On April 5th, North Carolina became the first state to prohibit state agencies and local governments from paying ransoms after becoming victims of a ransomware attack. Indeed, in addition to prohibiting said entities from paying ransoms, North Carolina’s new law actually goes so far as to prohibit a public entity from even communicating with threat actors in response to a ransomware incident. The law also requires any North Carolina public entity that experiences a ransomware incident to “consult with” the North Carolina Department of Information Technology, in accordance with G.S. 143B‑1379.
In 2021, BakerHostetler handled more than 1,270 matters that involved data security incidents such as ransomware attacks. (See 2022 BakerHostetler Data Security Incident Response Report.) Twelve percent of those matters were for clients in the education sector. The average ransom demand was over $1.5 million, and the average amount paid reached nearly $200,000.
North Carolina’s new law specifically includes local school administrative units, community colleges and The University of North Carolina in the list of public entities prohibited from paying a ransom. Accordingly, North Carolina public schools impacted by ransomware are no longer permitted to purchase decryption keys, pay threat actors not to publish on the dark web information stolen from school servers, or even engage in communications with threat actors to gain intelligence about the nature and scope of the incident.
Ideally, given that public schools (and other entities) in North Carolina are no longer permitted to purchase decryptors from threat actors that encrypt their systems with ransomware, said threat actors will not waste their time and energy directing cyberattacks at North Carolina schools. Unfortunately, we all know that will not be the case. Therefore, it is imperative that North Carolina public schools take proactive steps to make sure they are in the best position possible to prevent a ransomware attack from happening or, if it does happen, to be able to recover without having to rebuild their entire server environment.
To that end, below are some key tips that schools should consider:
- Because schools often have limited resources to expend on cybersecurity, they should know where the crown jewels are and prioritize protecting and backing up the most critical systems and data.
- Speaking of backups, schools should make sure that backups are performed regularly and are stored in such a way that they would still be accessible in the event of a ransomware attack.
- Implement multifactor authentication wherever possible and especially on remote connections, including email.
- Deploy endpoint detection and response tools on school-managed devices and endpoints, and make sure that the endpoint telemetry is monitored on a 24/7/365 basis.
- Develop an incident response plan that sets forth manual workarounds to avoid disruption in operations in the event a ransomware incident occurs and systems and data are unavailable.
Proactively addressing cybersecurity risks is the only option for North Carolina schools. If a school or other public entity in North Carolina becomes a victim of ransomware, it won’t be able to pay for a decryption key. To avoid the loss of important data and the interruption of classes and other programs, schools should prioritize cybersecurity now.