A Publication of the Public Library Association Public Libraries Online

Ransomware Attacks at Libraries: How They Happen, What to Do

May 10, 2021

Malicious hacking attacks on institutions are on the rise, particularly after the onset of the COVID-19 pandemic. Corporations, including nonprofits like public libraries, face greater dangers from these attacks. Ransomware is the name for a particular type of cyberattack in which hackers encrypt a victim’s files, then demand a ransom to give users access to their files. The demand is often in a cryptocurrency like Bitcoin.

Susan Sentz, the Director of the Northampton Public Library in Northampton, PA, led the response to a ransomware attack on her library in late 2020. Sentz said that while she had heard about ransomware attacks on the news, she hadn’t considered her library particularly high risk. In November 2020, as Sentz and her staff went through their morning routine, they noticed errors logging onto personal workstations and their catalog. “We decided something may be wrong with our server or that something was updating so we contacted the IT company we use. They were having problems trying to remote into our servers, which was the first red flag. Then a staff member noticed that the files on her computer were encrypted, which we relayed to our IT company. And that was when we knew it was a ransomware attack.”

The result: closure for two weeks as their IT firm sorted out the malware problems. Because of COVID-19 related closures and scheduling, Northampton thankfully didn’t see a huge disruption to their work, but lending was out of the question with the catalog down.

Mark Sandblade, who has spent six years as Information Technology Manager at the Library System of Lancaster County, said that ransomware is a significant concern for the modern public library and in his opinion, the greatest IT security threat he faces. 

Sandblade explained his worries as a matter of risk and probability, saying, “Ransomware is one of the few risks that is both highly probable and impactful. Weekly news headlines of successful ransomware attacks that have debilitated whole companies and organizations are fairly common now.” 

Libraries are at higher risk than other organizations for a few reasons, according to Sandblade. First, libraries rely heavily on layers of IT infrastructure, like electronic catalogs, public wifi access, and public computing terminals. IT budgets at public libraries are not as comprehensive as in other organizations. Some public libraries benefit from their small size and less complicated infrastructure, giving hackers fewer places to infiltrate. But they might not have the resources to set up adequate defenses against hacking. Sandblade said that the consortium model of the Library System of Lancaster County can be helpful in order to take advantage of pooled resources and economies of scale.

Whatever preparations are made, ransomware often has a random element that makes it hard to prepare for, said Sandblade. “Crime is often indiscriminate. An attacker will often not care what your size, funding, mission is.”

For Northampton Public Library, the cleanup took time. Sentz said that a true investigation into exact causes would have cost tens of thousands of dollars and was not covered by their insurance. However, recovery of lost files was covered, meaning they could enlist the help of their IT firm in recovering as much as possible. Fortunately, as a result of prior planning and good IT practices, Sentz said that they had minimal losses and opted not to spend the time recovering the minimal files lost. Backups had saved most of their files. This careful planning philosophy is critical, said Sentz. “It is important for libraries to take preemptive measures, because once you get hit with a ransomware attack it’s too late.”

Sandblade provided a host of suggestions for libraries curious about ways to safeguard themselves from attack. You can find a full transcript of my interview with Sandblade and Sentz at the end of this article. In the full transcript, you will see Sandblade’s go-to solutions to help a library prepare for a ransomware attack, including staff training on spotting suspicious emails, how to react when you’ve clicked the wrong link, multi-factor authentication for user accounts, and a robust backup strategy like the one employed at Northampton.

For libraries not sure where to start, Sandblade’s advice is to make use of whatever resources are available, even modest resources. He said, “It’s easy to get overwhelmed by the cybersecurity challenge. The best thing is to take some kind of action today. There is a lot of low hanging fruit with cybersecurity that can be done. Get started and then constantly restart. The latest DoD breaches show that even the most highly funded capable organizations can get hacked.” 

Libraries, Sandblade said, often focus on physical security. “You wouldn’t just leave your library doors unlocked, no fire alarm, let patrons walk out the door with items without checking out. Take your cybersecurity as seriously as your physical security. Dollar wise, it may cause more damage.” He observed that everyone has a role in stopping IT security threats: “If you use a computer and a network for a living, then you are a technology professional. Cybersecurity isn’t just IT’s responsibility or headache.” 

