Risks continue to grow for small organizations’ IT infrastructure

As small businesses, nonprofits and governmental entities become ever more dependent on their IT infrastructure, they all become targets for viruses of all types

The recent cyber attack on the town of Greenland’s IT infrastructure involving the so-called CryptoLocker ransom malware has highlighted the vulnerability of small organizations – municipal and otherwise – to such breaches.

Greenland Town Administrator Karen Anderson told the Portsmouth Herald the computers became infected Dec. 26, after an employee inadvertently opened the malware, which was contained in an email attachment. The email purported to be from AT&T and said that the employee had received a voicemail.

CryptoLocker targets small organizations by encrypting a user’s hard drive, effectively putting all photos, documents and other data under lock and key, unless a ransom is paid within a certain amount of time.

For a brief time last April, the Salem School District lost its IT infrastructure due to a computer worm that had infected up to 80 computers and 2,000 workstations.

While the common computer worm, known as “Vobfus,” that attacked the Salem computers was well known in the larger IT community, it was news to School Administrative Unit 57 Superintendent Michael Delahanty.

“The attack really paralyzed us,” Delahanty said. “When our servers are unavailable, we are crippled from a business continuity standpoint.”

The IT shutdown at Salem’s schools reflected the flip side of technology dependency, since the attack affected all services: the district’s website, billing, daily attendance, report cards and the ability of parents to keep track of their children’s lessons and communicate online with teachers.

After trying for a few days without success to assess and fix the situation internally – at the time there was no IT director on staff – Delahanty turned to an outside vendor, Neoscope Technology Solutions of Portsmouth.

For Timothy Martin, Neoscope’s president, the situation that SAU 57 faced was typical of smaller nonprofit and for-profit organizations that are technology-dependent but lack the infrastructure and IT security savvy to protect themselves.

“All of the schools that we have encountered in New Hampshire have been completely on their own and lack any type of standardization, centralization or utilization of best practices when it comes to security,” Martin said. “The Salem School District was in a unique situation because they did not have an IT director on staff and their in-house staff did not have the experience in dealing with the virus that we encountered.”

SAU 57 also represents the budget-conscious piecemeal IT security efforts of small organizations attempting to maximize resources, said Martin.

“The district was typical from what we’ve seen, in that while we were in the process of removing the virus we noticed that they were running up to three to four different free consumer-grade antivirus products across their network with no central management console and no central remote access tool,” Martin explained.

Crippling potential

As small businesses, nonprofits and governmental entities become ever more dependent on their IT infrastructure, they all become targets for viruses of all types. Delahanty said that when he started his career three decades ago, education technology was primitive in comparison to today.

“Mainframe computers contained some budget information, but everything was still done by snail mail. We typed reports on electric typewriters,” he said. “Now everything is more complicated and done via the web.”

Neoscope, which has managed IT services for the town of Salem since 2012, cleaned out the Vobfus virus within a few days, got the system running and put security protocols and a centralized systems management process in place to hold the line until the district’s new IT director arrived later in the year.

Even if complete disruptions are rare, Martin said, what happened at SAU 57 was not atypical.

“Networks of all sizes are under attack,” he said. “You have to be proactive and monitor that stuff on a daily basis around the clock before it cripples your organization.”

In fact, there is no shortage of “stuff” to monitor as scores of new viruses or variations of viruses and malware are discovered daily by security software companies. According to computer security firm Panda Security, the impact of the virus or worm can range “from the annoying to the destructive,” but its main objective “is to collapse computers and networks” – which is exactly what happened to SAU 57.

Delahanty said SAU 57, like all school districts in New Hampshire, is on its own when it comes to IT security. “There’s no central resource,” he said. “If the Department of Education knows of a potential problem that’s been identified by a state agency, they will let us know.”

In discussions with a growing number of municipalities in New Hampshire and Massachusetts, Martin said that more towns and schools are considering bundling their IT services. In New Hampshire, the Department of Information Technology is the only statewide resource for cybersecurity updates to the public and issues daily updates on virus threats.

It’s possible that SAU 57 was a casualty of the latest Vobfus wave, which spread throughout the summer and was identified by Internet security experts as part of a combined virus offensive launched by criminal groups. That wave coincided with virus/malware scams in conjunction with the birth of the royal baby in Great Britain.

Delahanty said the cost of cleaning up the Vobfus virus was about $10,000 – a considerable cost, given the district’s tight budget.

At least Delahanty didn’t have to pay ransom. CryptoLocker, which attacked the town of Greenland, is a particularly virulent malware that threatens complete system-wide data destruction unless a ransom is paid.

CryptoLocker extortionists are targeting small businesses predominantly and forcing them to pay ransoms ranging from $300 to more than $1,000 via the Bitcoin virtual currency. In November, the small police department of Swansea, Mass., had its IT system stricken and paid $750 to get the encryption key to unlock its files.

Because Greenland was attacked during the holiday season, town officials didn’t know of the attack or the ransom until after the ransom deadline had passed.

“We received as many as 20 phone calls from small business owners who were hit by CryptoLocker,” said David Hodgdon, president of Portsmouth Computer Group. PCG, a managed IT services firm, began warning its customers of the CryptoLocker outbreak in September, he said.

Hodgdon said a report released in October by spam filter firm AppRiver – two months after CryptoLocker was first discovered – found that CryptoLocker was the most prevalent virus in the 56.6 million infected emails blocked by its spam filter that month.

And while computer security experts believe the worst of the CryptoLocker virus has passed, and that it can be contained with proactive measures, there is no doubt there will always be a next one.
