Professional Learning

Hear Ransomware Victims Describe the Response & Recovery Lessons Learned at Virtual Event for IT Practitioners

Free Webinar by K12SIX Scheduled for Aug. 16

School cybersecurity nonprofit K12 Security Information Exchange is holding a free professional development webinar for education sector IT practitioners on Aug. 16, featuring an extended case study of Northshore School District’s response and recovery work following a crippling ransomware attack targeting the Washington district in 2019.

The webinar, “The Long Tail of K–12 Cyber Incident Response and Recovery,” will include a discussion of recovery best practices, “with a special focus on the long-term work of incorporating lessons learned.” It will feature Northshore School District network operations manager Jon Wiederspan and network security engineer Alexander Delgadillo, with Doug Levin, national director at K12SIX, moderating.

The State of K–12 Cybersecurity Year in Review report released in March by K12SIX revealed that ransomware has become the most common type of publicly disclosed cyber incident at U.S. schools, as increasingly aggressive tactics by threat actors drive the stakes higher. Last year, said the report, the 62 ransomware incidents disclosed by K–12 schools in the United States made it the most frequently disclosed cyber incident type for the first time since the K12SIX Cyber Incident Map began collecting data.

“While the actions a school district takes in the hours and days following discovery of a cyber incident are critical, the job of cyber incident recovery isn’t complete until steps are taken to prevent similar incidents from recurring in the future,” K12SIX said. “This work often involves close coordination with district leadership, across departments and divisions, often with those who are not IT experts.”

According to the IST Ransomware Task Force, recovery from ransomware attacks lasts an average of 287 days, even when the victim organization believed it had secure backups in place prior to the attack. Such was the belief at Northshore School District, and it turned out to be misplaced confidence, according to an interview published last year with one of the district’s systems administrators, recounting what happened in the early hours after the attack.

“The cybercriminals deployed the Ryuk ransomware against the school district, which relied on a datacenter of 300 Windows and Linux black box servers. The district also managed 4,000 staff members’ devices, including Windows, Mac, and Chromebook workstations, along with many iPad tablets,” wrote David Ruiz in his Malwarebytes interview with Northshore’s Ski Kacaroski.

“Shortly after logging into his employer’s VPN and poking around, Kacaroski learned that the server had been hit with ransomware. He saw one, unencrypted file — a ransomware note from the threat actors — and countless .ryuk file extensions nearly everywhere else.”

Eventually, an FBI investigation revealed that the initial breach of the district’s networks had begun months earlier, and between then and the ransomware attack, three different groups of hackers had access to the district’s network, with each group ramping up attack tactics and gaining more control over the district’s servers, the report said.

Along the way, valuable lessons were learned about what to do — and what to absolutely not do — and those insights will be the topic of the K12SIX webinar, said Levin.

The webinar aims to complement the new K12 SIX Essential Cyber Incident Response Runbook, a free template guiding public schools through the creation of a cyber incident response plan.

The event, which begins at 2 p.m. ET on Tuesday, Aug. 16, will include a question-and-answer session with the Northshore network managers.

Learn more at K12SIX’s event page or register for the webinar here.

About the Author

Kristal Kuykendall is editor, 1105 Media Education Group.
