took it step by step. They didn't really have an incident response plan at the time and hadn't practiced what it might take to recover. But they formed an incident command, comprising cabinet-level teams, department heads and the district superintendent. They met every two hours for the first several days after the attack to make key decisions on what the most important systems to prioritize for recovery were. After payroll, second on the list was the student information system. After that, wifi, which would allow the Chromebooks that were not infected to get back online. But even two months on from the initial attack - when Jason spoke to Earl for his podcast - the district was still in the thick of recovery, and those sought-after H drives hadn't been restored yet.
It was tough, long work. But as they say in the Army: hooah.
Barthel: I will say that morale was low. It was definitely a rough time - a rock bottom feeling for the district. But constant encouragement and leadership helped, as did making sure that they were fed and got downtime. It was certainly a turning point for us.
Kirk: The disruption to schools from a cybersecurity incident such as ransomware can be multi-fold. And Doug Levin of K12 SIX says early 2021 appeared to be a high water mark for just how disruptive these incidents were becoming to schools. The term Cyber Snow Day emerged in the last couple of years, and it was originally intended to mean that instead of getting the day off from school due to bad weather, school would continue at home through online school work. But the term is also being applied to disruptions caused by cyber incidents.
Levin: What started happening at the beginning of last school year was that, in having to respond to school cybersecurity incidents, schools had to cease operations. And even if they were in person, they sent students home. They couldn't route their buses, they couldn't operate the point of sales machine in the cafeteria. Their phone systems are IP based, so they went down. A lot of the physical security systems in school districts are also IP based, so door locks, video camera systems weren't working. And so they couldn't guarantee the safety of students. So much of the teaching and learning that happens is taking advantage of devices and the internet - they couldn't use those. So we have seen now in response to school cybersecurity incidents, schools having to close for days or weeks. And in the case where a school district is trying to recover on its own from this incident, it can be months before it's fully operational again.
Kirk: Doug says that the ransoms requested and those paid are also rising.
Levin: We've certainly seen a spike in ransomware incidents that have been affecting schools. And they have been evolving as well. Now they routinely involve the exfiltration of data, where they did not earlier. Way back in 2015 or 2016, maybe a ransom demand might have been in the order of $5,000 or $10,000 to be paid in cryptocurrency. Today, it wouldn't be unusual for that figure to be well over a million dollars. Rather publicly, school districts have been reported to have paid ransoms in hundreds of thousands of dollars. I'm aware of instances where school districts or their insurance providers may have paid $1 million, $2 million or more to these threat actors. Of course, that is the opposite of a virtuous circle. Every time a school district does that, they're just encouraging other threat actors, other ransomware groups to continue to target school districts. And there's still a handful of ransomware gangs that routinely target school districts all across the country.
Kirk: The U.S. has recognized the problem and is taking action. In October 2021, President Joe Biden signed into law the K-12 Cybersecurity Act, which marked the first efforts by the federal government to address the growing problem. The law requires the Cybersecurity and Infrastructure Security Agency - known as CISA - to conduct a study of the cybersecurity risks facing schools. CISA will then create cybersecurity guidelines to counter those risks and also develop an online training toolkit for school officials. Schools aren't going to be anywhere near the defensive level of, say, an investment bank, but any improvement is a step forward.
So as I said before, the Ryuk ransomware isn't around anymore. But Ryuk recently popped up in the news in a curious legal action. In April 2022, Microsoft’s Digital Crimes Unit announced that it had gone to federal court to get an order that allowed it to take control of domains associated with a botnet called Zloader. A botnet is a network of computers that are infected with a specific type of malware and can be controlled remotely. Cybercriminals who run botnets use the networks for all sorts of nefarious purposes, from stealing data to using them as proxies for other cyberattacks. The court allowed Microsoft to take control of 65 domains that Zloader's operators used to control the botnet.
The court also gave Microsoft control over more than 300 other domains that its operators could potentially use to regain control over their botnet. Microsoft also named an alleged operator of Zloader, a guy named Denis Malikov, who lives in Crimea, part of Ukraine that Russia unlawfully annexed in 2014.
