Jun 07, 2017
The attack happened on a Sunday, when few people were around. Hackers apparently based in Russia broke into the computer systems of a St. Louis metro-area charter school system, encrypted all its files, deleted on-site backups, and demanded a ransom paid in bitcoins, the cyber currency.
The school system became the latest victim of the scourge of ransomware, a rising threat in which criminal hackers invade computers or networks, encrypt everything and try to extort a ransom from their victims in exchange for putting their systems back online.
“This was a very serious attack that impacted all facets of our operations, from Outlook e-mail to our financial and phone systems,” an executive of the school system said. “It felt as if our business operations had been dealt a serious blow — to the point we thought that we may not be able to recover some aspects of operations.”
Fortunately, it wasn’t a complete catastrophe — offsite facilities saved several crucial systems — but email was down for days and the telephone network was badly damaged.
“Our phone systems had to be rebuilt, which took from one to two weeks,” the school system executive said. “We do still have some locked user files that we will likely never recover.”
Help arrives from Essential Network Technologies
ENT, the St. Louis networking and managed IT services provider, has worked with the school system for three years, maintaining and administering its telephone system, installing networking gear, providing escalation support and third-tier troubleshooting/analysis, and jumping in with other services when requested.
The school system contacted ENT shortly after the intrusion.
“We needed someone with expertise in dealing with this level of attack, and needed help getting our systems back up and running as quickly as possible,” the school system executive said. “ENT provided our IT manager resources to help investigate and assess damage, as well as help bring systems back online.”
School leaders also asked ENT to help figure out what went wrong and advise on how to prevent it from recurring. Within two weeks, ENT delivered a comprehensive, 25-page Information Technology Audit Report that detailed the vulnerabilities the hackers exploited and recommended changes to reduce the likelihood of future attacks.
Key findings and recommendations of ENT’s system audit
While ENT networking experts helped the school system recover lost IT resources, the company’s security experts were examining system logs and figuring out how the attackers got in. They determined the attack originated from IP addresses in the St. Petersburg, Russia, area. The intruders exploited weak login credentials that granted full system privileges to anybody who successfully signed in via a remote-access interface.
Once the hackers got in, they had pretty much full access to the school’s on-site systems.
How could this happen, and what would it take to prevent it from happening again? ENT’s audit report made several key recommendations, including:
- Adjusting staffing levels, duties and responsibilities to ensure anomalous network activity does not go unnoticed.
- Improving network access protocols so people have no more system privileges than they actually need.
- Enabling security logging to alert top systems personnel when unusual traffic appears on the network.
- Implementing stronger, more secure password and remote-access policies.
- Moving to new backup architecture that provides more security and faster disaster recovery.
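The alerting recommendation above, illustrated with an added example that is not ENT's code or part of the audit report: a small detector run over a constructed remote-access authentication log, flagging a successful login that follows repeated failures from the same source address, or that happens outside business hours (as the Sunday intrusion did). The log format, the failure threshold and the business-hours schedule are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample remote-access log (not from the incident); assumed format:
# "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2017-05-28T02:11:04 FAIL user=admin src=203.0.113.7
2017-05-28T02:11:09 FAIL user=admin src=203.0.113.7
2017-05-28T02:11:15 FAIL user=admin src=203.0.113.7
2017-05-28T02:11:21 OK user=admin src=203.0.113.7
2017-05-30T09:03:40 OK user=jsmith src=198.51.100.12
2017-05-30T13:45:02 FAIL user=jsmith src=198.51.100.12
2017-05-30T13:45:30 OK user=jsmith src=198.51.100.12
"""
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")
FAIL_THRESHOLD = 3             # failures from one source that make a later success suspicious
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, Monday to Friday (assumed schedule)

def parse(line):
    # Returns (timestamp, result, user, src), or None for a malformed line.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result, user, src

def off_hours(ts):
    """True on weekends or outside the assumed business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def find_alerts(log_text):
    """Flag successful remote logins that follow repeated failures from the
    same source address, or that happen outside business hours."""
    failures = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue               # skip lines that do not match the format
        ts, result, user, src = rec
        if result == "FAIL":
            failures[src] += 1
            continue
        reasons = []
        if failures[src] >= FAIL_THRESHOLD:
            reasons.append(f"success after {failures[src]} failures")
        if off_hours(ts):
            reasons.append("off-hours login")
        failures[src] = 0          # a success resets the counter for that source
        if reasons:
            alerts.append((ts.isoformat(), user, src, "; ".join(reasons)))
    return alerts
```

Running `find_alerts(SAMPLE_LOG)` on the constructed log yields one alert, for the Sunday 02:11 success that followed three failures; the weekday logins with a single failure are left alone.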
The end result: The school system now has a roadmap for robust IT systems that can serve the needs of students and teachers while substantially reducing the risk of damaging cyber intrusions.
“I would recommend ENT to a colleague,” the school system executive said. “They were instrumental in recovering us from this cyber-attack and will play a crucial role in redeveloping our systems to make them less susceptible to this type of attack in the future.”