Fraud Management & Cybercrime , Ransomware

The Ransomware Files, Episode 7: Ryuk's Rampage

A School District Infected With Ryuk Kept Classes Running and Recovered
The Ransomware Files, Episode 7: Ryuk's Rampage

If there are two industry verticals in which launching a ransomware attack isn't even close to a fair fight, they're schools and hospitals.

Schools deliver education. Hospitals deliver medical care. Both are essential services that - especially after the last two years of the COVID-19 pandemic - do not need any more interruption.

A type of ransomware called Ryuk, which was created by a Russian cybercriminal group, was responsible for much of the disruption in those verticals over a period stretching more than two years.

One of its victims was Rockford Public Schools in Rockford, Illinois, just days after the school year started in September 2019. Ryuk encrypted upwards of 6 million files, wrecked applications and locked up servers. But the district kept the doors open while mounting a mighty recovery effort.

Jason Barthel is chief information officer for the school district. He'd just finished watching the Chicago Bears football team lose their first game of the season when he began to get text alerts that the district's servers were going offline.

Upwards of 300 servers were encrypted. Several weeks of its backups were also encrypted. Some 5,000 Windows machines were infected, all of which needed to be re-imaged. The phones and email did not work.

"We took a step back in time is the way I say it," Barthel says. "We went back to pen and paper."

While Ryuk managed to delete some backups, others were intact. A vendor helped restore the application used for its financial system, and the data for that system was backed up. One copy of its Active Directory also escaped encryption, which served as a foundation for recovering that system.

The district was also very upfront about its attack, even doing a podcast episode about it just two months later. The district refused to pay the ransom.

"We were like, 'Screw them,'" says Earl Dotson Jr., Rockford Public Schools' chief communications officer. "We're not giving them nothing. Like, you know, we were defiant. We were like, 'How dare you do this to children?'"

Barthel says three years on from the attack, the district is now in a far better position than when he arrived in 2018. It strengthened security controls in its Office 365 environment. Multifactor authentication was implemented. An effective cybersecurity awareness and anti-phishing program has dropped click-through rates on phishing emails from a very high 43% to well below 10%.

"I think you always come out better from these things than what you went into," Barthel says. "We found a silver lining in this particular event. You'll be OK. It's not always fun. But I think we are battle-hardened now."

"The Ransomware Files" is a podcast miniseries available on Spotify, Apple Podcasts, Google, Audible, Stitcher and more. I'm speaking with those who have navigated their way through a ransomware incident to learn how they fought back and what tips they can pass on to others. No ransomware infection is ever welcomed. But there's invaluable knowledge gained. There should be no shame in getting infected, and it's important to share the lessons.

If you enjoyed this episode of "The Ransomware Files," please follow it on a podcast platform and leave a review. Also, the show has a Twitter handle, @ransomwarefiles, that tweets news and happenings about ransomware.

If you would like to participate in this project and tell the information security community about your organization's brush with ransomware, please get in touch with me at jkirk@ismg.io or direct message me here on Twitter. I'm looking for other people, organizations and companies that can share their unique experiences for the benefit of all until ransomware, hopefully, is no longer a threat.

Credits

Speakers: Jason E. Barthel, Chief Information Officer, Rockford Public Schools; Earl Dotson Jr., Chief Communications Officer, Rockford Public Schools; Cathy Bayer, Senior Communications Manager, Rockford Public Schools; Doug Levin, National Director, K12 Security Information Exchange; Errol Weiss, Chief Security Officer, Health Information Sharing and Analysis Center; Jeremy Kirk, Executive Editor, Information Security Media Group.

Production Coordinator: Rashmi Ramesh.

The Ransomware Files theme song by Chris Gilbert/© Ordinary Weirdos Music.

Music by Podcastmusic.com.

Sources

  • Allan Liska, Ransomware: Understand. Prevent. Recover, Oct. 28, 2021;
  • CISA, Alert: Conti Ransomware, Sept. 21, 2021;
  • CISA, Alert: Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data, Dec. 10, 2020;
  • Data Breach Today, Improving Cybersecurity Defenses for Schools, Feb. 11, 2022;
  • Infosec, ZLoader: What it is, how it works and how to prevent it | Malware spotlight, Aug. 19, 2020;
  • K12 SIX, State of K-12 Cybersecurity: Year in Review, March 10, 2021;
  • Krebs on Security, Conti’s Ransomware Toll on the Healthcare Industry, April 18, 2022;
  • Microsoft, Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware, April 13, 2022;
  • NBC News, Hackers are leaking children’s data - and there’s little parents can do, Sept. 10, 2021;
  • Rockford Public Schools, 205 VIBE, Sept. 2018-May 3, 2022;
  • Rockford Register Star, School internet, email, phones disabled by ransomware, Sept. 9, 2019;
  • The Journal, K–12 Cybersecurity Act Signed into Law, Oct. 8, 2021;
  • Trend Micro, A Brief History of Notable Online Banking Trojans, Aug. 31, 2015;
  • York Daily Record, 'Cyber snow days:' Why few school districts statewide opted in for the program, Jan. 6, 2020;



Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.