Ransomware is hitting Schools with Fervor

Posted on by Robert Ackerman

Ransomware has become pervasive and increasingly troublesome, but at least regular people have been largely spared the pain outside of work. Among the victims in recent months have been oil pipeline companies, huge food processors and hospital chains, but not Joe or Susie Average.

Unfortunately, however, this relative piece of good news started fading last year and now is disappearing altogether. The rank-and-file victims have been among the most vulnerable of all—mostly young students. While some attend universities, far more attend K-12 schools nationwide.

How big is the problem? Last August and September, the latest data available, the FBI reported that 57 percent of known ransomware incidents involved K-12 schools. That was more than twice the number of school ransomware attacks reported in the earlier months of 2020. Scores of ransomware attacks have already occurred in public school districts in 2021, according to cybersecurity company Recorded Future.

The most outrageous attack occurred in March. That was when the country’s sixth-largest school district—metropolitan Fort Lauderdale—was threatened with the release of data—including data about students themselves—unless the district paid a $40 million ransom. That amounted to 10 percent of the district’s budget and was among the biggest ransomware demands ever, although the school district managed to restore its systems without payment.

Other K-12 ransomware attacks since last year have occurred in Baltimore; northern Virginia; Huntsville, Alabama; Fort Worth, Texas; Hartford, Connecticut; and Haverhill, Massachusetts. This is only a partial list, and many schools—like many ransomware victims in general—don’t even bother reporting attacks. Ransomware payouts over the past year have generally ranged between $35,000 and more than $1 million.

It might seem strange that public schools have become huge targets. After all, few school districts have fat budgets. Many, in fact, struggle to pay for basic operations, such as employee salaries and air conditioning. But public schools have sub-par security and increasingly purchase cybersecurity insurance.

The number of attacks fell dramatically this summer as many schools were closed, but they’re opening up again. Fresh attacks are sure to follow. Until now, many targeted remote students had sent their homework to teachers via vulnerable email attachments. Now, most will be attending schools physically, but many students will continue to submit homework online because they periodically take days off for sickness or other reasons. 

School ransomware attacks show no one is immune from ransomware anymore. Hackers obviously care about the size of a potential jackpot but also about the ease of penetrating a target—an Achilles heel for most schools.

School systems generally use a less expensive and less secure version of Microsoft Windows and typically make do with aging computer architecture. Moreover, when they do back up data, they usually back it up onsite or at a facility connected directly to the school system. This leaves backups, often the way to avoid paying a ransom, vulnerable to a lockdown along with the rest of the computer systems. Making matters worse, a report by IBM says that 60 percent of teachers received no additional security training during the pandemic—a hotbed of increased cyberattacks—and 50 percent received no cybersecurity training whatsoever.

School ransomware attacks have contributed to an egregious one-two punch. Over roughly the past 18 months, most K-12 students and teachers were forced to embrace remote online learning for the first time, and I’ve read from the news and heard from close friends that it was relatively ineffective. Students started returning en masse to schools toward the end of the 2020-2021 school year, but many still did not, and their education was diminished, courtesy of ransomware attacks.

Some schools have paid ransoms, undermining already tight school budgets. Others, such as the Baltimore County public school system, stopped teaching for a couple of days and, in at least one case, in Hartford, CT, delayed the start of the new academic year for both online and in-person instruction.

To better protect themselves, schools would be well served by backing up their computer systems in the cloud. While this requires more funding for security, it isn’t overly expensive. It would require more IT talent, however.

It would also be worthwhile to train teachers in cybersecurity to some extent. One thing they could do is get in the habit of right-clicking on email attachments to scan for malware before opening them. Hackers know that teachers are often the recipients of student schoolwork sent via email, and so they hijack students’ identities.

Here are additional technical tips to help mitigate ransomware attacks:

+ Create a backup for your data, preferably one with high security. Bear in mind that the providers of this service are not created equal. In the best-case scenario, a quality provider will be able to recover your data quickly and easily. A poor service provider offers no such benefits.

+ Implement multi-factor authentication. This requires multiple credentials to log in to an account, reducing the chance of a bad actor stealing a password and accessing the system.

+ If you haven’t already, implement patching to fix security vulnerabilities in software. Be aware that once patches are released, hackers can reverse engineer the update to figure out the glitch and exploit it in systems that aren’t patched quickly enough. So make sure to patch and update all software as soon as possible or set automatic updates.

+ Conduct daily scans on all systems. The sooner you can identify an attack, the sooner you can eliminate it. Attackers often probe a system with a minor attack. If it isn’t detected and repulsed, then the next attack can be crippling.

+ Phish your own people. It’s crucial to train users how to recognize phishing attacks, the source of most ransomware attacks. Schools should send fake phishing emails and see who clicks on the malicious links. This identifies weak human links in your chain and also educates the entire school community about how to detect phishing attacks.

What school administrators should never do is fall into the trap of thinking that the purchase of a particular service can protect their school community. No such service exists. As the aforementioned tips illustrate, protecting school districts is a complicated and continually shifting endeavor.

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
