The Worst Lesson

Ransomware attacks are forcing schools to rethink their cybersecurity playbooks

• By Michael Mayes
• April 14, 2020

During the week of Jan. 6, the Panama-Buena Vista Union School District, located in Bakersfield, CA, became the first school system in 2020 to publicly report they had been hit by a ransomware attack. The district, with 19 elementary schools, four junior high schools and one alternative school, was hit by an undisclosed strain of ransomware, according to local news reports. Superintendent Kevin Silberberg said the district’s phone system and IT network had suffered “a very aggressive ransomware attack,” disrupting phone systems and preventing students and staff from checking grades online or responding to email.

The attack on Panama-Buena Vista Union is just the latest in an academic year that has seen a spike in ransomware attacks across the United States. Before classes even started in the fall, 46 school districts were hit by ransomware between January and August 2019. Once September arrived, another 31 school districts fell victim to file and data-locking malware. In all, 77 U.S. educational organizations representing over 1,133 individual schools – and serving more than 10,000 students – suffered ransomware attacks last year.

Sadly, the lesson school administrators are learning is that educational institutions are desirable targets for ransomware threat actors because they not only host sensitive personal identifiable information (PII) about students and staff, but when schools fail to function properly, it is very disruptive to the community. The cybercriminals also know that often these entities don’t have sufficient cybersecurity protections in place.

“The attackers know that the services these organizations provide are critical to their communities, and they also know that schools are typically more vulnerable to security attacks because of their limited budgets and lack of IT staff,” said Chris Hinkley, Armor’s head of the Threat Resistance Unit (TRU) research team. “This combination can give the threat actors a tremendous advantage over their victims because they know these entities cannot afford to shut down and are often more likely to pay the ransom.”

In September alone, just as back-to-school efforts were underway, 11 school districts discovered ransomware, forcing several to delay the first day of classes. Flagstaff Unified School District in Arizona and Monroe- Woodbury Central School District in Orange County, N.Y. both delayed classes for several days. Other schools simply resorted to taking attendance on paper and teaching class without technology until systems were restored. While delayed only a few days in most cases, it was a difficult way to start a new year and did little to build confidence among parents.

Richmond Community Schools in Michigan and Pittsburg Unified School District in California both reported in January that malware had infected their networks over the holiday winter break. Richmond Community Schools extended the break while officials addressed the attack. Pittsburg Superintendent Janet Schulze posted a statement on Facebook that their schools would “be teaching and learning like ‘back in the day,’ without laptops and Internet.”

While this was the response from several school districts this academic year when faced with a ransomware infection – to literally go “old school” – these attacks are more than just a nuisance. They also damage the trust of parents in the communities where they occur and can create difficult budgeting decisions for already cash-strapped districts.

Just show the stark difference in the number of ransomware attacks which occurred within the education sector in 2018 as compared to 2019. According to the K-12 Cybersecurity Resource Center, K-12 schools experienced 119 cyber incidents in 2018. Among those 119 incidents, only 9.76 percent (11) were attributed to ransomware.

Ransomware attacks have definitely become much more prolific in the past 12 months, and security defenders believe one reason is because the attacks have become more targeted and, as a result, more lucrative. While many of the ransomware attacks launched prior to FY2019 consisted of the spray-and-pray variety, the hackers seem to have discovered new techniques and strategies whereby they are going after larger and more sensitive targets.

These targets include businesses and public entities which are naturally sensitive to negative incidents that affect business continuity, revenue, public confidence and safety. In addition to educational institutions, other victim industry sectors include municipalities (89), healthcare organizations (47) and managed service providers (MSPs)/cloudbased service providers (20).

What’s more, the adoption of cyber insurance and what appears to be an increase in ransom payouts may be fueling attacks. A number of high-profile ransom payments, whether paid by the victim organization or by their cyber insurance policy, occurred in 2019. Sixteen U.S. organizations publicly reported paying a ransom last year, one of which was the Rockville Centre School District on Long Island, which paid $88,000 to ransomware hackers. In all, 16 total victims publicly reported paying about $2.3 million total to hackers last year.

Hinkley believes many more payouts have been made, but have not been disclosed due to concern over optics. Until last year, most ransomware payments rarely topped six-figure status unless demanded of large corporate entities. Crowder College in Neosha, Missouri saw a $1.6 million ransom demand in July 2019 following an attack, while hackers that seized the files of Monroe College in New York demanded $2 million. The largest ransom demand of the year was asked of Virtual Care Provider, Inc., a Milwaukee-owned network of 110 nursing homes and acute care facilities. Hackers demanded $14 million in bitcoin to release their critical patient files.

Most ransomware before 2019 focused on encrypting data rather than stealing it for later use. Unfortunately, the threat actors behind ransomware families such as Sodin, Maze and Ako have begun stealing data, threatening to release victims’ data publicly in the event they refuse to pay.

What should schools do to protect themselves from ransomware attacks? School Chief Information Security Officers (CISOs) and IT managers should absolutely implement offline, backup procedures and keep those backups air-gapped from the internet and password protected.

Officials should also patch and update their software frequently and consider investing in additional security layers such as endpoint protection, file integrity monitoring and IP reputation monitoring. Most importantly, educational institutions should conduct continuous security awareness training with school administrators and teachers to reduce the number of infections through phishing and spear phishing campaigns.

The one lesson everyone should learn is that these ransomware attacks are pervasive and are more than just mere class disruptions. Security and IT administrators of school districts should include ransomware protection at the top of their curriculum for the rest of the academic year.

This article originally appeared in the March April 2020 issue of Campus Security Today.