The Worst Lesson

Ransomware attacks are forcing schools to rethink their cybersecurity playbooks

During the week of Jan. 6, the Panama-Buena Vista Union School District, located in Bakersfield, CA, became the first school system in 2020 to publicly report they had been hit by a ransomware attack. The district, with 19 elementary schools, four junior high schools and one alternative school, was hit by an undisclosed strain of ransomware, according to local news reports. Superintendent Kevin Silberberg said the district’s phone system and IT network had suffered “a very aggressive ransomware attack,” disrupting phone systems and preventing students and staff from checking grades online or responding to email.

The attack on Panama-Buena Vista Union is just the latest in an academic year that has seen a spike in ransomware attacks across the United States. Before classes even started in the fall, 46 school districts were hit by ransomware between January and August 2019. Once September arrived, another 31 school districts fell victim to file and data-locking malware. In all, 77 U.S. educational organizations representing over 1,133 individual schools – and serving more than 10,000 students – suffered ransomware attacks last year.

Sadly, the lesson school administrators are learning is that educational institutions are desirable targets for ransomware threat actors, not only because they host sensitive personally identifiable information (PII) about students and staff, but also because a school that fails to function properly is very disruptive to the community. The cybercriminals also know that these entities often don’t have sufficient cybersecurity protections in place.

“The attackers know that the services these organizations provide are critical to their communities, and they also know that schools are typically more vulnerable to security attacks because of their limited budgets and lack of IT staff,” said Chris Hinkley, Armor’s head of the Threat Resistance Unit (TRU) research team. “This combination can give the threat actors a tremendous advantage over their victims because they know these entities cannot afford to shut down and are often more likely to pay the ransom.”

In September alone, just as back-to-school efforts were underway, 11 school districts discovered ransomware, forcing several to delay the first day of classes. Flagstaff Unified School District in Arizona and Monroe-Woodbury Central School District in Orange County, N.Y. both delayed classes for several days. Other schools simply resorted to taking attendance on paper and teaching class without technology until systems were restored. While delayed only a few days in most cases, it was a difficult way to start a new year and did little to build confidence among parents.

Richmond Community Schools in Michigan and Pittsburg Unified School District in California both reported in January that malware had infected their networks over the holiday winter break. Richmond Community Schools extended the break while officials addressed the attack. Pittsburg Superintendent Janet Schulze posted a statement on Facebook that their schools would “be teaching and learning like ‘back in the day,’ without laptops and Internet.”

While this was the response from several school districts this academic year when faced with a ransomware infection – to literally go “old school” – these attacks are more than just a nuisance. They also damage the trust of parents in the communities where they occur and can create difficult budgeting decisions for already cash-strapped districts.

Consider the stark difference in the number of ransomware attacks that occurred within the education sector in 2018 compared with 2019. According to the K-12 Cybersecurity Resource Center, K-12 schools experienced 119 cyber incidents in 2018. Among those 119 incidents, only 9.76 percent (11) were attributed to ransomware.

Ransomware attacks have definitely become much more prolific in the past 12 months, and security defenders believe one reason is that the attacks have become more targeted and, as a result, more lucrative. While many of the ransomware attacks launched prior to FY2019 were of the spray-and-pray variety, the hackers seem to have discovered new techniques and strategies for going after larger and more sensitive targets.

These targets include businesses and public entities which are naturally sensitive to negative incidents that affect business continuity, revenue, public confidence and safety. In addition to educational institutions, other victim industry sectors include municipalities (89), healthcare organizations (47) and managed service providers (MSPs)/cloud-based service providers (20).

What’s more, the adoption of cyber insurance and what appears to be an increase in ransom payouts may be fueling attacks. A number of high-profile ransom payments, whether paid by the victim organization or by their cyber insurance policy, occurred in 2019. Sixteen U.S. organizations publicly reported paying a ransom last year, one of which was the Rockville Centre School District on Long Island, which paid $88,000 to ransomware hackers. In all, those 16 victims publicly reported paying about $2.3 million to hackers last year.

Hinkley believes many more payouts have been made, but have not been disclosed due to concern over optics. Until last year, most ransomware payments rarely topped six-figure status unless demanded of large corporate entities. Crowder College in Neosho, Missouri saw a $1.6 million ransom demand in July 2019 following an attack, while hackers that seized the files of Monroe College in New York demanded $2 million. The largest ransom demand of the year was asked of Virtual Care Provider, Inc., a Milwaukee-owned network of 110 nursing homes and acute care facilities. Hackers demanded $14 million in bitcoin to release their critical patient files.

Most ransomware before 2019 focused on encrypting data rather than stealing it for later use. Unfortunately, the threat actors behind ransomware families such as Sodin, Maze and Ako have begun stealing data, threatening to release victims’ data publicly in the event they refuse to pay.

What should schools do to protect themselves from ransomware attacks? School Chief Information Security Officers (CISOs) and IT managers should absolutely implement offline backup procedures and keep those backups air-gapped from the internet and password protected.

Officials should also patch and update their software frequently and consider investing in additional security layers such as endpoint protection, file integrity monitoring and IP reputation monitoring. Most importantly, educational institutions should conduct continuous security awareness training with school administrators and teachers to reduce the number of infections through phishing and spear phishing campaigns.

The one lesson everyone should learn is that these ransomware attacks are pervasive and are more than mere class disruptions. Security and IT administrators of school districts should put ransomware protection at the top of their curriculum for the rest of the academic year.

This article originally appeared in the March April 2020 issue of Campus Security & Life Safety.
