Cybersecurity Part 4: Surviving Ransomware


By Tony DePrato | Follow Me on LinkedIn

The scope of all the following arguments is for equipment owned by the school, or equipment approved to use at school. This post is not promoting policies for personal devices used solely at home, nor is this post addressing devices that may be used for entertainment or non-academic purposes.

Ransomware, in its most basic form, is self-explanatory. Data is captured, encrypted, and held for ransom until a fee is paid. The two most common forms of ransomware delivery are through email and websites. (Source: https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html)

Ransomware is scary. Ransomware, once it begins to propagate, becomes more about survival and mitigation and less about prevention.

I have thought about how to advise K12 schools around the world on preparing for ransomware. I have concluded that there are only two approaches everyone can follow: reduce or completely remove Windows, and create very inconvenient backups of data.

Reduce or Completely Remove Windows

I decided to compile known types of ransomware. I stopped at 106 identified types. Here is a graph, and a link to the sources, demonstrating which operating systems are vulnerable:


Data Link

If you want to do the math:

  • 106 Ransomware programs
  • 100 Target Windows Operating Systems
  • 93%-94% of Targets are Windows Operating Systems
  • Using Windows is Riskier than Using other Systems

“Riskier” is a little weak in this case. It is very likely that Windows users will be a target; it is very unlikely that Apple and Chromebook users will be a target.

If the goal is to live in a relatively peaceful, ransomware-free environment, then the majority of end-users need to be using Apple or Chrome-based devices (Linux varieties are also an option for a subset of users).

There are tools for Windows that help defend and protect against ransomware. However, nothing is better than not being attacked at all.

Create Very Inconvenient Backups of Data

Every time I ask an IT director or IT manager about backups, they claim they are 100% compliant and 100% able to deal with any problems. I have never believed my planning was close to 100%, nor have I ever believed I could restore 100% of all data. I would say, at my best, I am 60%-70% certain that I can restore 80%-90% of data.

Data. Not operating systems and settings. Data. Not the software that was installed. Just all the data consisting of but not limited to documents, databases, movies, music, pictures, special configuration files, scripts and code, and the inclusive content of all websites.

There is only one question a person needs to ask to confirm whether backups are safe from ransomware: “Can the backup be accessed right now if we need it?”

If the answer is ‘Yes’, then backups are going to be vulnerable.

There should be at least two layers of backups. Layer one can be data that is backed up and accessible on the network, in the cloud, and/or from normal workstations, meaning someone can sit down and create or restore a laptop, database, etc. by following a workflow at their desk.

Layer two backups are inconvenient. These backups are stored outside of the normal network. These backups are scheduled and not even accessible by network administrators without taking extra steps. These backups require some level of multifactor authentication or even a physical lock and key.


Layer two backups also need to be tested at least monthly (monthly is only recommended for K12 schools; most businesses need to test more frequently, and school districts would need to test very often and on a predetermined schedule).

Tests need to include:

  1. Data restoration
  2. Data access and use
  3. A scan for malware, ransomware, etc.
  4. An iterative process to consistently reduce the size of backups
  5. An archival process to store data that will most likely never be needed, but is legally required to store
  6. Imagination. Because you never know where you will be and what the situation will be when you need to access these backups

A very low-tech approach to a layer two backup could include someone taking an external drive to the data source, moving the data manually, and then locking the drive in a safe. Do not overthink this; just start doing it and keep improving the process. If you can access these backups from your workstation, then those backups are vulnerable by definition.

If ransomware happens and the data cannot be decrypted, this layer two data would be safe because it is offline. Layer one backups may stay secure, but layer two backups will be secure unless you are a victim of very bad timing.

The cybersecurity industry is rapidly developing better protocols for handling ransomware. Staying educated and studying cases is not only essential, but it should also be scheduled into the cycle of work at least once every 6-8 weeks.

The data above could change. An uptick in ransomware for Chrome or Apple of even 1% is enough to review internal processes and procedures. Until then though, get the number of Windows OS users down and make better backups.


Start Your Research Here

Ransomware: Best Practices for Prevention and Response

https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html

If You Don’t Have Electricity, You’re Gonna Have a Bad Time

By: Tony DePrato | Follow me on Twitter @tdeprato


Many schools are still self-hosting the majority of their information systems instead of using cloud-based solutions, co-location solutions, or data centers offering more traditional hosting.

The question has to be asked, are these schools taking the proper steps to protect their data, their systems, and the integrity of their entire architecture?

Recently, my ITBabble co-host Patrick went to a fairly popular tech conference and stumbled upon two schools that are regularly affected by power outages in their self-hosted data centers. These schools reported to Patrick that they not only had power failures, but also lacked business continuity plans.

Without a business continuity plan (BCP), business operations come to a halt when power outages happen. For example, if accounting and payroll systems are offline, employees would not be paid on time. In some states, this BCP failure would result in the school receiving a fine for missing payroll.

After hearing this story, I decided to write a couple of blog posts focused on risk management.

Systems Need Electricity

If your school is going to host any core system internally, then the school needs to plan for power outages. There are very few places in the United States immune to power outages. I compiled and condensed a spreadsheet to demonstrate how common outages are, based on 2017 data. The spreadsheet below represents this data.


Link to Spreadsheet: https://docs.google.com/spreadsheets/d/e/2PACX-1vSd-zIhs8sNH7doMsrnwkEGMtRwGkbDWnc0Q8GSpNUEECmSyKd6bu-ldjbI1P6oAzU6Rc40Ye5NXQEu/pubhtml

Link to Original Data Source: https://www.eia.gov/electricity/data/eia861/


Since the data is available for previous years, those who are self-hosting should download the historical data and confirm the median number of minutes per year their region is impacted by power outages. They should also find the median amount of time per outage they are impacted.

From that analysis, a school can determine what their requirements are to be reasonably prepared for a power outage.

Being Reasonable

Risk management does not require a school to prepare for a threat that is historically unlikely to occur. For example, a school in Utah would not draft a plan for a hurricane.

In the official data, power outages are reported by state and by provider. If a school determines their median value and frequency is 60 minutes 3 times a year, then they need to ensure all their critical systems can run for 60-120 minutes when the power is out. This is enough time to shut everything down and protect system integrity. However, it is not enough time to execute a complex process like payroll.

If a school is internally running services like payroll, I would suggest the power backup standard be set to the task execution time of the most critical task. For example, if payroll takes 4-5 hours to complete every Friday, then the systems needed for payroll need to be powered for 4-5 hours in the event of an outage. This often means the majority of the core infrastructure also needs to be up and running for 4-5 hours.
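The analysis described above, worked through in code as an added example that is not part of the original post: it takes per-provider reliability rows (minutes of outage per customer per year and interruptions per customer per year, the two figures the EIA reliability data reports), derives the median outage length for a state, and applies the post's rule of a one-to-two-outage shutdown window that is raised to the longest critical task. The sample rows are constructed, not real EIA values.

```python
"""Derive a backup-power runtime requirement from outage statistics."""
from statistics import median

# Constructed sample rows (not real EIA data):
# (state, provider, minutes of outage per customer per year, interruptions per customer per year)
SAMPLE_ROWS = [
    ("UT", "Provider A", 180.0, 3.0),
    ("UT", "Provider B", 150.0, 2.5),
    ("UT", "Provider C", 240.0, 4.0),
    ("NC", "Provider D", 600.0, 5.0),
    ("NC", "Provider E", 420.0, 3.5),
]


def state_outage_profile(rows, state):
    """Median minutes/year, median outages/year and median minutes per outage for one state."""
    subset = [r for r in rows if r[0] == state]
    if not subset:
        raise ValueError(f"no rows for state {state}")
    minutes_per_year = median(r[2] for r in subset)
    events_per_year = median(r[3] for r in subset)
    # Each provider's typical outage length is minutes/year divided by outages/year;
    # take the median of those per-provider values rather than dividing the two medians.
    minutes_per_outage = median(r[2] / r[3] for r in subset)
    return {
        "minutes_per_year": minutes_per_year,
        "events_per_year": events_per_year,
        "minutes_per_outage": minutes_per_outage,
    }


def required_runtime_minutes(profile, critical_task_minutes=0):
    """Backup-power runtime following the post's rule.

    Baseline: enough runtime for one to two typical outages, which covers a clean
    shutdown. If an internally hosted task (payroll, for example) takes longer than
    that window, the runtime must cover the task's execution time instead.
    """
    shutdown_window = 2 * profile["minutes_per_outage"]
    return max(shutdown_window, critical_task_minutes)


if __name__ == "__main__":
    utah = state_outage_profile(SAMPLE_ROWS, "UT")
    print(utah)  # 60-minute outages, about 3 per year in this constructed sample
    print("shutdown-only runtime:", required_runtime_minutes(utah), "minutes")
    print("runtime with a 5-hour payroll run:", required_runtime_minutes(utah, 300), "minutes")
```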

Supporting the Business Continuity Plan

Aside from setting up backup power systems and standards, here are some tasks that the IT department should be completing (or overseeing) to support the overall BCP in the event of a long-term power outage:

  1. Creating hard copies of core demographic data for all students, parents, and employees
  2. Creating hard copies of all schedules, including after school programs and transportation
  3. Creating hard copies of phone lists (phone trees)
  4. Organizing all hard copy backups into folders that are available in multiple locations; shredding outdated documents
  5. Creating portable backups of data needed for core school operations; this includes a full backup of all databases in at least two formats
  6. Testing all electronic backup systems responsible for power and data backups
  7. Connecting with a similar school, and forming a good relationship, for additional tech support when emergencies happen; this should be symbiotic
  8. Contracting and maintaining a portable 4G-5G router for ad-hoc network deployment
  9. Building an offsite data backup system that is immune to any local threats; this data can be compressed
  10. Annually reviewing all risk management policies and procedures with a team from every major department

If a school is self-hosting, they should be mostly immune to power outage threats with proper planning.

If the equipment needed to provide backup power is not available, or simply too expensive, then reconsidering cloud services would be the next step in mitigating future problems.


BackUp to Fail or BackUp to Win

On a very regular basis, I deal with dead or dying hard drives, USB devices, and other forms of storage media. Many times I am helping rescue or repair a drive that has been used for backing up another drive.

In most cases, the majority of unique or essential items are only a small percentage of the total number of items on the drive. I always find copies and copies of photos, music, movies, documents, etc. The organization of the backups seems to be very random, undated, and definitely not pruned.

I could rant about using software like Time Machine or Carbon Copy Cloner to create smart backups. I could explain that legally purchased media is usually retrievable from the source of purchase if you lose it. I could review the steps to create offline backups (DVDs, CDs, etc.) that contain critical data needed for accessing things like online banking and legal documents. However, no one will listen. People do not listen because it is too convenient just to connect a drive and drag-and-drop everything onto it.

If photos, documents, media, and whatever else you might own are critical, then steps need to be taken to show some care and consideration for maintaining these items. In my opinion, the best way to do this is to stop managing a pit and start investing in a storage container.

Normal hard drives fail. SSD drives can be corrupted. Small USB drives can have a simple electrical problem that renders them useless. Therefore the best investment is to invest in the cloud instead of a device, or set of devices, that is going to fail.

If you choose a service like Google Drive, you will pay $50.00 USD a year for 200 gigs of storage. Now this storage is only used when you upload things. It is not impacted when you create something within Google Drive. 200 gigs is 1000s of photos, documents, music, and those annoying cell-phone camera movies no one wants to watch more than once. Google Drive works on every operating system, iOS, and Android.

Services like Google Drive are live and on-demand. This means the files are not compressed and you can access them immediately. If you want to be more frugal you can go with a backup service that compresses your data. Services like Carbonite are usually $50-$75 USD a year and have unlimited storage. The downside is the data will be slower to access and restore, but the price is great.

Remember you always pay more for speed and/or convenience.

Both types of cloud-based backups do their jobs in the background. They sync new files, and update only things that have been changed. This means if you have to restore your files, you will only have the most current versions.

In fact, when you begin to use cloud-based storage, the first thing you have to do is critically look at your data and decide what is important. Most people realize that they have more junk than gold. They look in the mirror and say, “I am a virtual hoarder, and I need to stop!” Overall, using the cloud for storage is more efficient and safer than trying to carry around some external backup that is…


…BORN TO FAIL.

Tony DePrato

http://www.tonydeprato.com