Advent, Advent, the school is “burning”! [Part 1]

Dear readers, just like every year during Advent, we – by which I mean InfoGuard as a reliable cyber security partner, myself as a family man and my team (CSIRT) as our “fire brigade” – look back on what we have been motivated by this past year. What have we achieved? What could we have done better? What have we been affected by on a personal level? That is why this year, I want to tell you a cyber Advent story that happened very recently, and to fittingly quote a directing duo (I’m a big fan of the Cohen brothers): “This is a true story. The events depicted took place [in Baar in 2022]. At the request of the survivors, the names have been changed. Out of respect for the victims, the rest has been told exactly as it occurred”. Have fun reading it!

It was the luck of the draw. It was the autumn half-term holidays when Winterstadt School contacted us in mid-October. All of their systems had been encrypted, nothing was working. The students were somewhere on a beach in Italy, and the teachers were using the time to prepare for classes that would soon be back in school. Not exactly the busiest time at a state school, but all the same, it was a serious situation.

LockBit 3.0 the world’s fastest and most stable ransomware from 2019~~~
>>>>> Your data is stolen and encrypted.
If you don’t pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don’t hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.

We did exactly what we always do in this kind of situation – establish visibility. At InfoGuard, we do this by rolling out a forensic agent, which enables us on one hand to monitor the systems, and on the other hand to hunt for the attackers’ tracks. The aim in doing so is to establish the point and date of entry into the system, along with ensuring that the attackers are no longer within the network. Alongside the rollout of the agent, we discuss the different strategies for restoring operations with the customer, and examined all the options: does it need to be paid or should it be paid? What data can be restored from a backup? There are additional questions such as: Has data been exfiltrated? Has sensitive data been affected (student assessment reports, teachers’ performance reports, address lists, etc.)? And many more points…

A (non-) lucrative business: cyber-attacks on schools

For the reasons we have given, after having consulted with the client, we always start negotiating with the attackers at a very early stage. This way, we keep open the option of paying – although we generally advise against it, unfortunately it is sometimes unavoidable – and it enables us to ascertain what the attackers are asking for and whether they actually are in possession of the stolen data.

In this case, we contacted what is known as the “affiliate” (the customer of the Ransomware-as-a-Service provider, in this case “Lockbit 3.0”) via chat, using the TOR browser (Darknet). Personally, I was particularly interested in why an affiliate would encrypt a state school in the first place? After all, a school neither has a turnover nor makes any profit – basically, there’s nothing to be gained from it.

What do you think? Have you got any ideas? Find out the answer in the second part of our three-part cyber Advent story.