Baltimore County Public Schools shut down Monday and Tuesday following a ransomware attack that paralyzed the school system’s network last week right before Thanksgiving.
According to the Baltimore Sun, officials described the event as a “catastrophic attack on our technology system.” The ransomware attack is reported to have hit the entire Baltimore County Public Schools’ network on Wednesday. The attack caused the 115,000 students who were learning solely remotely to have an extended Thanksgiving weekend, as schools were shut Monday and Tuesday and will resume on Wednesday.
When resuming school tomorrow, the District is advising students and staff that they can use Chromebooks, but not Windows-based devices, while the investigation is ongoing. Students and staff are performing a series of security checks on system-issued devices, and any students who need a new device or other help can get assistance at their local public high school.
According to social media accounts, some teachers have surmised that the ransomware strain involved in the attack is Ryuk, which is well known to have been involved in previous attacks against municipalities and school systems.
At the present time, the attack is being investigated and it is unknown whether or not any personal student or employee information was compromised.
In the wake of the increase in ransomware attacks, including data exfiltration prior to or during a ransomware attack, I think it is worth the time and resources to focus on data recovery and business continuity. I am finding that during and following a ransomware attack, victims do not have adequate actionable business continuity, disaster recovery, or data recovery plans in place.
One way to focus on these important concepts is to schedule and conduct a tabletop exercise with your incident response team, focused specifically on a ransomware attack. Think about the situation in which none of your employees are able to access the network, systems, documents, contacts, emails or schedules. How do you even get in touch with your incident response team if you can’t access your contacts? Do you have their personal contact information on a piece of paper? How much time will it take you to figure out how to get in touch with your incident response team if you don’t have their personal telephone numbers or email addresses? This is lost time that is incredibly valuable immediately following an attack.
Further, if the hacker has exfiltrated data before deploying the ransomware that locks all of your data, do you have the proper systems in place to recover the data and continue business operations? If none of your employees can access documents or email, how do they do their jobs? How long will it take to get them back to work? If your employees can’t work, your business will be impacted, which goes to the bottom line.
This is the importance of having a disaster recovery plan, a data recovery plan, and a contingent operations plan. What is even more important is to test those plans. Take the time to really focus on how you would handle the worst-case scenario of a ransomware attack, who has responsibility for response and mitigation, who is responsible for communicating with employees and how, and who will be the quarterback of the entire response.
A ransomware attack can be devastating to a company even when you are prepared and have tested your plans. It is even more devastating when you are completely unprepared.
October is Cybersecurity Awareness Month. Make one of your goals for this month to develop and test your incident response, data recovery, disaster recovery and contingent operations plans.