Criminals know that the data under the care of schools is very valuable to students and staff, and this makes schools a potentially lucrative target. By taking the time to prepare before an emergency happens, you can minimize the risk of losing access to your data or of having to pay criminals to regain it.
What makes schools unique?
Not only do many students and teachers use the same computers in schools, but schools generally encourage their users to bring their own devices. This raises the level of challenge, as an untold number of unmanaged machines connect to the network each day.
Back up your data
The single most important thing you can do to prepare for emergencies, including being affected by ransomware, is to have regularly updated and secured backups.
Keep your software up to date
Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to get onto your system unobserved. Making a practice of updating your software often can significantly decrease the potential for malware infection.
Use a reputable security suite
It is always a good idea to have both anti-malware software and a software firewall to help you identify threats or suspicious behaviour. Malware authors frequently update their creations to try to avoid detection, so it is important to have both layers of protection.
Use the Principle of Least Privilege
The Principle of Least Privilege says that no users or systems should have more access than is necessary to complete tasks that are legitimately within the scope of their work. Personal devices brought from home should also be treated differently from machines that always remain within the school network.
Educate your users
While accidents do happen, it is important for all of your users to understand what acceptable use of school resources entails. This should not be done just once at the beginning of the year and forgotten by the time midterms come around, but should be an exercise that is revisited frequently.
Check to see if a decryptor is available
Sometimes malware authors make mistakes and decryptors can be created. Other times, malware authors feel remorse for their actions or stop development on a particular ransomware family, and then release a decryption key. It’s worth a quick internet search to see if the solution to your problem is available for free, from a reputable source.
Disconnect from WiFi or unplug from the network immediately
If you run a file that you suspect may be ransomware but have not yet seen the characteristic ransomware screen, acting very quickly might let you stop communication with the command-and-control (C&C) server before the ransomware finishes encrypting your files. If you disconnect yourself from the network immediately, you might decrease the number of files that it can encrypt.
Use System Restore to get back to a known-clean state
If you have System Restore enabled on your Windows machine, you might be able to take your system back to a known-clean state. Many ransomware variants will prevent this from succeeding, but it doesn’t hurt to try.
Set the BIOS clock back
Some ransomware variants have a payment timer that increases the price for your decryption key after a set time. You may be able to give yourself additional time by setting the BIOS clock back to a time before the deadline window is up.
Should you pay the ransom?
Paying criminals is never a good idea, even when it seems expedient. Ransomware authors are under no obligation to actually give you what you pay for, and there have been plenty of cases where either the decryption key did not work or the ransom note never even appeared. Suffice it to say that cybercriminals are not generally renowned for their excellent software testing or devotion to quality customer service.