Month: March 2021

Warnings Issued Following Spike in Ransomware Attacks on Schools

The disruption to learning from a pandemic that has lasted more than a year is bad enough, but many schools have experienced even more disruption just as many have opened their gates and allowed students back into classrooms.  The SARS-CoV-2 virus may have been brought under control thanks to lockdown measures and the rollout of vaccines, but another type of virus is proving to be a major threat – ransomware.

FBI Warns of Targeted Ransomware Attacks on K12 Schools and Higher Education

Ransomware attacks on schools have been stepped up in recent months and schools and higher education institutions are being actively targeted. In the United States, the Federal Bureau of Investigation recently issued an alert to the education sector warning about the threat of attacks involving Pysa ransomware. The threat actors behind this ransomware variant have been actively targeting K12 schools, higher education, and seminaries. Buffalo City Schools were forced to close their schools in March following a ransomware attack that crippled their IT systems, just before students were about to return to classrooms as part of a phased reopening of schools.

The ransomware is deployed manually after compromising the network. The attack often starts with a phishing email, which gives the attackers the foothold in the network they need. They then conduct reconnaissance, move laterally, and compromise entire networks before deploying their ransomware.

Prior to running the encryption routine that cripple IT systems, the attackers steal sensitive data. Files containing student information are obtained and threats are issued to publish or sell the stolen data if the ransom is not paid. The gang, like many others, has a leak site and routinely follows through on the threat.

Spike in Ransomware Attacks on UK Schools

Ransomware attacks on schools are not confined to the United States. The Pysa ransomware gang is also targeting schools in the United Kingdom and many other countries, and the Pysa gang is not alone. Many other ransomware operations have been attacking schools.

Following a rise in ransomware attacks on UK schools, the UK’s National Cyber Security Centre (NCSC) issued an alert to educational institutions about the growing threat of attacks. NCSC has observed an increase in ransomware attacks on schools from late February 2021, which coincides with students returning to classrooms after an extensive period of school closures due to the pandemic.

The NCSC said there is no reason to believe that these attacks are being conducted by the same criminal group. This appears to be the work of multiple threat groups. These attacks have caused varying levels of disruption, including rendering entire networks inoperable, disabling email and websites, and hampering the ability of students to learn. In some cases, students have lost coursework as a result of the attacks, records of COVID-19 tests have been rendered inaccessible, and school financial records have been lost.

Unfortunately, even paying the ransom is no guarantee of being able to recover encrypted files. While the attackers claim they have the keys to unlock the encryption, they may not be provided. There is also no guarantee that stolen data will be deleted when the ransom is paid. There have been many cases when further ransom demands have been issued after payment has been made.

Adopt a Defense in Depth Strategy to Block Ransomware Attacks

The Department for Education (DfE) has recently urged UK schools to review their cybersecurity defenses and take the necessary steps to harden their defenses against cyberattacks. The NCSC explained that there is no single cybersecurity solution that will provide protection against these attacks. What is required is a defense in depth approach to security.

Defense in depth means implementing multiple overlapping layers of security. If one layer fails to block an attack, others are in place to block the attack.

In practice this means good patch management – applying updates to software, firmware, and operating systems promptly. Antivirus software must be installed on all devices and be kept up to date. Spam filtering solutions should be implemented to block the phishing emails that give the attackers access to the network. These filters can also be used to block email attachments that are not typically received.

Web filters should be used to block access to malicious websites. These filters inspect the content of websites to determine if it is malicious. They also categorize web content, and the filters allow schools to carefully control the types of content that students and staff can access to reduce risk.

Multi factor authentication should be implemented on all remote access points and email accounts, remote access ports that are not being used should be blocked, and a VPN should be used for remote access. The rule of least privilege should be applied for remote access and all staff and student accounts.

It is also recommended to prevent all non-administrator accounts from being able to install software, office macros should be disabled, as should autorun on portable devices.

It is also vital that all files are backed up daily and backups tested to make sure file recovery is possible. Backups should be stored on non-networked devices and must not be accessible from the systems where the data resides. Ideally, multiple backup copies should be created with at least one stored on an air-gaped device.

Gootloader Malware Delivery Framework Uses SEO Poisoning to Deliver Multiple Malware Variants

There has been an increase in the use of a JavaScript-based infection framework known as Gootloader for delivering malware payloads. Gootloader, as the name suggests, has been used to deliver the Gootkit banking Trojan, but also REvil ransomware, Cobalt Strike, and the Kronos Trojan via compromised WordPress websites.

The threat actors behind Gootloader compromise vulnerable WordPress websites and inject hundreds of pages of fake content, often totally unrelated to the theme of the website. A broad range of websites have been compromised across many industry sectors, including retail, education, healthcare, travel, music, and many more, with the common denominator that they all use the WordPress CMS.

It is not clear how the WordPress sites have been compromised. It is possible that the sites have not been updated to the latest WordPress version or had vulnerable plugins that were exploited. Legitimate admin accounts could be compromised using brute force tactics, or other methods used.

The content added to the compromised sites takes the format of forum posts and fake message boards, providing specific questions and answers. The questions are mostly related to specific types of legal agreements and other documents. An analysis of the campaign by eSentire researchers found most of the posts on the compromised websites contained the word “agreement”. The posts have a question, such as “Do I need a party wall agreement to sell my house?” with a post added below using the exact same search term that users can click to download a template agreement.

These pages have very specific questions for which there are few search engine listings, so when search engines crawl the websites, the content ranks highly in the SERPs for that specific search term. There may be relatively few individuals searching for these particular search terms on the likes of Google, but the majority of those that do are looking for a sample agreements to download.

The malicious file that the link directs the user to download is a JavaScript file, hidden inside a.zip file. If that file is opened, the rest of the infection process operates in the memory, beyond the reach of traditional antimalware solutions. An autorun entry is created that loads a PowerShell script for persistence, which will ultimately be used to deliver whatever payload the threat actor wishes to deliver.

The content added to the websites contains malicious code that displays the malicious forum posts only to visitors from specific locations, with an underlying blog post that at first appears legitimate, but mostly contains gibberish. The blog post will be displayed to all individuals who are not specifically being targeted.

The campaign is using black hat SEO techniques to get the content listed in the SERPs, which will eventually be removed by the likes of Google; however, that process may take some time.

Blocking these attacks requires a combination of security solutions and training. Downloading any document or file from the Internet carries a risk of a malware infection. Risk can be reduced by implementing a web filtering solution. Web filters will block access to websites that have been identified as malicious and will perform content analysis on new content. You can also configure a web filter to block downloads of certain files types, such as JavaScript files and Zip files.

Endpoints should be configured to display known file types, as this is not enabled by default in Windows. This will ensure that the file extension – .js – is displayed. End users should be instructed not to open these files and Windows Attack Surface Reduction rules should be set to block JavaScript and visual Basic scripts from attempting to download and run files.