Locked Out: Lessons from Ransomware Attacks on Small Businesses and Schools

Ransomware attacks have become a very common cyber threat, affecting nearly everyone directly or indirectly. To see how bad it is, speak to a random person about ransomware: chances are they were affected, know someone who was, or know of somewhere that was hit. Businesses have had their operations halted, and schools have lost time and money trying to recover files and backups locked away by ransomware encryption, under threat of data exposure unless they pay. In some cases, victims have to start from scratch. What lessons can we learn to protect ourselves and recover?

We will take a look at two recent ransomware attacks: one affecting a small business and one affecting a school. We will identify the lessons we can learn and the strategies we can use to avoid the same happening to us.

Small Businesses in the Balearic Islands

In 2024, small businesses in the Balearic Islands suffered major financial losses due to cyberattacks. Reports estimated that about 1,500 businesses were affected during the year. The attacks were mainly phishing emails and ransomware, in which critical business data is encrypted and the cybercriminals demand payment. The average loss per company was reported at about 30,000 euros, taking into account the payment demanded by the cybercriminals, lost productivity, and the cost of recovery, as detailed in a report by Cadena SER, a Spanish radio network known for its news coverage.

Ironically, in spite of the increase in these attacks, many small businesses still run vulnerable systems. One would have thought the recent attacks would motivate them to address this. The inaction may be due to small business owners not fully understanding cyber threats or how to prevent attacks, which confirms the need for employee training and awareness programs, proper backup procedures, and the technology and tools necessary to protect against phishing and ransomware. Measures like these would help reduce repeat attacks by cybercriminals against small businesses in the Balearic Islands.

Rutherford County Schools Ransomware Attack

In November 2024, Rutherford County Schools (RCS), a large school district in the state of Tennessee in the United States, suffered a major ransomware attack linked to the Rhysida ransomware group, as reported by Daily Security Review. The breach caused major disruption to the district's operations, including access to its email systems, student records, and administrative data. The cybercriminals exposed sensitive data on the dark web, including students' Social Security numbers.

At the time of writing, there has been no official public confirmation of the exact vulnerabilities exploited by the Rhysida group. We do know, however, that the group uses Ransomware-as-a-Service (RaaS) methods of attack, which sheds some light on the vulnerabilities possibly exploited and gives us a teaching example. RaaS attacks exploit weaknesses in phishing defenses, patch management, access controls, or network segmentation. These are commonly known weaknesses in schools.

Understanding Ransomware Attacks

Ransomware attacks have become one of the most common cyber-attacks in recent years. They typically involve malicious software encrypting important databases or files, which leaves organizations like small businesses and schools without access to their data. Groups like Rhysida, who use Ransomware-as-a-Service (RaaS) techniques, seek to exploit vulnerabilities such as phishing, unpatched systems, and weak access controls. Cybercriminals using ransomware disrupt operations and expose sensitive data.

Impact on Small Businesses and Schools

As the recent attacks on Rutherford County Schools and small businesses in the Balearic Islands demonstrate, the following usually happens after a ransomware attack:

  • Disruption of business or operations:
    • Schools and businesses lose access to important systems, such as student records or financial tools.
    • Recovery efforts can take weeks, further halting operations.
  • Data Exposure:
    • Sensitive information, such as student and staff contact details, national identification, and customer data, may be stolen and sold on the dark web.
  • Financial Losses:
    • Small businesses in the Balearic Islands reported average losses of €30,000 due to ransomware attacks. This included the ransom payments, lost productivity, and recovery expenses.
    • Schools face additional costs for system restoration and forensic investigations.
  • Reputational Damage:
    • Schools and small businesses can lose customers and students if there is a loss of trust and confidence.

Mitigation Strategies

Preventing ransomware attacks requires a planned and strategic approach. Small businesses and schools should focus on the following:

  1. Strengthen Phishing Defenses
    1. Implement email filtering systems to detect and block malicious emails.
    2. Conduct regular employee training to help staff recognize phishing attempts.
    3. Use sandboxing tools to test suspicious email attachments in a secure environment.
    4. Implement DMARC to help reduce email spoofing in social engineering campaigns against recipients of your emails, for example customers, parents, and friends.
  2. Ensure Timely Patch Management
    1. Regularly update and patch operating systems, applications, and hardware to close known vulnerabilities.
    2. Automate patch management processes where doing so poses the least risk, to reduce manual errors.
  3. Secure Remote Access
    1. Restrict the use of Remote Desktop Protocol (RDP) and secure it with strong passwords and encryption.
    2. Require multi-factor authentication (MFA) for all remote access.
  4. Implement Network Segmentation
    1. Separate critical systems from less sensitive ones to prevent ransomware from spreading laterally across the network.
    2. Use firewalls and access control lists to limit unauthorized access between network segments.
  5. Deploy Endpoint Detection and Response (EDR)
    1. Invest in advanced EDR tools or an effective open-source alternative that can detect and respond to ransomware attacks in real time.
    2. Monitor for unusual behavior, such as sudden file encryption or large data transfers.
  6. Backup and Recovery
    1. Maintain regular backups of critical data, ensuring backups are stored offline or in a secure cloud environment.
    2. Test backup systems periodically to ensure rapid restoration in the event of an attack.

Conclusion

The ransomware attacks on Rutherford County Schools and small businesses in the Balearic Islands highlight the serious impact of these incidents on both operations and sensitive data. By addressing common vulnerabilities, such as users of your systems (staff and students) who are unaware of the threats, phishing, and weak access controls, and by adopting proactive measures like network segmentation, regular backups, and timely patching, organizations can significantly reduce their risk of falling victim to ransomware. While no system is entirely immune, a strong and constantly improving cybersecurity framework is the best defense against the growing threat of ransomware.
