The best way to ensure that an educational institution can respond quickly and effectively to a ransomware attack and minimize any chaos and confusion that accompanies such incidents is to have an incident response plan in place to outline the procedures to be followed after ransomware has been detected. In this posting, we discuss two threshold questions that educational institutions should address in their ransomware incident response plans:
(1) Who is responsible for making key decisions?
(2) What action items need to be addressed in the first 24 hours after discovery of the ransomware incident?
Who Is in Charge?
Decentralized leadership is a hallmark of educational institutions. While a superintendent is generally the public face of a school district, he or she is often unable to take certain actions without the approval of the school board. Similarly, university presidents often delegate decision-making authority to the chief information security officer (CISO) and other individuals.
In the event of a ransomware incident, there are several decisions that need to be made quickly: decisions about, for example, which outside vendors to engage, whether to pay a ransom, and how to communicate about the incident to the campus community. Because of this, it is imperative that educational institutions have an incident response plan that identifies the “incident response team.” In addition to clearly defining the responsibilities of each member of the incident response team, an educational institution’s incident response plan should clearly identify who has the authority to make key decisions. In the case of a university, for example, the incident response plan needs to identify how a decision about whether to pay a ransom is made. Does the general counsel or CISO have authority to approve a ransom payment? Or does he or she need to obtain approval from the university president or board of trustees before authorizing such a payment? Educational institutions are well served to answer questions like these before a ransomware incident occurs so they can avoid confusion and act quickly and decisively in the heat of the moment.
What Are the Day One Action Items?
There are several action items that educational institutions should address in the 24 hours immediately following the discovery of a ransomware incident. These day one action items include:
Conducting an Initial Impact Assessment. The educational institution should conduct a preliminary impact assessment to determine which systems are encrypted and what impact that will have on the institution. Is the institution able to continue educating its students? Will it be able to make payroll? Is there a concern that the threat actor may have accessed or stolen sensitive or personal information?
Containment. The institution should attempt to identify the encrypted systems and determine whether it should take other systems offline to prevent the ransomware from spreading throughout its environment.
Engaging Outside Vendors to Assist with the Incident Response Process. After performing initial triage measures and an impact assessment, the educational institution should report the incident to its cyber insurance carrier, if applicable, and engage outside vendors to assist with the incident response process. These vendors include external legal counsel, a forensics firm and potentially a firm to facilitate ransom negotiation and payment. It may also consider hiring an outside firm to assist with system restoration and/or a crisis communication firm.
Restoration Planning. The educational institution should assess the viability of its backups and begin analyzing whether it will be able to restore its systems without purchasing a decrypter from the threat actor.
Preservation of Evidence. Even if backups are viable, it is imperative that an entity impacted by ransomware is preserving all relevant forensic evidence prior to beginning restoration efforts. If such evidence is destroyed, it will be exceedingly difficult to determine how the threat actor gained access to the environment, and may significantly impair counsel’s ability to complete an analysis of an institution’s legal obligations. If the entity cannot identify and eliminate that access point, it will remain vulnerable to ransomware attacks.
Communications. In the event of a ransomware attack, educational institutions should identify the constituencies that will be immediately affected by the incident (i.e., students and faculty) and prepare drafts of proactive communications to those groups, as well as a reactive holding statement for the media. Ideally, educational institutions should consult with legal counsel before making any internal or public statements about the incident.
What Are the ‘Crown Jewels,’ and Where Are They Kept?
One of the primary questions that educational institutions need to answer following the discovery of a ransomware incident is whether the threat actor stole personal information or student data. Among other things, the answer to this question often dictates the nature and extent of the educational institution’s resultant legal obligations. If the answer is yes, such institutions need to identify what data the threat actor stole. Depending on the sensitivity of the data (e.g., personal information about students or CUI), the educational institution may consider paying a ransom to prevent the threat actor from publishing such information on the dark web. Likewise, depending on the nature of the data that the threat actor accessed or took, the educational institution may be required to provide initial notice of the incident to the DoD, the Department of Education or a European data protection authority as soon as 72 hours after discovering the incident. It must be noted, however, that the payment (or non-payment) of a ransom has no bearing on the educational institution’s legal notice/reporting obligations.
It often takes several days, if not weeks, before the forensic investigation is complete and the impacted educational institution is able to identify the files that the threat actor potentially accessed or stole from its systems. However, if the educational institution can identify the systems in which its most sensitive information is stored, those systems can be prioritized to be analyzed early in the forensic investigation in an effort to determine whether they were impacted by the ransomware attack. Given the difficulty of taking inventory of the nature and location of sensitive information after a ransomware attack occurs, educational institutions are well advised to regularly perform this analysis in preparation for such an incident.
*** In the third installment of this series, we will discuss the legal obligations that educational institutions often face in the aftermath of a ransomware attack, and how educational institutions can put themselves in the best position to comply with those laws.