When Ransomware Attacks a School District, You Get Detention

What do you get when ransomware attacks a school district? KPMG was called to assist a school district with a ransomware investigation. While most ransomware investigations are fairly cookie-cutter, the telemetry available in this case gave KPMG tremendous insight into the attacker's behavior, motivations, and tooling. The telemetry available to us included EDR, Windows host forensic data, firewall logs, and attacker tool data (e.g., MEGA). With EDR, we were able to determine the breadth of the attack and ensure the attackers no longer had a presence in the environment. With the host data, we were able to see credential dumping, disabling of AV, anti-forensic activity, and a PowerShell script that searched for blackmail material and/or sensitive information. This PowerShell script included a hard-coded IP address, which we used as a search key in the firewall logs to determine whether exfiltration had occurred. The firewall logs were also correlated with the MEGA logs to confirm exfiltration. What do you get when ransomware attacks a school district? You get detention, Project Detention that is.
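The correlation step described above, pulling the hard-coded address out of the collection script, using it as a search key in firewall logs to size the outbound traffic, and lining those flows up against cloud-storage upload records, is shown below as an added example. This is not code from the talk or from KPMG; the script text, the firewall export format, the MEGA-style upload log, and the IP address (an RFC 5737 documentation address) are all constructed here for illustration.

```python
import re
from datetime import datetime, timedelta

# --- Constructed inputs (illustrative, not data from the case) ---

# A collection script of the kind described, with a placeholder destination IP
# standing in for the hard-coded address the investigators found.
SCRIPT_TEXT = r'''
$dest = "203.0.113.45"   # placeholder, documentation range (RFC 5737)
Get-ChildItem -Path C:\Users -Recurse -Include *.xlsx,*.pdf |
    Where-Object { $_.Name -match "ssn|salary|medical" }
'''

# Constructed firewall export: timestamp,src,dst,dst_port,action,bytes_out
FIREWALL_LOG = """\
2023-03-04T02:13:07Z,10.20.5.17,203.0.113.45,443,allow,48213000
2023-03-04T02:14:22Z,10.20.5.17,198.51.100.9,443,allow,1200
2023-03-04T02:20:51Z,10.20.5.17,203.0.113.45,443,allow,3100000
2023-03-04T03:02:10Z,10.20.5.31,203.0.113.45,443,deny,0
"""

# Constructed cloud-storage client log: timestamp,action,file,bytes
MEGA_LOG = """\
2023-03-04T02:15:40Z,upload,HR_records.zip,47900000
2023-03-04T02:21:05Z,upload,student_medical.pdf,3050000
2023-03-04T05:10:00Z,upload,notes.txt,900
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ipv4(text):
    """Pull every IPv4 literal out of a script so it can be used as a search key."""
    return sorted(set(IPV4.findall(text)))


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_firewall(text):
    """Parse the constructed CSV export into event dicts."""
    events = []
    for line in text.splitlines():
        ts, src, dst, dport, action, nbytes = line.split(",")
        events.append({"ts": _ts(ts), "src": src, "dst": dst, "dport": int(dport),
                       "action": action, "bytes": int(nbytes)})
    return events


def parse_mega(text):
    """Parse the constructed upload log into event dicts."""
    events = []
    for line in text.splitlines():
        ts, action, name, nbytes = line.split(",")
        events.append({"ts": _ts(ts), "action": action, "file": name, "bytes": int(nbytes)})
    return events


def bytes_to_iocs(fw_events, iocs):
    """Sum allowed outbound bytes per IoC destination; denied flows carry no data."""
    totals = {}
    for ev in fw_events:
        if ev["dst"] in iocs and ev["action"] == "allow":
            totals[ev["dst"]] = totals.get(ev["dst"], 0) + ev["bytes"]
    return totals


def correlate(fw_events, mega_events, iocs, window_minutes=5):
    """Pair each upload with allowed flows to an IoC within +/- window_minutes."""
    window = timedelta(minutes=window_minutes)
    pairs = []
    for up in mega_events:
        if up["action"] != "upload":
            continue
        for ev in fw_events:
            if (ev["dst"] in iocs and ev["action"] == "allow"
                    and abs(ev["ts"] - up["ts"]) <= window):
                pairs.append((up["file"], ev["ts"].strftime("%H:%M:%S")))
    return pairs


if __name__ == "__main__":
    iocs = set(extract_ipv4(SCRIPT_TEXT))
    fw = parse_firewall(FIREWALL_LOG)
    print("IoC IPs from script:", iocs)
    print("Bytes out to IoCs:", bytes_to_iocs(fw, iocs))
    print("Upload/flow pairs:", correlate(fw, parse_mega(MEGA_LOG), iocs))
```

The byte totals to the IoC address give a rough upper bound on what left the network, and the time-window pairing ties individual uploads in the tool's own log to the flows the firewall saw. Denied flows are excluded from both checks because they moved no data; the window size is a judgment call and should be widened if the two clock sources are not synchronized.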