So, a little background on Zloader. Zloader is malware that was often spammed out to potential victims. Once it had infected a computer, it served as a foothold for malicious hackers to upload other harmful code onto the computer, including ransomware. It was also really capable malware in its own right and could steal authentication credentials, cookies from browsers and interfere with online banking sessions. Zloader's lineage traces back to infamous banking malware known as Zeus or Zbot, which emerged around 2006. The code for Zeus leaked in 2011, and it became the basis for malware that still circulates today.
To strengthen its request to the court, Microsoft needed to show the harm that Zloader was causing. In the court documents, there's a declaration from Errol Weiss, who is now chief security officer for the Health Information Sharing and Analysis Center, or Health-ISAC. Health-ISAC helps health care organizations shore up their cybersecurity. Before that role, Errol was a security executive at the financial institution Citigroup, and before that, a penetration tester with the National Security Agency. He's given affidavits before for civil cases filed that were aimed at stopping the Zeus, Citadel and Shylock botnets. With Zloader, Errol's declaration focused on the effects of Ryuk on the health care industry.
Errol Weiss: The attacks can be devastating. Back in 2020 through 2021, there were rising cases of COVID-19, hospitals were over capacity trying to treat seriously ill patients. Now, they're dealing with ransomware attacks, and the consequences become even more dire. Modern hospitals rely on IT systems to run all aspects of businesses. So if you interrupt IT services, you're inevitably going to have a negative impact on patient care.
Kirk: Errol's declaration to the court cited impacts that Ryuk had on patient care. In one example, a Ryuk infection forced ambulances to divert and caused a 90-minute delay in emergency care. Another infection disrupted the delivery of chemotherapy for cancer patients. Ryuk infections forced other hospitals to cancel elective procedures, delayed lab results and caused delays in scheduled maternity and oncology appointments. The gang or affiliates of the gang also leaked sensitive patient data, including clinical data and diagnoses for hundreds of thousands of people. Errol says that making schools and health care institutions more resilient against ransomware isn't trivial.
Weiss: Ultimately, properly securing enterprise networks is incredibly complicated. It's challenging. And of course, it changes every single second. When I was in the banking and finance sector, large international banks had thousands of people in their information security programs, protecting the bank - a small army to provide effective protection. So it's extremely difficult to adequately protect any kind of enterprise network without proper investment. So the question I would ask is: "are you spending about 10% of your relative IT budget on security?" And if you're not, it's probably not enough.
Kirk: Jason says that the Rockford Public School district is now in a far better position than it was when he arrived in 2018. It strengthened security controls in its Office 365 environment. An effective cybersecurity awareness and anti-phishing program has dropped click-through rates on phishing emails from a very high 43% to well below 10%.
Barthel: I faced a little bit of flak when we started doing phishing campaigns. People weren't happy because it added time to their day, and made them think "should I click on this email that I got or not?"
So we're really strengthening our end user knowledge and awareness, and knowing what to look for when they get a weird email.
Kirk: The district is also following the National Institute of Standards and Technology's Cybersecurity Framework, which is a guide for organizations to help reduce their overall risk. Jason says multifactor authentication is in place, although it was a hard sell. Its endpoints have been upgraded to endpoint detection and response software, which will hopefully detect intrusions quickly and take action. The district has also set up a full disaster recovery site that's running a clone of its on-site network, including the storage area network, application and databases.
Barthel: I think you always come out better from these things compared to how you went in. You don't know what you don't know. We found a silver lining in this particular event: we were able to really expedite our security process; and we had a great board and administration that helped push us along. We'll be OK. It's not always fun, but I think we are battle hardened now.
Kirk: Earl Dotson Jr., who has the golden voice of podcasting, has kindly obliged my request to do the outro for this episode, so here he is.
Dotson Jr.: This episode of The Ransomware Files was written, researched, edited and produced by Jeremy Kirk. The production coordinator is Rashmi Ramesh. The Ransomware Files theme song is by Chris Gilbert of Ordinary Weirdos Music. If you enjoyed this episode of The Ransomware Files, please share it and leave a review. It will help keep this project going. The series has its own Twitter handle @ransomwarefiles that tweets news and happenings about ransomware. And Jeremy is on Twitter @jeremy_kirk. If you would like to participate in this project or have an idea for it, please get in touch. The project is looking for other people, organizations and companies that can share their unique experiences for the benefit of all until ransomware, hopefully, becomes a thing of the past. For Rockford Public School District 205 and The Ransomware Files, I'm Earl Dotson Jr.