Trickbot Attack Forces Ohio School District to Cancel Classes

ohio coventry schools cancel classes trickbot attackA school district in Ohio suspended classes on Monday, May 20, because of a Trickbot attack on its network and computers. In a Facebook update posted the day before, the Coventry Local School District announced that its systems were infected by the malware the previous Friday, and that its schools would be closed as work on restoring normal operations continued. 

According to a report by the Akron Beacon Journal, the FBI determined that the infection started with computers in the treasurer’s office of the Coventry Local School District, and went on to affect operations that relied on the district’s network — notably shutting down the phone and heating, ventilation, and air conditioning (HVAC) systems.

[Read: Trickbot adds remote application credential-grabbing capabilities to its repertoire]

Lisa Blough, Coventry Local School District Superintendent, said that while IT personnel noticed the unusual activity on the network, the installed antivirus software did not detect it as malicious. She added that the district did not suspect that a student was involved in the cyberattack. Indeed, the FBI confirmed that an organized crime group is behind the attack, noting that the malware’s goal was to steal banking information or money from affected users. According to Blough, two employees reported having their Amazon accounts compromised in the incident.

As reported by ZDNet, classes resumed the next day, with the reinstallation of more than 1,000 computers.

[Read: Trickbot’s bigger bag of tricks]

Trickbot is considered one of the most dangerous malware strains used by cybercriminals today, what with its modular nature and its constantly changing arrival and distribution methods. In fact, the United States Department of Homeland Security issued in March a security primer on Trickbot in response to the prevalence of attacks using this malware.

A banking trojan, Trickbot was initially used to steal credentials from online banking websites. But its behavior and capabilities have been adjusted by cybercriminals over the years to suit their malicious activities. And it will continue to evolve beyond the usual banking trojan behavior while preying on more unwitting users.

A recent case in point: In another Trickbot variant that we discovered in the same week as the Coventry Local School District class suspension, the malware payload arrives through a legitimate-looking order confirmation email that can circumvent detection as the user is redirected to a known site via an embedded link. However, clicking on the masked link simultaneously downloads Trickbot and proceeds with its malicious routine.

Users and organizations can protect themselves from such spam attacks and phishing techniques that may deliver Trickbot:

  • Be wary of suspicious emails and messages with attachments or links from unknown senders. Do not download, open, or click attachments or links unless the email comes from a legitimate source.
  • Enable the multifactor authentication features of your online accounts whenever available.
  • Use complicated passwords for all your online accounts and change them regularly.
  • Report lost or stolen devices to your organization’s network administration personnel for them to employ additional authentication measures for stolen or leaked credentials.
IT administrators, in particular, should monitor the network for unusual increases in activity for potentially malicious activities as these can alert the organization to attacks or intrusions. They should also install a multilayered protection that can defend systems from malicious emails and URLs, from the gateway to the endpoint.

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.