Asked about what advice she’d give to other library directors who are trying to grapple with ransomware threats, Sentz said, “For someone in my position, I would say you will get through it. Work diligently with your IT support to figure out the best solution for your library to move forward. Don’t forget to contact your insurance company to see what work or recovery would be covered by your policy. Operations will go back to normal!”

Interview with Mark Sandblade, Information Technology Manager, Library System of Lancaster County 

PL: How long have you been in IT management for public libraries?

MS: Six years

PL: Are there any risk-management advantages to being part of a library system (like Lancaster) as opposed to being an independent library with its own IT structure?

MS: Different library consortia will have different economies of scale.  The big difference for LSLC is that we have a dedicated IT department that does nothing but IT. Most libraries, even large well-funded ones, will have technology specialists, but often this role has to prioritize library service work first. IT and IT security is an afterthought for spare time which, as we know in libraries, never comes.  The other advantage is that we can purchase and implement systems that would be time and cost prohibitive for smaller libraries.  An example of this is LSLC’s core firewall.  The performance and maintenance cost would be impractical for an individual library, but is great for a consortium.

PL: How do ransomware attacks influence how you do your work? Is this something that keeps you up at night? 

MS: Ransomware is probably my greatest worry.  The risk calculation formula is ( Risk = Probability x Impact ).  An earthquake has low probability and high impact. Accidentally deleting a file is high probability but low impact.  Ransomware is one of the few risks that is both extremely highly probable and impactful.  Weekly news headlines of successful ransomware attacks that have debilitated whole companies and organizations are fairly common now.  Ransomware usually attacks the most vulnerable target in any network, the human.  The profit motive also makes it the most likely form of attack as other forms of malicious code don’t benefit the attacker nearly as much.

PL: Are libraries more at risk for ransomware and other hacking attacks than other organizations in the non-profit sector? For profit sector?

MS: I would say libraries are at higher risk due to their heavy reliance on IT and relatively smaller IT and IT security budgets.  On the other hand some libraries have less IT infrastructure and may have a smaller attack surface than larger organizations.  However crime is often indiscriminate.  An attacker will often not care what your size, funding, mission is.

PL: Are public computer labs a major risk? 

MS: They can be, but they don’t have to be.  The best practice is to segregate your public networks from your staff networks as much as possible.  This can be done logically through VLANs and firewalls or even done physically by keeping wiring, printing, Internet connection, etc. completely separate. This can sometimes be an expensive proposition, but it’s completely necessary and worthwhile expense.

PL: Do you have a philosophy or a set of rules you try to instill in library system employees about safety?

MS: It’s easy to get overwhelmed by the cybersecurity challenge. The best thing is to take some kind of action today. There is a lot of low hanging fruit with cybersecurity that can be done. Get started and then constantly restart. The latest DoD breaches show that even the most highly funded capable organizations can get hacked. Do what you can with what you have. Also I tell staff that you wouldn’t take your physical security lightly. You wouldn’t just leave your library doors unlocked, no fire alarm, let patrons walk out the door with items without checking out. Take your cybersecurity as seriously as your physical security. Dollar wise, it may cause more damage than the physical security. If you use a computer and a network for a living, then you are a technology professional. Cybersecurity isn’t just IT’s responsibility or headache.

PL: If you could give libraries a piece of advice on keeping themselves safe from ransomware or other hacking attacks, what would that be?

