What ransomware is, how it reaches Philippine schools, and the concrete steps you can take to prevent it — and survive it if it hits.
Ransomware is malicious software that encrypts your files — student records, grades, financial data, emails — and demands payment (usually in cryptocurrency) for the decryption key. Without the key, encrypted files are unreadable.
For schools, a ransomware attack can mean:
Phishing email is the most common entry point. A teacher clicks a link or opens an attachment in a fake DepEd memo or HR notice, and the attachment (or the file the link downloads) is the ransomware installer, or a loader that fetches it.
Many schools allow remote access to school systems over Remote Desktop Protocol (RDP). Attackers scan the whole internet for exposed RDP ports (TCP 3389 by default) and brute-force weak or reused passwords. Once in, they disable security software, delete reachable backups, and install the ransomware by hand.
Attackers exploit known, already-patched vulnerabilities in software that nobody has updated, particularly WordPress plugins, outdated Windows versions, and legacy Student Information Systems, to gain access without any user interaction.
If a software vendor you use gets compromised, attackers can push ransomware to all of the vendor's clients simultaneously. This is called a supply chain attack.
Day 1–14 (Before you know it):
Attackers are inside your network, quietly exploring. They map your systems, identify backups, and look for the most valuable data. Many ransomware groups now exfiltrate data (steal copies) before encrypting — so they can threaten to publish it even if you restore from backup.
Attack day:
Ransomware is deployed — often at night or on a weekend to maximize damage before discovery. Files are encrypted. A ransom note appears on affected screens.
Discovery:
Staff arrive to find systems inaccessible. The ransom note demands payment (typically $5,000–$50,000 for small organizations, paid in Bitcoin) within 48–72 hours, or the decryption key is destroyed.
Decision point:
Pay the ransom? Restore from backup? Negotiate? Each option has risks.
Should you pay the ransom? The short answer: No.
Reasons not to pay:
The right answer is to restore from backup. This is why the 3-2-1 backup rule is non-negotiable.
Your only reliable defense against ransomware data loss is the 3-2-1 rule: keep at least 3 copies of your data, on 2 different types of storage, with 1 copy offline or off-site where nothing on your network can reach it.
Why the offline copy matters: ransomware encrypts every location the infected machine (or the attacker's stolen admin account) can write to, which includes mapped network shares, synced cloud folders, and always-connected backup servers. An offline backup, such as an external hard drive stored in a fireproof cabinet and physically disconnected from your network, cannot be reached, so it cannot be encrypted or deleted.
Test your backups by actually restoring a sample of files and checking that they open; monthly is the target and quarterly the absolute minimum. A backup you've never tested is not a backup, it's a hope.
Do immediately:
Do NOT:
Notify:
Daily automated backups, with at least one copy offline. Test monthly.
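The "test your backups" point above and the earlier warning that an untested backup is only a hope both come down to one check: can you prove that what you restore is what you backed up? The following is an added example, not code from the original page. It records a SHA-256 manifest at backup time (to be stored alongside the offline copy) and later verifies a restored tree against it, reporting files that are missing or whose contents no longer match, which is exactly what a backup that ransomware reached will look like. The directory layout, file contents, and the tampering in the demo are all constructed for the example.

```python
"""Backup manifest and restore-verification example (added; not from the original page)."""
import hashlib
import json
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large database dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256.

    Store the resulting JSON with the offline copy: a manifest kept only on the
    live server can be encrypted along with everything else."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


@dataclass
class RestoreReport:
    verified: list = field(default_factory=list)   # present and hash matches
    missing: list = field(default_factory=list)    # in manifest, not in restore
    corrupted: list = field(default_factory=list)  # present but contents differ

    def passed(self) -> bool:
        return not self.missing and not self.corrupted


def verify_restore(manifest: dict, restored_root: Path) -> RestoreReport:
    """Compare a restored tree against the manifest taken at backup time."""
    report = RestoreReport()
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            report.missing.append(rel)
        elif sha256_file(p) != expected:
            report.corrupted.append(rel)
        else:
            report.verified.append(rel)
    return report


def run_demo() -> tuple:
    """Constructed scenario: a small SIS export, one clean restore and one
    restore from a backup share that the ransomware was able to reach."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "sis"
        (src / "grades" / "2024").mkdir(parents=True)
        (src / "students.csv").write_text("id,name\n1,Juan dela Cruz\n")
        (src / "grades" / "2024" / "q1.csv").write_text("id,grade\n1,90\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")

        # Taken at backup time; serialised as it would be when written to the offline drive.
        manifest = json.loads(json.dumps(build_manifest(src)))

        clean = verify_restore(manifest, src)

        tampered = Path(tmp) / "restored"
        shutil.copytree(src, tampered)
        # Simulated damage: one file overwritten with ciphertext, one deleted.
        (tampered / "students.csv").write_bytes(os.urandom(64))
        (tampered / "config.ini").unlink()
        damaged = verify_restore(manifest, tampered)
        return clean, damaged


if __name__ == "__main__":
    clean_report, damaged_report = run_demo()
    print("clean restore passed:", clean_report.passed())
    print("damaged restore passed:", damaged_report.passed())
    print("missing:", damaged_report.missing)
    print("corrupted:", damaged_report.corrupted)
```

Run `build_manifest` as the last step of each backup job and `verify_restore` as the monthly test, restoring into a scratch directory rather than over the live system. A report that lists corrupted files is the signal that the backup chain itself was reachable from the network and needs an offline copy.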
MFA on all admin accounts means a stolen, phished, or brute-forced password alone is no longer enough to log in, which blocks the credential-based access described above. See the MFA Setup Guide.
Most ransomware arrives via email. A spam filter that strips executable attachments (.exe, .js, .vbs, macro-enabled Office files such as .docm and .xlsm) blocks the most common delivery mechanism. Make sure it checks every extension in a filename, since "memo.pdf.exe" is an executable, and the file's actual content, since a renamed .exe is still an executable.
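To make the attachment-stripping rule concrete, here is an added example (mine, not code from the original page or any specific mail filter) that parses a raw email with Python's standard `email` package, drops attachments whose extension or leading bytes mark them as executable, and returns the cleaned message plus the reasons. The blocked-extension list, the magic-byte table, and the sample "DepEd memo" message are all constructed for the example; the edge cases it handles are the double extension (`Memo.pdf.exe`) and the renamed executable (`scan.pdf` whose bytes begin with `MZ`).

```python
"""Attachment-stripping example for a mail filter (added; not from the original page)."""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional, Tuple, List

# Types the checklist says to strip, plus the script hosts, macro-enabled Office
# formats and container types commonly used to deliver a ransomware loader.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",   # Windows executables / scripts
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",             # script hosts
    ".docm", ".xlsm", ".pptm", ".dotm", ".xlam",               # macro-enabled Office
    ".iso", ".img", ".lnk",                                    # disk images / shortcuts
}

# Leading bytes that identify an executable regardless of what the file is called.
MAGIC_SIGNATURES = {
    b"MZ": "windows-executable",
    b"\x7fELF": "elf-executable",
}


def classify_attachment(filename: Optional[str], payload: bytes) -> Optional[str]:
    """Return a reason to strip this attachment, or None if it may pass.

    Every dotted suffix is checked, so "Memo.pdf.exe" and "Memo.exe.pdf" are both
    caught; the magic-byte check then catches executables renamed to a safe extension."""
    parts = (filename or "").lower().split(".")
    for ext in ("." + p for p in parts[1:]):
        if ext in BLOCKED_EXTENSIONS:
            return f"blocked extension {ext} in {filename!r}"
    for magic, kind in MAGIC_SIGNATURES.items():
        if payload.startswith(magic):
            return f"{kind} content in {filename!r} (extension does not match)"
    return None


def strip_dangerous_attachments(raw: bytes) -> Tuple[EmailMessage, List[str]]:
    """Parse a raw RFC 5322 message, remove attachments that classify as dangerous,
    and return the cleaned message together with the list of reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []
    if not msg.is_multipart():
        return msg, reasons
    kept = []
    for part in msg.iter_parts():
        if part.get_content_disposition() == "attachment":
            reason = classify_attachment(part.get_filename(), part.get_payload(decode=True) or b"")
            if reason:
                reasons.append(reason)
                continue
        kept.append(part)
    msg.set_payload(kept)
    return msg, reasons


def build_sample_message() -> bytes:
    """Constructed sample: a fake 'DepEd memo' carrying one harmless and three dangerous attachments."""
    msg = EmailMessage()
    msg["From"] = "records@example.invalid"
    msg["To"] = "registrar@school.example"
    msg["Subject"] = "URGENT: Updated DepEd memo, please open attached"
    msg.set_content("Please see the attached memo and enrollment sheet.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf",
                       filename="memo.pdf")                       # harmless
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="DepEd_Memo.pdf.exe")  # double extension
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 16, maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="enrollment.xlsm")                # macro-enabled workbook
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="pdf", filename="scan.pdf")        # executable renamed to .pdf
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, why = strip_dangerous_attachments(build_sample_message())
    for r in why:
        print("stripped:", r)
    print("kept:", [a.get_filename() for a in cleaned.iter_attachments()])
```

In a real deployment this logic sits in the mail gateway (or a milter) rather than on user desktops, and the stripped message should carry a short note telling the recipient what was removed so that a legitimate spreadsheet is not lost silently.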
Apply security updates within 30 days of release, and sooner when the vendor or DICT/CERT-PH reports the vulnerability as actively exploited. Enable automatic updates on Windows computers. Update your website CMS and plugins monthly.
If your school uses Remote Desktop Protocol (RDP) for remote access, either disable it entirely or move it behind a VPN with MFA. Never expose RDP directly to the internet, and watch the Windows Security log for bursts of failed logons: a brute-force attempt shows up there long before the ransom note does.
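The RDP brute-force path described in the attack vectors above and the advice here to keep RDP off the internet share one detection: many failed logons from a single source in a short window, especially when followed by a success. Below is an added example, not from the original page, that runs that logic over constructed Windows Security events. The events are a simplified CSV rendering (timestamp, event ID, account, source IP, logon type) of what an export of Event ID 4625 (failed logon) and 4624 (successful logon) would contain; logon type 10 is RemoteInteractive (RDP), and type 3 is included because hosts with Network Level Authentication record the failed pre-auth as a network logon. The threshold, window, IP addresses and account names are all assumptions made for the example.

```python
"""RDP brute-force detection over Windows logon events (added; not from the original page)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPES = {10, 3}   # RemoteInteractive, plus Network (NLA pre-auth failures)

# Constructed sample: timestamp,event_id,account,source_ip,logon_type
SAMPLE_EVENTS = """\
2024-03-02T01:00:05,4625,administrator,203.0.113.7,10
2024-03-02T01:00:08,4625,administrator,203.0.113.7,10
2024-03-02T01:00:12,4625,admin,203.0.113.7,10
2024-03-02T01:00:15,4625,registrar,203.0.113.7,10
2024-03-02T01:00:19,4625,registrar,203.0.113.7,10
2024-03-02T01:00:40,4624,registrar,203.0.113.7,10
2024-03-02T07:58:00,4625,teacher.santos,10.20.0.15,10
2024-03-02T07:58:20,4625,teacher.santos,10.20.0.15,10
2024-03-02T07:58:45,4624,teacher.santos,10.20.0.15,10
2024-03-02T09:00:00,4625,admin,198.51.100.9,3
2024-03-02T10:30:00,4625,admin,198.51.100.9,3
2024-03-02T12:00:00,4625,admin,198.51.100.9,3
"""


@dataclass(frozen=True)
class Event:
    time: datetime
    event_id: int
    account: str
    src_ip: str
    logon_type: int


@dataclass(frozen=True)
class Alert:
    kind: str            # "brute-force" or "success-after-bruteforce"
    src_ip: str
    time: datetime
    accounts: frozenset  # accounts involved
    detail: str


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        ts, eid, account, src, ltype = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), int(eid), account, src, int(ltype)))
    return sorted(events, key=lambda e: e.time)


def detect_rdp_bruteforce(events: List[Event], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Sliding-window count of failed RDP logons per source IP.

    A source reaching `threshold` failures inside `window` is flagged once;
    a later successful logon from a flagged source is a second, more urgent
    alert, because it means the guessing worked."""
    failures = defaultdict(deque)    # src_ip -> (time, account) of recent failures
    flagged = set()
    alerts: List[Alert] = []
    for ev in events:
        if ev.logon_type not in RDP_LOGON_TYPES:
            continue
        q = failures[ev.src_ip]
        if ev.event_id == FAILED_LOGON:
            q.append((ev.time, ev.account))
            while q and ev.time - q[0][0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ev.src_ip not in flagged:
                flagged.add(ev.src_ip)
                alerts.append(Alert("brute-force", ev.src_ip, ev.time,
                                    frozenset(a for _, a in q),
                                    f"{len(q)} failed RDP logons within {window}"))
        elif ev.event_id == SUCCESSFUL_LOGON and ev.src_ip in flagged:
            alerts.append(Alert("success-after-bruteforce", ev.src_ip, ev.time,
                                frozenset({ev.account}),
                                f"successful logon as {ev.account} after brute-force burst"))
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(a.time.isoformat(), a.kind, a.src_ip, a.detail)
```

The teacher who mistypes a password twice and the slow trickle from 198.51.100.9 produce nothing; the burst from 203.0.113.7 produces the brute-force alert and then the success alert that should trigger the incident response steps above. Feed it real 4625/4624 exports by adapting `parse_events` to the export format you have.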
Teach staff to recognize phishing emails. Try the Phishing Awareness Quiz. One click is all it takes to start a ransomware infection.
Keep student databases and administrative systems on a separate network segment from the general staff and student WiFi. A compromised laptop on the student network should not be able to reach the SIS database.
Ransomware is not an IT problem — it's an institutional risk. Frame it for school leadership this way:
The cost of ransomware vs. the cost of prevention:
The question is not whether schools get targeted. The question is whether your school is prepared.