In December 2017, the Rockingham County School District suffered a malware attack that prevented machines from connecting to the school's network. The attackers had infected the machines with the Emotet trojan. Emotet injects itself into running software modules and the network stack of an infected machine; from there it can download additional banking trojans, steal personal and financial information, and use the machine as a base for distributed denial-of-service (DDoS) attacks against other systems on the network.
The district administration has, however, stated that no data was breached and no personal information was stolen in the attack. That is good news: misuse of stolen personal and financial information can have severe repercussions. Infected machines can also be used by the attackers to carry out DDoS attacks without the user or owner of the system being aware of the malicious activity.
How the Infection Took Place
Threat actors sent fraudulent emails to employees at the district's Central Office, Bethany Elementary, and Western Rockingham Middle School. The emails appeared to come from the district's antivirus provider, which made them look trustworthy. They tricked users into opening a Microsoft Word document that carried the Emotet trojan; opening the document infected the machine.
The district administration states that payroll and social security information was stored on a server that was not infected, so that data was safe. They also report that the antivirus solution prevented the malware from spreading to other systems, which limited the damage.
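Two of the signals a mail gateway or analyst could have used to catch this lure are visible in the description above: a sender display name that claims to be the antivirus vendor while the address belongs to some other domain, and a Word attachment that carries a VBA project. The script below is an added example, not code from the original article or from the district or any vendor mentioned on this page. It assumes the Word lure was macro-enabled (the article does not say so, but that was Emotet's usual delivery mechanism at the time); the vendor name, e-mail addresses, domains and file names are constructed for the example, and the e-mail itself is built in memory so the script runs offline.

```python
"""Triage of a vendor-impersonation phishing e-mail carrying a macro-enabled
Word document. Added example with constructed input; nothing here is an
artefact from the Rockingham County incident."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption (not stated on the page): the lure used VBA macros. In an OOXML
# (.docm/.docx) container the VBA project is stored as this zip member.
VBA_PART = "word/vbaProject.bin"


def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin is an OLE2 stream; the check only needs its presence.
            zf.writestr(VBA_PART, b"\x01\x00stub-vba-project")
    return buf.getvalue()


def has_vba_macros(data: bytes) -> bool:
    """True if the OOXML document carries a VBA project part.

    Inspects the zip member list rather than the file extension: a .docm
    renamed to .docx still opens in Word with its macros intact.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower() == VBA_PART.lower() for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not an OOXML container (e.g. legacy OLE2 .doc); needs a different parser.
        return False


def display_name_mismatch(from_header: str, vendor_keyword: str,
                          vendor_domains: set[str]) -> bool:
    """True if the display name claims the vendor but the address domain is not
    one of the vendor's own domains (the lookalike-sender pattern)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_vendor = vendor_keyword.lower() in name.lower()
    return claims_vendor and domain not in {d.lower() for d in vendor_domains}


def triage(raw: bytes, vendor_keyword: str, vendor_domains: set[str]) -> list[str]:
    """Return the list of findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if display_name_mismatch(str(msg["From"] or ""), vendor_keyword, vendor_domains):
        findings.append("sender display name impersonates vendor")
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if has_vba_macros(payload):
            findings.append(f"macro-enabled Word attachment: {part.get_filename()}")
    return findings


def constructed_lure(with_macro: bool = True) -> bytes:
    """A made-up message in the shape the article describes (constructed, not real)."""
    msg = EmailMessage()
    msg["From"] = '"Example-AV Support" <support@example-av-updates.test>'
    msg["To"] = "staff@school.test"
    msg["Subject"] = "Updated antivirus licence - action required"
    msg.set_content("Please open the attached document to renew your licence.")
    msg.add_attachment(build_docx(with_macro), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Licence_Renewal.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    # The district's real vendor domain is not on the page; "example-av.test" is a stand-in.
    for finding in triage(constructed_lure(), "example-av", {"example-av.test"}):
        print("FLAG:", finding)
```

Both checks are deliberately independent of the attachment's file name and of any signature for the trojan itself: a mail that trips either one is worth holding for review even when the antivirus engine has no detection yet for the particular Emotet build inside.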
The Emotet Trojan Malware
Emotet is a sophisticated piece of malware. Cyber security experts state that removing it from infected servers and workstations is difficult: it can keep a low profile for a period before activating, and it embeds itself deep in the system.
The district administration asked teachers and staff to leave their systems behind over the winter break so that they could be cleaned of the malware.
Implications of the Emotet Infection
A more effective antivirus or endpoint security solution could have stopped the Emotet attack before it infected the machines. As it was, many servers and machines were infected and had to be cleaned. The administration has started a large cleanup to repair and rebuild 20 servers, at a total cost of $314,000. Some machines appear to be irrecoverable, and replacing them would need an additional investment of $834,000.
Mitigation Measures
The district also advises employees and students to check any personal devices they may have connected to a school device, and to change their passwords in case login credentials or email accounts were compromised.
Intending to move to a more effective antivirus, endpoint security or cyber security solution, the district has entered into a $314,000 service contract with a Georgia-based technology solutions provider. The contract also covers the provider's virus mitigation services. The package includes on-site imaging of 12 servers and 3,000 client systems and 1,200 hours of on-site repair work. The cleanup is expected to be completed within a month.
Prudent Security Measures
The cost of the cleanup and of the replacement machines could have been avoided with a robust solution such as Comodo Advanced Endpoint Security and Comodo cWatch Website Security, which secure endpoints, websites, servers and applications against malware, zero-day vulnerabilities, DDoS attacks and brute-force attacks. The district administration must also ensure effective website protection, since servers and computer systems can succumb to persistent malware attacks.