  1. Look at the most obvious vectors for an attack. It is unlikely that a state actor like Fancy Bear will attack your network. It’s more likely that the vector will come from an incoming email, webpage or link sent by a con artist. Make sure your staff are trained to spot suspicious emails. Use some message spam/malware filtering service.  Office365 and G Suite have their built in filtering services, but there are many 3rd party email and web filtering services that are good as well.  
  2. Do a mental “table top” wargame with your staff.  Run the scenario as if it were happening for real.  “My director got an email and clicked on the link. It immediately started encrypting all her files and since she had access to shared drives it locked those files too. It then sent the same link to everyone in her Contacts list…”  Think about how much time you would have. Who would you call? What would be your first step? What would be the thing you wish you had done before that day?  That’s your next step.
  3. Multifactor Authentication (MFA). Implement it for your email ASAP. This is the single greatest step in preventing a phishing or ransomware attack.  We would routinely get a few users/year that would get their email accounts hijacked. That has completely stopped since enforcing MFA.
  4. Think of security in concentric rings. The most valuable assets and users would be in the center ring, now surround that ring with a layer of security, then you would have other users and assets in the next ring outside of it, and so on.  The more ring “walls” of security you have the more fallback positions you have when a layer gets breached.  
  5. Try to implement a 3, 2, 1 backup strategy.  You want at least 3 copies of your data, in 2 locations, with 1 offsite.  A massive problem with many ransomware attacks is that the backups also got encrypted. Having multiple backup copies helps hedge against this scenario.
  6. Pay attention to the security news. This can be as simple as subscribing to the right newsletters and alerts.  So when the next WannaCry vulnerability spreads, you can say “Oh I heard about this already, and we patched our systems as soon as the patch was released” instead of saying “Oh no, never heard of it”.
  7. Don’t let the perfect be the enemy of the good. Secure what you can today even if you can’t afford a super cybersecurity setup. If you can’t afford an alarm system, simply locking your doors every time is better than doing nothing.

Interview with Susan Sentz, Library Director, Northampton Area Public Library 

PL: What awareness of ransomware or hacking did you have before the Fall of 2020? Was it something you’d thought about?

SS: I had awareness to the fact that it is prevalent and that you hear about data breaches in the news. It was not necessarily something that was on my radar in terms of thinking the library would be at risk.  

PL: When did you know something had gone wrong?

SS: We were doing our normal opening routine and my staff could not access our library management software, TLC. At that time, I was trying to log in to my work computer with no success. We decided something may be wrong with our server or that something was updating so we contacted the IT company we use. They were having problems trying to remote into our servers which was the first red flag. Then a staff member noticed that the files on her computer were encrypted, which we relayed to our IT company and that was when we knew it was a ransomware attack. 

PL: What kind of support do you have for IT? I ask because each library is so different. How were they able to respond?

SS: We have one staff member that takes care of operations including updating computers, server, and troubleshooting. We utilize an outside IT company for all other needs regarding the server etc. We do not have a contract or service plan with them; it’s more of an as needed.

PL: What outside resources did you marshal to help out? Police, state police, any outside services?

SS: The only outside service we used was our IT company. For the IT company to bring in a forensic team to find the culprit and how the virus got in it was in the 10s of thousands for said company to just come out not even including all the work they would do. We did not report to Police etc. 

To clarify above I chose the route to clean out whatever was affected and move forward. We did not try to recover lost data. We were fortunate that we had backups and had minimal data loss. 

PL: Did any insurance cover any damages?

SS: Our insurance policy covered regaining access to lost files etc. So, the work that was done by the IT company was covered by insurance. The investigation aspect of it was not covered and that was why we decided not to go that route.

PL: I believe I saw that you had to close. How did you cope with the closure?

SS: We did close for I believe two weeks. This year has been so crazy with COVID to begin with that closing to me just made sense. We did not have access to our collection management software, so there would not have been a good way to lend out items. It took a long time for everything to get cleaned out and operational again.

PL: What kind of lessons do you think modern libraries should learn about ransomware or other hacking attacks? What would you tell someone in your position?

SS: It is important for libraries to take preemptive measures because once you get hit with a ransomware attack it’s too late. Review with staff to not click questionable links in emails, don’t download or allow for updates if you don’t know where it is coming from. Make sure that IT in building or if you outsource has the most up to date software on computers, servers, and firewalls. Staff should have strong passwords and they should be changed on a rotating basis so that they all change around the same time.

For someone in my position I would say you will get through it. Work diligently with your IT support to figure out the best solution for your library to move forward. Don’t forget to contact your insurance company to see what work or recovery would be covered by your policy. Operations will go back to normal!

