Local school server hit with ransomware

Forums › IT Pro and developers › Local school server hit with ransomware

maoriboy

1034 posts

Uber Geek
+1 received by user: 562

Trusted

#258691 16-Oct-2019 08:24

Not sure if this is the right forum for this so please move if not correct..

Freyberg School in Palmerston North

School servers hit with ransomware

"The expert's best guess for how the hackers broke into Freyberg's servers was that they exploited a temporary password used by contractors hired by the Ministry of Education to carry out a recent systems upgrade."

Bit of a whoopsie there. Goes to show, your security is only as strong as the weakest link.

xpd

Geek of Coastguard
14115 posts

Uber Geek
+1 received by user: 4574

Retired Mod

ID Verified

Trusted

Lifetime subscriber

#2337921 16-Oct-2019 08:29

IME (and I've seen a lot of ransomware'd systems lately), they try blaming it on someone leaving an account enabled etc, but when its actually looked into, it turns out someone got an email with a dodgy attachment and well... you know the rest.

Its not "hackers" - its generally script kiddies.

How did they trace it back to china ? Just because the email address in the ransom is located there ?

Even with "experts" checking it and saying it was an RDP attack, the IT co. was prob asked not to say it was an email attachment because it'll make the school staff look stupid.

XPD / Gavin

LinkTree

billgates

4705 posts

Uber Geek
+1 received by user: 671

Trusted

#2337922 16-Oct-2019 08:38

RDP attacks are possible and I have seen it first hand with a company that got hit by ransomware. RDP open to outside world on default port, AD password is 'password or 123', RDP into server and do what you feel like.If it was an RDP attack then it should make them feel more stupid because

1. Why leave RDP open on default port to open work without using RDS gateway or at the very least change default RDP port or force everyone to VPN first into school network from offsite and then RDP with the default port on local IP

2. Why implement a simple/weak password policy.

This is what happens when you get the school vice principal or a teacher who is good at connecting iPad's to WiFi also do CTO duties and make decisions.

Do whatever you want to do man.

chevrolux

4962 posts

Uber Geek
+1 received by user: 2638
Inactive user

#2337923 16-Oct-2019 08:39

This is why school's shouldn't have an "IT guy" to run the system.

And although it's a pain in the ass, just role back to your last backup and only lose the days work... riiiight?

K8Toledo

1018 posts

Uber Geek
+1 received by user: 311

#2337939 16-Oct-2019 09:04

Stuff news - prob best taken with a truckload of salt. :P

chevrolux:

This is why school's shouldn't have an "IT guy" to run the system.

And although it's a pain in the ass, just role back to your last backup and only lose the days work... riiiight?

I personally think it's OK if the IT guy can escalate issues.

Couple high schools up where I am employ a semi-regular IT guy for the mundane tasks, he has support from an outside contractor.

Edit:

I just remembered one of the IT guys is a student.... lol. Much of his time is spent fixing Chromebooks

nitro

757 posts

Ultimate Geek
+1 received by user: 335

#2337966 16-Oct-2019 09:59

xpd:

IME (and I've seen a lot of ransomware'd systems lately), they try blaming it on someone leaving an account enabled etc, but when its actually looked into, it turns out someone got an email with a dodgy attachment and well... you know the rest.

Its not "hackers" - its generally script kiddies.

How did they trace it back to china ? Just because the email address in the ransom is located there ?

Even with "experts" checking it and saying it was an RDP attack, the IT co. was prob asked not to say it was an email attachment because it'll make the school staff look stupid.

my bet would be on this.

if the contractors 'who carried out a recent systems upgrade' actually left that 'temporary password', they shouldn't be in business.

pros worth their name should and would (normally) be well aware of these things. however, as secure as you can get your environment to be, you can't really completely guard against that click on a link from an email.

networkn

Networkn
32862 posts

Uber Geek
+1 received by user: 15453

ID Verified

Trusted

Lifetime subscriber

#2337997 16-Oct-2019 10:18

There is a difference between file shares on a server being encrypted, and the server itself is compromised and with due respect, who cares, it's an easy restore if it's just some file shares. What is much more of an issue, is the server OS itself being compromised which shouldn't be possible from any workstation.

Clicking a link on an email likely results in file shares being encrypted, this isn't as big of a deal.

AliExpress

Shop now on AliExpress (affiliate link).

1101

3141 posts

Uber Geek
+1 received by user: 1143

#2338018 16-Oct-2019 11:23

"The expert's best guess for how the hackers broke into Freyberg's servers...... "

in other words no one knows .
Just tell them something (anything) , then move on & fix it ?

K8Toledo

1018 posts

Uber Geek
+1 received by user: 311

#2338031 16-Oct-2019 11:38

The school hired information technology security experts to assist the school's technician investigate the hack and shore up the schools cybersecurity.

You'd think the school would do this before refusing to pay, not after.