I remember being a kid during the winter on the East Coast. Once the first snowflake fell, we eagerly listened to the radio and would cheer for school to close due to snow. We would spend the rest of the day outdoors getting frostbite, but enjoying every minute of the winter wonderland.
Nowadays, kids don’t have to wait for winter weather for a day off from school. Some snow days have been replaced by ransomware days. During the pandemic, almost all school districts around the country are either fully online or use a hybrid of online and in-person learning.
In Baltimore County, Maryland, the kids received a snow day before Thanksgiving and three more the following week. According to Bleeping Computer, the Baltimore County Public School system canceled classes after being hit by a ransomware attack against its Windows-based devices.
On Nov. 30, the Huntsville (Alabama) City School district shut down for a week after its system was hit by ransomware. About the same time, the online learning giant, K12, announced it paid hackers the ransom for their mid-November attack.
Why the sudden explosion of ransomware attacks, and what can we do about it? The answer to the first question is a change in the business model of the crime organizations on the Dark Web. Ransomware used to be a time-intensive activity where skills and/or a lot of money were necessary to pull off the attack. However, the crime syndicates have created a new business model that changed all this. They are now selling Ransomware as a Service (RaaS). The entrance cost has been reduced significantly. RaaS allows the two-bit crook and the non-technical hood to enter into a career as a cyber extortionist. With the increased dependence on technology for businesses and risky remote access for employees, the market is full of potential targets: big and small organizations, in the cities and towns, in every sector. No one is immune. For more on ransomware and how it works, I recommend this video from Tom: https://youtu.be/KgpWYaiRIlY.
There are ways to protect your organization from becoming a victim. Your cyber defense must be in-depth. Your firewalls should be closing all unnecessary ports. Users should have regular training on identifying phishing emails. Your network should be protected by multi-factor authentication. We talk about these regularly in this column.
Let me introduce you to two new concepts that are a strong defense against ransomware: application whitelisting and application ringfencing. Application whitelisting allows only those applications that are known to be trusted to run on the system. Although most employees use up to 10 applications to perform their job, the operating system is wide open, allowing any application to run, malicious or not. Blocking all applications that are not on the known good list (whitelist) shuts down the malware’s usual paths.
Every time we open an application on our computer, that application has full access to everything we do. Ringfencing allows you to define rulesets governing how an application can interact with other applications, and what resources an application can access. For example, if PowerShell and Microsoft Office are required in your environment, that does not mean that Microsoft Office needs to be able to interact with PowerShell.
If applications were horses on a ranch, a horse that had access to the entire pasture would be on the whitelist, while a horse that was restricted to a training corral would be ringfenced. Horses not whitelisted or ringfenced would not be allowed on the property.
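For readers who want to see the two ideas side by side, here is a small model of them in Python. It is an added example, not code from this column or from any product; the class names, rule format, file paths and the byte strings standing in for executables are all hypothetical.

```python
import hashlib
from dataclasses import dataclass, field

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

# Constructed stand-ins for the bytes of each executable (not real binaries).
WORD = b"constructed: office word processor"
POWERSHELL = b"constructed: powershell host"
UNKNOWN = b"constructed: attachment dropped by a phishing email"

@dataclass
class Ringfence:
    may_launch: set = field(default_factory=set)   # apps this app may start
    may_write: tuple = ()                          # path prefixes it may write

@dataclass
class Policy:
    whitelist: dict                                # sha256 -> app name
    fences: dict = field(default_factory=dict)     # app name -> Ringfence

    def identify(self, image: bytes):
        # Identity comes from file content, so renaming a file changes nothing.
        return self.whitelist.get(digest(image))

    def check_launch(self, child: bytes, parent: bytes = None) -> str:
        child_name = self.identify(child)
        if child_name is None:
            return "deny: not whitelisted"
        fence = self.fences.get(self.identify(parent)) if parent else None
        if fence is not None and child_name not in fence.may_launch:
            return "deny: ringfenced"
        return "allow"

    def check_write(self, app: bytes, path: str) -> str:
        name = self.identify(app)
        if name is None:
            return "deny: not whitelisted"
        fence = self.fences.get(name)
        # Simplified prefix match; a real product would normalize paths first.
        if fence is not None and not path.startswith(fence.may_write):
            return "deny: ringfenced"
        return "allow"

# Both apps are whitelisted; only Office is ringfenced (no child apps, user folders only).
POLICY = Policy(
    whitelist={digest(WORD): "office", digest(POWERSHELL): "powershell"},
    fences={"office": Ringfence(may_launch=set(), may_write=("C:\\Users\\",))},
)
```

PowerShell started by a user is allowed, PowerShell started by Office is denied, and the unknown attachment is denied no matter what it is named.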
So, if you want to avoid a cyber snow day, talk to your local cybersecurity expert about application whitelisting and ringfencing.