Hear ransomware victims describe the response and recovery lessons learned at the virtual event for IT professionals
Free Webinar by K12SIX Scheduled for August 16th
The non-profit K12 Security Information Exchange, a school cybersecurity organization, is hosting a free professional development webinar for IT professionals in the education sector on August 16th. It will include an in-depth case study of the Northshore School District’s response and recovery work after a debilitating ransomware attack on the Washington district in 2019.
The webinar, “The Long Tail of K-12 Cyber Incident Response and Recovery,” will include a discussion of best practices for recovery, “with a particular focus on the long-term work to incorporate lessons learned” from the Northshore School District’s network operations manager Jon Wiederspan and Network Security Engineer Alexander Delgadillo, and presenter Doug Levin, National Director at K12SIX.
The State of K-12 Cybersecurity Year in Review Report, published by K12SIX in March, revealed that ransomware has become the most common type of publicly reported cyber incident in US schools as increasingly aggressive tactics by threat actors raise the stakes. Last year, the report said, the 62 ransomware incidents reported by K-12 schools in the United States made ransomware the top-reported cyber incident type for the first time since the K12SIX Cyber Incident Map began collecting data.
“While the actions a school district takes in the hours and days after a cyber incident is discovered are critical, cyber incident recovery is not complete until steps are taken to prevent similar incidents from happening in the future,” said K12SIX. “This work often requires close coordination with district leadership, across departments, often with those who aren’t IT professionals.”
According to the IST Ransomware Task Force, recovery from ransomware attacks takes an average of 287 days, even if the affected organization believed they had secure backups before the attack. That was the belief in the Northshore School District, and it turned out to be misplaced confidence, according to an interview with one of the district’s systems administrators, published last year, about the events in the early hours after the attack.
“The cybercriminals used the Ryuk ransomware against the school district, which relied on a data center with 300 Windows and Linux black box servers. The district also managed 4,000 employees’ devices, including Windows, Mac, and Chromebook workstations, along with many iPad tablets,” David Ruiz wrote in his Malwarebytes interview with Northshore’s Ski Kacaroski.
“Shortly after logging into his employer’s VPN and poking around, Kacaroski learned the server had been attacked by ransomware. He saw an unencrypted file — a ransomware note from the attackers — and tons of .ryuk file extensions just about everywhere else.”
Ultimately, an FBI investigation revealed that the first breach of the district’s networks had started months earlier. Between that time and the ransomware attack, three different groups of hackers had access to the district’s network, with each group escalating its attack tactics and gaining more control of the district’s servers, the report said.
Valuable lessons were learned along the way about what to do — and what absolutely not to do — and those insights will be the topic of the K12SIX webinar, Levin said.
The webinar is designed to complement the new K12 SIX Essential Cyber Incident Response Runbook, a free template that guides public schools through creating a cyber incident response plan.
The event, which begins Tuesday, August 16 at 2:00 p.m. ET, will include a question and answer session with Northshore network managers.
Find out more on the K12SIX events page or register for the webinar here.
Kristal Kuykendall is the Editor of the 1105 Media Education Group.