Cyber Mayday and the Day After - Daniel Lohrmann - Page 18
EDUCATION SECTOR TARGETED BY CYBERCRIMINALS
It was Thursday, July 25, 2019, the day after Louisiana's governor declared a state of emergency following ransomware attacks on multiple public school districts in their state.[4] It was near the end of a particularly busy week, when the CYCOM hotline rang – never a good thing, as it generally meant that summer weekend plans would be replaced with handling an active incident.
New York's CIRT team responded to a call from the IT director of Lansing High School in Ithaca, reporting the presence of Ryuk ransomware on the school's IT infrastructure. The next call came from the school district in Watertown. They too had suffered a ransomware attack. A similar attack crippled the Syracuse city school district's computer system. Over the next days and weeks, calls were fielded from multiple school districts across New York State.
The Rockville Centre school district on Long Island was hit with Ryuk ransomware. They later paid almost $100,000 in ransom to restore their data; the school's insurance policy covered the payment. The same ransomware hit a neighboring school district in Mineola. They were able to restore data from backups taken offline over the summer and to rebuild the network.
The New York State Education Department notified all districts about the cyberattacks and coordinated the response to the incidents in affected educational agencies with the assistance of the State Office of Information Technology Services, CYCOM, and other state cybersecurity teams, including the State Intelligence Center, Division of Homeland and Emergency Security Services, and the Multi-State Information and Analysis Center (MS-ISAC). Briefings with the New York State Department of Education and 11 Regional Information Centers (RICs) ensured that everyone had current information and focused support. The attacks were investigated, and the affected agencies recovered and implemented processes to mitigate recurrence.
All told, the New York State Department of Education reported that 16 school districts and one Board of Cooperative Educational Services (BOCES) had been compromised with ransomware.[5] As a precaution, the Education Department directed its regional information centers and big five school systems – Buffalo, Rochester, Syracuse, Yonkers, and New York City – to take the state's data warehouse offline to scan for malware and vulnerabilities.
The state's cohesive cyber disruption and incident response protocols worked well, enabling coordinated analysis, reporting, and communications – essential in dealing with multiple fast-moving attacks. A big win in this particular situation was a tool the CYCOM team developed to identify compromised domain controllers. Based on intelligence and high-confidence observations drawn from onsite and forensic analysis across multiple incidents, the team identified a consistent step in the multiphase attack taxonomy – the sequence in which these attacks unfold. Detection and intervention at this critical point in the sequence effectively disrupted the launch of damaging ransomware. The tool was shared with the Education Department, RICs, state universities, and other government entities to help proactively detect and defend against further attacks.