Understanding Ransomware: A Guide for School Administrators
What ransomware is, how it reaches Philippine schools, and the concrete steps you can take to prevent it — and survive it if it hits.
What Is Ransomware?
Ransomware is malicious software that encrypts your files — student records, grades, financial data, emails — and demands payment (usually in cryptocurrency) for the decryption key. Without the key, encrypted files are unreadable.
For schools, a ransomware attack can mean:
- Enrollment systems locked during registration season
- Grade records inaccessible during report card period
- Payroll data encrypted before payday
- Years of student records lost if no backup exists
How Ransomware Reaches Schools
1. Phishing Emails
The most common entry point. A teacher clicks a link or downloads an attachment in a fake DepEd memo or HR notice. The attachment contains the ransomware installer.
2. Compromised Remote Desktop (RDP)
Many schools allow remote access to school systems. Attackers scan the internet for exposed RDP ports and brute-force weak passwords. Once in, they install ransomware manually.
3. Unpatched Software Vulnerabilities
Attackers exploit known vulnerabilities in unpatched software — particularly WordPress plugins, outdated Windows versions, or legacy Student Information Systems — to gain access without any user interaction.
4. Compromised Third-Party Vendor
If a software vendor you use gets compromised, attackers can push ransomware to all of the vendor's clients simultaneously. This is called a supply chain attack.
The Ransomware Attack Timeline
Day 1–14 (Before you know it):
Attackers are inside your network, quietly exploring. They map your systems, identify backups, and look for the most valuable data. Many ransomware groups now exfiltrate data (steal copies) before encrypting — so they can threaten to publish it even if you restore from backup.
Attack day:
Ransomware is deployed — often at night or on a weekend to maximize damage before discovery. Files are encrypted. A ransom note appears on affected screens.
Discovery:
Staff arrive to find systems inaccessible. The ransom note demands payment (typically $5,000–$50,000 for small organizations, paid in Bitcoin) within 48–72 hours, or the decryption key is destroyed.
Decision point:
Pay the ransom? Restore from backup? Negotiate? Each option has risks.
Should Schools Pay the Ransom?
The short answer: No.
Reasons not to pay:
- No guarantee of recovery — about 20% of organizations that pay never receive a working decryption key (Sophos, 2023 State of Ransomware)
- You become a repeat target — attackers mark paying victims as "reliable" and attack again
- It funds criminal operations — payment encourages more attacks on schools
- Data may still be published — attackers increasingly publish stolen data even after payment ("double extortion")
The right answer is to restore from backup. This is why the 3-2-1 backup rule is non-negotiable.
The 3-2-1 Backup Rule
Your only reliable defense against ransomware data loss:
- 3 copies of your data
- 2 different storage types (e.g., cloud + external hard drive)
- 1 copy offline (not connected to the internet or your network)
Why the offline copy matters: Ransomware can spread through your network and encrypt connected cloud drives and backup servers. An offline backup — a hard drive stored in a fireproof cabinet, physically disconnected from your network — cannot be encrypted.
Test your backups quarterly. A backup you've never tested is not a backup — it's a hope.
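Testing a backup means more than confirming the drive mounts: the restored files must match what was backed up, byte for byte. The script below is an added example (not part of this guide or any product it names) of how an IT coordinator can do that check. It writes a SHA-256 manifest of the live data, then compares a backup copy against it and reports files that are missing, altered, or unexpected. The directory names, file contents, and the "damaged copy" scenario are all constructed for the demonstration.

```python
"""Backup integrity check with a SHA-256 manifest.

Added example, not code from the original guide.  All paths and file
contents below are constructed; point build_manifest() at the real data
directory and verify_backup() at the mounted offline copy in practice.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large databases do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest.

    Store the manifest with the offline copy; it is the reference the next
    quarterly test compares against.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup tree against the manifest.

    Returns {"missing": [...], "altered": [...], "extra": [...]}.  A healthy
    backup has three empty lists.  An "altered" record whose contents no longer
    hash correctly is exactly what an encrypted file looks like; an "extra"
    file that nobody placed there deserves a look as well.
    """
    result = {"missing": [], "altered": [], "extra": []}
    for rel, digest in manifest.items():
        target = backup_root / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif sha256_file(target) != digest:
            result["altered"].append(rel)
    present = {p.relative_to(backup_root).as_posix()
               for p in backup_root.rglob("*") if p.is_file()}
    result["extra"] = sorted(present - set(manifest))
    return result


def demo() -> dict:
    """Constructed scenario: a small records tree, an intact offline copy, and a
    network-share copy where one file was overwritten, one deleted, and an
    unexpected file added.  Returns both verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "records")
        (src / "payroll").mkdir(parents=True)
        (src / "grades_2024.csv").write_bytes(b"student_id,grade\n1001,90\n")
        (src / "payroll" / "march.xlsx").write_bytes(b"constructed payroll bytes")
        manifest = build_manifest(src)

        good = Path(tmp, "offline_copy")
        shutil.copytree(src, good)

        bad = Path(tmp, "network_share_copy")
        shutil.copytree(src, bad)
        (bad / "grades_2024.csv").write_bytes(b"constructed unreadable bytes")
        (bad / "payroll" / "march.xlsx").unlink()
        (bad / "README_RESTORE.txt").write_bytes(b"constructed unexpected file")

        return {"good": verify_backup(manifest, good),
                "bad": verify_backup(manifest, bad)}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Run the manifest build against the live data on the same day the offline copy is made, keep the manifest alongside that copy, and treat any non-empty list in the verification report as a failed test until it is explained.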
Immediate Response if Ransomware Hits
Do immediately:
1. Disconnect affected systems from the network — unplug Ethernet cables or disable WiFi
2. Do NOT turn off or wipe the machines (preserves evidence for investigation)
3. Alert IT coordinator and DPO immediately
4. Identify the scope — which systems are affected?
5. Check if offline backups are intact
Do NOT:
- Pay the ransom without consulting experts
- Connect backup drives to an infected system
- Try to "clean" the ransomware yourself with consumer antivirus
Notify:
- Your principal and school board
- National Privacy Commission within 72 hours (if student data was affected)
- DICT Cybersecurity Bureau: cybersecurity@dict.gov.ph
Prevention: The Highest ROI Security Measures
1. Offline Backups (Highest Priority)
Daily automated backups, with at least one copy offline. Test monthly.
2. Multi-Factor Authentication
MFA on all admin accounts prevents attackers from using stolen credentials to access your systems. See the MFA Setup Guide.
3. Email Filtering
Most ransomware arrives via email. A spam filter that strips executable attachments (.exe, .js, .vbs, macro-enabled Office files) blocks the most common delivery mechanism.
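The check a mail filter performs at this step can be small. The script below is an added example (not from this guide or any mail product) of the logic: parse an incoming message, look at every attachment's file name and declared MIME type, and flag the types named above. It inspects every suffix in the name so that a disguised "Memo.pdf.exe" is caught, and it also keys on the macro-enabled Office MIME types in case the file name is misleading. The blocked-type list and the sample message are constructed assumptions; a real deployment would tune the list to local policy.

```python
"""Flag executable and macro-enabled attachments in an e-mail.

Added example, not code from the original guide.  The blocked-type sets and
the sample message are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage

# Types the guide names (.exe, .js, .vbs, macro-enabled Office) plus other
# common script/executable extensions.  Assumed list; adjust to local policy.
BLOCKED_EXTENSIONS = {
    ".exe", ".js", ".vbs", ".scr", ".bat", ".cmd", ".ps1", ".hta", ".jar", ".lnk",
    ".docm", ".xlsm", ".pptm", ".dotm", ".xlam",
}

# Declared MIME types that identify macro-enabled Office files or Windows
# executables regardless of what the attachment is called.
BLOCKED_MIME_TYPES = {
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.ms-excel.sheet.macroenabled.12",
    "application/vnd.ms-powerpoint.presentation.macroenabled.12",
    "application/x-msdownload",
}


def attachment_is_blocked(filename, content_type) -> bool:
    """True if the name carries a blocked extension anywhere after the first dot
    (so 'Memo.pdf.exe' is caught) or the declared MIME type is blocked."""
    name = (filename or "").strip().lower()
    suffixes = {"." + part for part in name.split(".")[1:]}
    if suffixes & BLOCKED_EXTENSIONS:
        return True
    return (content_type or "").lower() in BLOCKED_MIME_TYPES


def scan_message(raw_bytes: bytes) -> list:
    """Return the file names of attachments that should be stripped or quarantined."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        if attachment_is_blocked(part.get_filename(), part.get_content_type()):
            flagged.append(part.get_filename())
    return flagged


def build_sample_message() -> bytes:
    """Constructed test message: a disguised executable, a macro-enabled Word
    file, and a harmless PDF.  Addresses use the reserved .invalid TLD."""
    msg = EmailMessage()
    msg["From"] = "hr-notice@example.invalid"
    msg["To"] = "teacher@school.example.invalid"
    msg["Subject"] = "Updated HR Memo"
    msg.set_content("Please see the attached memo.")
    msg.add_attachment(b"constructed executable bytes", maintype="application",
                       subtype="octet-stream", filename="HR_Memo.pdf.exe")
    msg.add_attachment(b"constructed macro document bytes", maintype="application",
                       subtype="vnd.ms-word.document.macroenabled.12",
                       filename="Enrollment_Form.docm")
    msg.add_attachment(b"constructed pdf bytes", maintype="application",
                       subtype="pdf", filename="Class_Schedule.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print("flagged attachments:", scan_message(build_sample_message()))
```

On the constructed message the filter flags the disguised executable and the macro-enabled form while letting the PDF through, which is the behaviour to confirm before turning such a rule on for a whole school domain.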
4. Patch Management
Apply security updates within 30 days. Enable automatic updates on Windows computers. Update your website CMS and plugins monthly.
5. Disable Exposed RDP
If your school uses Remote Desktop Protocol (RDP) for remote access, either disable it entirely or move it behind a VPN. Never expose RDP directly to the internet.
6. Staff Training
Teach staff to recognize phishing emails. Try the Phishing Awareness Quiz. One click is all it takes to start a ransomware infection.
7. Network Segmentation
Keep student databases and administrative systems on a separate network segment from the general staff and student WiFi. A compromised laptop on the student network should not be able to reach the SIS database.
What to Tell Your School Board
Ransomware is not an IT problem — it's an institutional risk. Frame it for school leadership this way:
The cost of ransomware vs. the cost of prevention:
- Average ransom demand for small organizations: PHP 250,000–2,500,000
- Average downtime: 21 days (Coveware, 2023)
- Cost of an external hard drive for backups: PHP 3,000–5,000
- Cost of enabling MFA on Google Workspace: Free
The question is not whether schools get targeted. The question is whether your school is prepared.
Related Resources
- 10-Point School Cybersecurity Checklist — includes backup and patch management
- Incident Response Plan Template — what to do when ransomware hits
- School Security Scorecard — assess your overall security posture