Ransomware attacks in the education sector in 2023 are on the rise. As schools have transitioned to remote and hybrid learning due to the COVID-19 pandemic, they have become more reliant on technology, increasing their susceptibility to cyberattacks, in particular ransomware attacks. Unfortunately, educational institutions often lack the sophisticated defenses, resources, and training needed to protect against these attacks. As a result, attack groups are targeting the education sector, where they perceive a greater chance of success. This is particularly worrisome for students and young adults at the cusp of their careers. Further, the sensitive data at risk is that of children, students, and teachers, an already highly vulnerable group.
Last April, two more school districts were added to the list of victims by the Medusa and LockBit attack groups:
- The Medusa ransomware group claimed Uniondale Union Free School District in New-York as a victim, adding them to their leak site with sample files and a ransom deadline.
- LockBit added Pineland Schools in New Jersey to their leak site, showcasing a sample of the 64GB of data they claimed to have exfiltrated.
Both attacks were mentioned on the dark web, where the attack groups took pride and shared proof of exfiltrated data from the schools’ systems containing sensitive personal information on both students and personnel.
In this paper, we will shed light on both attack groups, discuss the attack techniques and implications of their recent attacks, and provide preventative measures against ransomware attack
II. Lockbit & Medusa Attack Groups
LockBit is a highly sophisticated cyber attack group that specializes in double extortion techniques. These techniques involve both stealing and encrypting sensitive data, which puts additional pressure on victims to pay the ransom. The group has been active since 2019 and has quickly gained notoriety for its automated data exfiltration methods using malware tools, like Stealbit, and encryption systems, like Lockbit 2.0. LockBit has targeted a number of large organizations and corporations, taking advantage of the same vulnerabilities (detailed below). Unfortunately, the prevalence of ransomware attacks like those carried out by LockBit is constantly on the rise and is expected to increase in the future.
Medusa is a ransomware group that was founded in June 2021 and has recently come into the spotlight after a series of successful and high-profile attacks on corporate victims, including the Minneapolis Public School district. Medusa infiltrates victims by infected email attachments, compromised or infected sites, or through malicious ads and takes advantage of the Remote Desktop Protocol (RDP) known vulnerabilities (listed below).
As with Lockbit, Medusa’s ransomware claims to exfiltrate data from compromised organizations to perform a double extortion attack and publish the exfiltrated data on their leak site “Medusa Blog” if a ransom is not met. The threat actors also have a negotiation site, called Secure Chat, that victims can use to communicate with them.
Medusa Ransomware is a relatively new variant and additional information about its campaign, targets, and any additional capabilities is still being discovered.
This vulnerability can be a source of issues for users who connect to a compromised server. The attacker may take control of a user’s device or gain a foothold in the system to maintain persistent remote access.
These vulnerabilities allow an unauthenticated adversary to pull off remote code execution on a server running RDS. These flaws can also be used to create computer worms – malicious code that autonomously replicates itself to other devices on the same network. In plain words, these vulnerabilities can put the whole enterprise network at risk. The only rescue is to apply software updates with patches once they are available.
Remote Desktop Protocol Remote Code Execution Vulnerabilities. An attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could read or tamper with clipboard contents and the victim’s filesystem contents.
III. Uniondale Ransomware Attacks
Uniondale School District is located in Uniondale, NY and is comprised of nine different schools: California Avenue School, Grand Avenue School, Northern Parkway School, Smith Street School, Walnut Street School, Lawrence Road Middle School, Turtle Hook Middle School, Uniondale High School and Cornelius Court School. As of the 2023 school year, 6523 students are enrolled in Uniondale School District.
On April 17, 2023, Uniondale was added to Medusa’s leak site with some files leaked and a threat to leak more data on April 26th. They offered two options of payment: the school district could pay $1,000 to add one day to the deadline, or they could pay $1,000,000 to delete all the data either or download all the data. The listing included more than a dozen files as proof of claims, including students’ personal information (grades, photos, income forms of parents, etc.) as well as personnel information. No other information about this incident has been released so far.
