Cyber Attacks and Ransom Demand

Prevention advice.

The Police have advised us that there has been a recent increase in ransomware attacks, particularly against schools and educational establishments, that target weaknesses in Remote Desktop Protocol (RDP) access. The latest strain attacks the back-up server as well as the active servers, leaving no back-up facility or opportunity for restoration. This causes a major loss of data and course work that cannot be recovered.

In order to reduce the number and impact of these attacks, the Police have provided some measures that can be taken to ‘system harden’ your ICT infrastructure.

  1. Stop using highly privileged accounts for normal day-to-day use. Every user, including IT staff, should use a standard account that is not allowed to make changes to clients or servers, and is only allowed to access the file shares they need to do their job on a daily basis. If you do get compromised, this will limit the scope of the damage caused.
  2. Do not allow any highly privileged accounts to log in via remote access, including RDS or Outlook Web Access. Privileged accounts should not have an email address associated with them, and their username or password should never be entered on the Internet. IT staff can log in with their standard account and use their privileged account only when they need to make a change. This will prevent privileged account credentials from being compromised online, and should an attacker obtain the credentials, they would be unable to log in remotely.
  3. Review your account password policy and account lockout policy. Enforce complex passwords, and enforce that they are changed every 30 days. Lock out accounts after 3 incorrect password entries. This will prevent brute-force attacks on your user accounts. If an account is being locked out unexpectedly, investigate the cause.
  4. Use a separate account for administering client devices that does not have permissions to modify anything in your Active Directory domain, is not permitted to access your servers, and cannot log in via remote access. If a client device has been compromised and is sending credentials back to an attacker, this will minimise the risk that highly privileged accounts are compromised.
  5. Ensure you have a set of air-gapped backups: backups that cannot be altered by logging on to your systems. Consider using tape or Veeam Cloud Connect. If your systems are compromised, this prevents attackers from damaging all of your backups.
  6. Use Group Policy to prevent executables being run from users' own folders or temporary locations.
  7. Ensure any public-facing remote access system includes two-factor authentication.
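As an added example (not part of the Police advice or any Kent script), the following PowerShell checks a domain against points 2 and 3 above: the default domain password and lockout policy, and whether any member of the built-in privileged groups has an email address set. It assumes the RSAT ActiveDirectory module is installed and that it is run by an account with read access to the domain; the group names and thresholds are taken from the list above.

```powershell
# Added example: audit a domain against the password/lockout and
# privileged-account measures listed above. Assumes the RSAT
# ActiveDirectory module and read access to Active Directory.
Import-Module ActiveDirectory

function Test-HardeningMeasures {
    $findings = @()

    # Item 3: complexity on, passwords rotated every 30 days, lock out after 3 failures.
    $policy = Get-ADDefaultDomainPasswordPolicy
    if (-not $policy.ComplexityEnabled) {
        $findings += 'Password complexity is not enforced in the default domain policy'
    }
    if ($policy.MaxPasswordAge.TotalDays -gt 30) {
        # A very large value here means passwords never expire.
        $findings += "Maximum password age is $([int]$policy.MaxPasswordAge.TotalDays) days (advice: 30)"
    }
    if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt 3) {
        $findings += "Lockout threshold is $($policy.LockoutThreshold) (advice: 3; 0 means accounts never lock out)"
    }

    # Item 2: privileged accounts should have no email address associated with them.
    $privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
    foreach ($group in $privilegedGroups) {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($member in $members) {
            $user = Get-ADUser -Identity $member.distinguishedName -Properties mail
            if ($user.mail) {
                $findings += "$($user.SamAccountName) in '$group' has email address $($user.mail)"
            }
        }
    }
    return $findings
}

$results = @(Test-HardeningMeasures)
if ($results.Count -eq 0) {
    'No findings against the listed measures.'
} else {
    $results | ForEach-Object { "FINDING: $_" }
}
```

Items 1, 4 and 6 depend on how accounts and Group Policy are laid out in your own domain, so they are best reviewed by hand rather than scripted generically.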

If you would like to discuss any of this further, please contact your Area Education Officer:

East Kent
Marisa White
Area Education Officer
Telephone: 03000 41 87 94
Email: Marisa.White@kent.gov.uk

South Kent
David Adams
Area Education Officer
Telephone: 03000 41 49 89
Email: David.Adams@kent.gov.uk

North Kent
Ian Watts
Area Education Officer
Telephone: 03000 41 43 02
Email: Ian.Watts@kent.gov.uk

West Kent
Nick Abrahams
Area Education Officer
Telephone: 03000 41 00 58
Email: Nicholas.Abrahams@kent.gov.uk