The CFC case study below explains how hackers accessed a school’s systems through remote desktop protocol and held data to ransom.
The education sector is no exception to the massive technological changes that have occurred over the past 20 years or so. Schools in particular are now increasingly dependent on their computer systems to provide students with a 21st century education. Both teachers and students now regularly make use of computer technology in the classroom, whether that be through delivering PowerPoint presentations on interactive whiteboards, conducting interactive learning on tablets and laptops, completing online assessments and tests, or using software programs for compiling student grades and monitoring classroom attendance. Schools are also seeing a shift away from paper filing and are storing more and more of their important data in an electronic format.
Although the use of computer technology has undoubtedly brought many benefits to schools, their increasing dependence on computer systems and electronic databases also makes them vulnerable to cyber losses. If teachers and staff are unable to gain access to their computers, whether that be as a result of a malicious cyber attack or a non-malicious system failure, it can result in serious operational disruption for the school. And if a hacker gains access to sensitive electronic data held by the school, it could have a negative impact on the school in terms of both its finances and its reputation.
One of CFC policyholders affected by a cyber loss was a private school responsible for educating approximately 800 students aged 11-18, with the school catering for both day and boarding students.
The incident began when a hacker managed to gain access to the school’s computer systems through the remote desktop protocol (RDP). RDP allows remote users to connect to the desktop of another computer through a network connection and is typically used by schools to allow staff and students to access their networks whilst they are not on school premises. In this case, the port that the school used for RDP access was exposed directly to the internet. Hackers are constantly using scanning tools to identify vulnerable organizations and establish any weak points that they may have in their cyber security, and an RDP port that is exposed directly to the internet is one of the most common that they look out for.
Having identified this area of weakness, the hacker looked to gain access to the school’s network by initiating a brute force attack against a local administrator account. A brute force attack is where a hacker uses a computer program to crack passwords by trying numerous possible password combinations in rapid succession, with the program typically trying a long list of the most commonly used passwords. Generally speaking, the longer and more complex the password, the more difficult and time consuming it is for the program to crack. Unfortunately, however, the school’s local administrator account had a weak password in place that had been used as a default but never been changed. With the password lacking in complexity, the program quickly cracked the password. What’s more, the school did not have multi-factor authentication enabled for RDP access, so as soon as the password was cracked, the hacker was able to gain access to the school’s network without having to go through a second verification procedure.
Upon gaining access, the hacker took the opportunity to unleash ransomware across the school’s computer systems. Ransomware is a type of malicious software that works by encrypting data on a network, and then demands that a ransom be paid in exchange for a decryption key to regain access to the data. In this case, the ransomware had encrypted multiple servers, effectively locking the school out of its computer systems, and the hacker demanded a payment of 2 bitcoin for the decryption key. In many cases, it’s possible to mitigate ransomware attacks by recovering from back-up. However, the school’s back-ups were contained on one of the servers encrypted by the ransomware, rendering them useless.
Fortunately for the school, the ransomware attack occurred over the course of a school holiday, but without being able to restore from back-ups, the school recognized that a great deal of disruption would ensue if its computer systems were still unavailable once students returned. For example, the school would be unable to have ready access to highly important information, such as the financial information needed for accounting purposes, details about prospective students for the next school year and critical information about students under the school’s care, such as medical records and dietary requirements; teachers would be unable to make use of interactive whiteboards to provide presentations to students; students would no longer be able to use e-learning courses in the classroom or complete online assessments; and boarding students would be unable to complete homework assignments on schools computers in the evening.
With the prospect of significant operational disruption looming over the school, it was at this point that the incident was notified to CFC’s incident response team. The team’s first priority was to establish what ransomware variant had been used in the attack by looking at a copy of the ransom note and a sample of the encrypted files. Having identified the likely ransomware variant, the team then carried out some research to see if there was any way of removing the ransomware without paying the ransom demand. One of our incident response partners produces a regularly updated list of freely available decryption keys for known ransomware variants. Luckily for the school, the team were able to find a decryption key online. With the decryption key to hand, the school was able to begin the process of decrypting the affected data and applications without having to pay the ransom.
However, even though the school had managed to regain access to its computer systems, there was still a question mark over whether the attack had resulted in a data breach. The ransomware attack had impacted servers containing sensitive data, including parents’ names, phone numbers, and residential addresses; data on past and present students, such as grades, attendance, disciplinary and medical records; information on staff, such as contact details, addresses and bank account details; and information on prospective students who were likely to be inducted in the next school year. As the school was subject to local data breach notification laws, it meant that if it transpired that some or all of this data had been accessed or exfiltrated in the course of the attack, the school would have to notify the affected individuals, potentially resulting in a regulatory investigation and damaging the school’s reputation in the eyes of staff, students and parents alike.
In order to address this issue, we engaged one of our incident response partners to conduct a forensic investigation to establish how the hacker had gained access to the insured’s computer systems and whether they had accessed any sensitive data whilst they were there. Unfortunately, when the hacker had carried out the attack, they had set up a temporary user profile, which meant that there was no way of knowing for sure what folders the hackers may have explored and what files may have been opened.
Nevertheless, our incident response team and our forensic partners were able to establish some pertinent facts about the case. First, based on previous incidents and threat intelligence, the ransomware variant used during the course of the attack was not known to be capable of accessing or exfiltrating data. Second, the bandwidth usage logs obtained from the school’s internet service provider did not show high levels of traffic during the period that the hacker had access to the school’s computer systems, indicating that there had not been any major data exfiltration from the school’s network. Third, the hacker was only logged on to the school’s computer systems for a short period of time, suggesting that they were primarily focused on deploying the ransomware rather than seeking out sensitive data.
Given this, our forensic partners determined that the hackers main motive appeared to be financial gain through the use of ransomware, rather than the theft of sensitive data. After engaging legal advice to determine whether a data breach notification would be required, the lawyers advised that, based on the findings of the forensic investigation, no notification would be needed in this instance, thus ensuring that the school’s reputation was not damaged unnecessarily.
The total cost of carrying out a root cause analysis, network security assessment, forensic investigation and engaging legal counsel came to £17,560, all of which was covered by the school’s cyber policy with CFC.
This claim highlights a few key points. Firstly, it highlights the importance of securing the remote desktop protocol (RDP) effectively. If organizations are using RDP, they should make sure that it is not directly exposed to the internet and use a virtual private network (VPN) instead. In addition, businesses should ensure that they have good password hygiene in place and enable multi-factor authentication for any remote access to the network. If the school had had these measures in place, it is highly unlikely that the hacker would have gained access to its computer systems.
Secondly, it highlights the importance of having a good data back-up policy. In this case, the school had been prudent enough to back up its data. However, by not saving these back-ups external to the school’s servers, it meant that when the ransomware started encrypting, it encrypted the back-ups too. Ideally, businesses should maintain daily offline back-ups to help prevent back-ups from being compromised during the course of an attack.
Finally, this claim highlights the value of cyber insurance. When you buy a cyber insurance policy, you are not just buying a promise to pay valid claims. You are also paying for a service to help and advise you when things go wrong. In this case, CFC’s incident response team and our partners were able to provide threat intelligence on the ransomware variant and obtain a free decryption key, enabling the school to regain access to its computer systems; conducted a root cause analysis to establish how the hacker got into the system, enabling the business to identify and remedy any cyber security weaknesses; and conduct a forensic investigation that allowed us to determine that the ransomware attack had not resulted in a data breach, thus preventing the school from conducting an unnecessary notification procedure and needlessly damaging its reputation.