IV. Pineland Ransomware Attacks
Pinelands Regional School District is a public school district located in Little Egg Harbor, New-Jersey. The district contains two schools and 1,580 students in grades 7-12.
On April 17, LockBit claimed to have 64GB of data with plans to dump on April 18. The screencaps provided as proof included an image of a directory that would likely contain a lot of personal information on both students and personnel (233 GB). LockBit’s listing did not indicate what their ransom demand amount was.
Neither Pineland Schools’ nor Uniondale’s website appeared to have any notice about an impending incident.
VULNERABILITY PROTECTION SETTINGS
After conducting a thorough analysis of vulnerability protections across top vendors, we have found that the default out-of-the-box profiles for most of these protections are set to block, providing a sense of security.
However, our research revealed that:
- In 25% of IPS setups, all vulnerability protections intended to block the above-mentioned attacks are set to either inactive or allow (detect) mode, regardless of their default status. This means that for unknown reasons, the protection activation status was manually changed.
- 36.3% of organizations have experienced one of the cyberattacks from the above list, which could have been prevented if the relevant protection had been enabled.
In addition, after analyzing the tactics and techniques employed by Medusa in recent attacks and comparing them to standard security configurations and mitigations, the results are, again, concerning:
T1078 Threat actors use brute-force password guessing for RDP services to gain initial access to the victim’s network.
T1133 Threat actors exploit vulnerable RDP services in the victim network to gain initial access.
64% of hosts and servers are exposing RDP to the internet
T1059.001 Command and Scripting Interpreter: PowerShell MedusaLocker ransomware typically consists of a batch file and a PowerShell script. When the batch file is executed, it calls the text file and runs the PowerShell script in the text file.
T1047 uses Windows Management Instrumentation command-line utility (wmic) to delete volume shadow copies to prevent victims from recovering their encrypted data.
55% of vendors found Medusa payload malicious
T1547 Boot or Logon Autostart Execution- executes the ransomware at system startup by adding registry entries.
T1078 Uses brute-force password guessing for RDP services.
52% of vendors found these actions malicious without the need of advanced behavioral detection systems.
T1110 Brute Force Threat actors use brute-force password guessing for RDP services.
The top RDP passwords used are: Password, P@ssword & admin
Command and Control
T1105 uses certutil.exe to transfer files from its command-and-control server to the victim’s network.
38% of vendors found the known Medusa IoCs malicious
TAKING THE PROACTIVE APPROACH
As cyber threats become more sophisticated, organizations can no longer afford to take a reactive approach to security. The Pineland and Uniondale attacks highlight the importance of implementing a comprehensive security strategy that includes preventative measures. However, many organizations are hesitant to harden their security defenses (e.g., switch vulnerability protections to block mode), fearing that doing so may cause unintended downtime and negatively impact business operations. To address this challenge, organizations should continuously and automatically assess their security configurations and correlate them with security logs and alerts to ensure that they are properly secured, while minimizing the risk of downtime. By prioritizing proactive security measures, organizations can better protect themselves from potential threats without sacrificing business uptime.
Veriti is a consolidated security platform that integrates with the security stack to continually and proactively monitor exposure to threats and remediate security gaps across the organization’s infrastructure.
Using machine learning algorithms, Veriti automatically analyzes threat configurations and correlates them with sensor telemetries, security logs, and threat intelligence feeds to provide contextual, actionable insights that:
- Remediate security gaps and misconfigurations proactively before they are exploited.
- Optimize security controls to address immediate risks without impacting business applications.
- Identify security controls impacting business applications with related IT malfunctions and help security teams quickly analyze scope and remediation options.
Veriti’s solution platform helps organizations to maximize the value of their security investment proactively without impacting business operations. Its configuration-aware approach enables security teams to optimize security controls to address immediate risks and amplifies their efficiency. It enables quick analysis of scope and remediation options. Additionally, Veriti provides complete visibility into the entire security stack, allowing for a more comprehensive understanding of the overall preventative maintenance level and active vulnerabilities.