Finalsite, a cloud and SaaS service provider to roughly 8,000 schools and universities, has suffered a ransomware attack and hired a third-party forensics team to investigate the attack and assist the recovery, the company disclosed in a January 6, 2022 statement. Finalsite did not mention the name of the cyber forensics team involved in the investigation.
Finalsite positions itself as "the preferred website, communications, enrollment and marketing platform of 8,000+ schools and universities." The ransomware attack arrives roughly one month after private equity firm Veritas Capital acquired Finalsite from Bridge Growth Partners. Also, the attack surfaces roughly two months ahead of the Finalsite University 2022 user conference.
Finalsite Ransomware Attack, Recovery, Restore and Investigation
The Finalsite attack timeline and recovery process look like this, according to information paraphrased by MSSP Alert from Finalsite's status page:
- Tuesday, January 4: Finalsite discloses error rates and performance issues across some of its legacy modules, though the term ransomware is not mentioned. The impacted systems apparently include Groups Manager, Constituent Manager, Login, Forms Manager (old), Registration Manager, Directory Elements, Athletics Manager and Calendar Manager.
- Wednesday, January 5: CTO Tim McDonough says the team worked through the night in an attempt to restore systems, but certain computer systems on the network continue to experience a "disruption." Again, no mention of ransomware is made. By the end of the day, McDonough says significant progress has been made toward restoring systems.
- Thursday, January 6: In a lengthy update, McDonough discloses that ransomware was discovered on the network on January 4, and that a third-party forensics team has been hired to assist with the investigation and recovery. The company has full access to files and data, and sees no evidence that company or customer data was taken.
- Friday, January 7: The vast majority of sites have been restored, though the company still has work to do to "bring everything back to normal."
Tips to Protect Against Ransomware Attacks
To mitigate the risk of ransomware attacks, the FBI and CISA say MSSPs and MSPs should take these seven steps:
- require multi-factor authentication (MFA);
- implement network segmentation;
- scan for vulnerabilities and keep software updated;
- remove unnecessary applications and apply controls — and be sure to investigate any unauthorized software, particularly remote desktop or remote monitoring and management software;
- implement endpoint detection and response (EDR) tools;
- limit access to resources over the network, especially by restricting RDP; and
- secure user accounts.
How MSPs and MSSPs Can Respond to and Recover From Ransomware Attacks
If a ransomware incident occurs, then CISA, the FBI and the NSA recommend the following four actions:
- Follow the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
- Scan your backups. If possible, scan your backup data with an antivirus program to check that it is free of malware.
- Report incidents immediately to CISA at https://us-cert.cisa.gov/report, a local FBI Field Office, or U.S. Secret Service Field Office.
- Apply incident response best practices found in the joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.