The Worst Lesson

The Worst Lesson

Ransomware attacks are forcing schools to rethink their cybersecurity playbooks

During the week of Jan. 6, the Panama-Buena Vista Union School District, located in Bakersfield, CA, became the first school system in 2020 to publicly report they had been hit by a ransomware attack. The district, with 19 elementary schools, four junior high schools and one alternative school, was hit by an undisclosed strain of ransomware, according to local news reports. Superintendent Kevin Silberberg said the district’s phone system and IT network had suffered “a very aggressive ransomware attack,” disrupting phone systems and preventing students and staff from checking grades online or responding to email.

The attack on Panama-Buena Vista Union is just the latest in an academic year that has seen a spike in ransomware attacks across the United States. Before classes even started in the fall, 46 school districts were hit by ransomware between January and August 2019. Once September arrived, another 31 school districts fell victim to file and data-locking malware. In all, 77 U.S. educational organizations representing over 1,133 individual schools – and serving more than 10,000 students – suffered ransomware attacks last year.

Sadly, the lesson school administrators are learning is that educational institutions are desirable targets for ransomware threat actors because they not only host sensitive personal identifiable information (PII) about students and staff, but when schools fail to function properly, it is very disruptive to the community. The cybercriminals also know that often these entities don’t have sufficient cybersecurity protections in place.

“The attackers know that the services these organizations provide are critical to their communities, and they also know that schools are typically more vulnerable to security attacks because of their limited budgets and lack of IT staff,” said Chris Hinkley, Armor’s head of the Threat Resistance Unit (TRU) research team. “This combination can give the threat actors a tremendous advantage over their victims because they know these entities cannot afford to shut down and are often more likely to pay the ransom.”

In September alone, just as back-to-school efforts were underway, 11 school districts discovered ransomware, forcing several to delay the first day of classes. Flagstaff Unified School District in Arizona and Monroe- Woodbury Central School District in Orange County, N.Y. both delayed classes for several days. Other schools simply resorted to taking attendance on paper and teaching class without technology until systems were restored. While delayed only a few days in most cases, it was a difficult way to start a new year and did little to build confidence among parents.

Richmond Community Schools in Michigan and Pittsburg Unified School District in California both reported in January that malware had infected their networks over the holiday winter break. Richmond Community Schools extended the break while officials addressed the attack. Pittsburg Superintendent Janet Schulze posted a statement on Facebook that their schools would “be teaching and learning like ‘back in the day,’ without laptops and Internet.”

While this was the response from several school districts this academic year when faced with a ransomware infection – to literally go “old school” – these attacks are more than just a nuisance. They also damage the trust of parents in the communities where they occur and can create difficult budgeting decisions for already cash-strapped districts.

Just show the stark difference in the number of ransomware attacks which occurred within the education sector in 2018 as compared to 2019. According to the K-12 Cybersecurity Resource Center, K-12 schools experienced 119 cyber incidents in 2018. Among those 119 incidents, only 9.76 percent (11) were attributed to ransomware.

Ransomware attacks have definitely become much more prolific in the past 12 months, and security defenders believe one reason is because the attacks have become more targeted and, as a result, more lucrative. While many of the ransomware attacks launched prior to FY2019 consisted of the spray-and-pray variety, the hackers seem to have discovered new techniques and strategies whereby they are going after larger and more sensitive targets.

These targets include businesses and public entities which are naturally sensitive to negative incidents that affect business continuity, revenue, public confidence and safety. In addition to educational institutions, other victim industry sectors include municipalities (89), healthcare organizations (47) and managed service providers (MSPs)/cloudbased service providers (20).

What’s more, the adoption of cyber insurance and what appears to be an increase in ransom payouts may be fueling attacks. A number of high-profile ransom payments, whether paid by the victim organization or by their cyber insurance policy, occurred in 2019. Sixteen U.S. organizations publicly reported paying a ransom last year, one of which was the Rockville Centre School District on Long Island, which paid $88,000 to ransomware hackers. In all, 16 total victims publicly reported paying about $2.3 million total to hackers last year.

Hinkley believes many more payouts have been made, but have not been disclosed due to concern over optics. Until last year, most ransomware payments rarely topped six-figure status unless demanded of large corporate entities. Crowder College in Neosha, Missouri saw a $1.6 million ransom demand in July 2019 following an attack, while hackers that seized the files of Monroe College in New York demanded $2 million. The largest ransom demand of the year was asked of Virtual Care Provider, Inc., a Milwaukee-owned network of 110 nursing homes and acute care facilities. Hackers demanded $14 million in bitcoin to release their critical patient files.

Most ransomware before 2019 focused on encrypting data rather than stealing it for later use. Unfortunately, the threat actors behind ransomware families such as Sodin, Maze and Ako have begun stealing data, threatening to release victims’ data publicly in the event they refuse to pay.

What should schools do to protect themselves from ransomware attacks? School Chief Information Security Officers (CISOs) and IT managers should absolutely implement offline, backup procedures and keep those backups air-gapped from the internet and password protected.

Officials should also patch and update their software frequently and consider investing in additional security layers such as endpoint protection, file integrity monitoring and IP reputation monitoring. Most importantly, educational institutions should conduct continuous security awareness training with school administrators and teachers to reduce the number of infections through phishing and spear phishing campaigns.

The one lesson everyone should learn is that these ransomware attacks are pervasive and are more than just mere class disruptions. Security and IT administrators of school districts should include ransomware protection at the top of their curriculum for the rest of the academic year.

This article originally appeared in the March April 2020 issue of Campus Security Today.

Featured

  • Black Hills State University Takes an Open, Scalable Approach to Video Security

    Black Hills State University recognized the need for a centralized video system to improve campus security and streamline operations. The university sought a solution that could unify its main campus with a satellite location, enable cross-department access, and scale with future growth. By implementing open platform video technology, BHSU laid the foundation for a comprehensive, flexible, and scalable security infrastructure. Read Now

  • Pennsylvania School Uses Locked, Rolling Security Grille to Control Spectators, Secure Building

    St. Jude School in Mountain Top, Pennsylvania, is a private Catholic elementary school that serves students from Pre-K through grade 8. Recognized as a Blue Ribbon School by the U.S. Department of Education, St. Jude offers diverse educational programs designed to foster a nurturing and challenging learning environment, and extracurricular activities like sports are an integral part of promoting teamwork, discipline, and physical fitness. Read Now

  • Fire-Rated Glazing Assemblies Modernize Academic and Social Hub

    In spring 2023, the University of Pittsburgh opened the doors to a seven-story west wing addition to Alan Magee Scaife Hall. The medical school building features several updated lecture halls, labs and classrooms. It also includes team-based learning and small group rooms as well as an entire floor dedicated to medical students. This floor is meant for students to congregate, study and build community. Read Now

  • Access Control Trends Continue to Strengthen School Safety Security

    Class period bells have been ringing across campuses for a few months now, but that doesn’t mean the subject of safety was fully settled before the start of the new school year. As one wise person once said, “It’s a journey, not a destination”. That’s why it remains a leading issue among administrators, faculty, students, and communities. Schools are striving to be at the top of their class when it comes to the ability to control access instantly and securely, monitor suspicious behavior accurately and consistently, and respond to threats immediately and effectively. Ultimately, they aim to provide a reassuring, comfortable, and conducive environment for a rich learning experience. These goals apply whether at a community college in Southern California, a major university in Pennsylvania, or a rural K-12 district in Michigan. Read Now