Public Schools and Ransomware


Across the US, principals have been coming to work to find systems down. Fraudsters are using ransomware to steal data, lock systems and hold schools to ransom. Increasingly, schools appear to be at the top of the target list. A combination of sensitive data and weak defenses makes them the most tempting of targets.

Furthermore, with resources tight and expertise lacking, improving those defenses is difficult.

Rising attacks

Cyberattacks have been rising across the board throughout the pandemic. However, the biggest threat comes from ransomware. At the end of last year, a joint security alert emerged from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), drawing attention to the growing percentage of cyberattacks targeting public schools.

According to their data, between August and September 57% of ransomware incidents reported to the Multi-State Information Sharing and Analysis Center (MS-ISAC) involved K-12 (kindergarten to 12th grade) schools, compared to 28% in the period from January through to July.[1]

Ransomware often operates with a twin-pronged approach of shutting down systems and threatening to release data on the dark web. According to the FBI, ‘cyber actors likely view schools as targets of opportunity.’

These institutions process vital customer data and serve a crucial function. Bringing a halt to school systems creates widespread social disruption.

Take, for example, the attack against Iowa schools in October 2020, which saw 9GB of data exposed after a distributed denial of service attack. The attack shut down systems, causing widespread disruption to virtual learning. Other attacks followed thick and fast. There was the recent attack against Des Moines Area Community College, which interrupted online courses for more than a week, and the attack against one of the nation’s largest school districts in Florida. A criminal gang encrypted its data and demanded a staggering $40mn in ransom or it would erase the files and publish the personal data.

For the most part, these attacks come from organized criminal gangs, many of which are well known to the FBI. These gangs can often be found lurking in countries such as Russia or China, which do not have extradition treaties with the US and are often happy to turn a blind eye to attacks as long as their national interests are not impacted. Some ransomware has safeguards that deactivate it if it detects languages such as Russian, to avoid harming the interests of the gangs' protectors.

In many cases, states may be content to allow attacks against their geopolitical rivals to proceed unfettered, especially as attacks increasingly appear to focus on elements which can create considerable economic and social disruption.

From corporations to education

The shift in focus towards schools stems from a variety of factors. Many criminal gangs have deployed effective attacks against corporate systems, especially the financial sector. However, as the cost of ransomware has grown, businesses have invested in security. As their defenses become more robust, criminals have turned their attention elsewhere — seeking out high value but less well defended targets.

Schools fit the bill perfectly. In general, the education sector lags behind corporations when it comes to cybersecurity. Federal school budgets are stretched thin, making it difficult to invest in the necessary cybersecurity measures. Resources are insufficient — both in terms of technology and personnel. Partly because of a lack of awareness of the issue, and a basic lack of capacity, many schools lack personnel with the expertise to maintain effective defenses.

Moreover, a single attack against a district could often compromise the systems of multiple schools across the region. As networks are often distributed with little coordination between departments, building and maintaining an effective cybersecurity strategy — across an entire network — can be extremely challenging.

The problem has become even more severe thanks to the pandemic. The need to transition from in-person to remote learning has further increased the system’s reliance on digital technology. The pandemic has forced schools to adopt the capacity to offer remote schooling at short notice, making it difficult to put adequate security measures in place.

According to the World Economic Forum, the changes to our lifestyles brought about by COVID-19 mean that a global cyber pandemic is ‘inevitable’. In a more digitally connected world, a cyber pandemic could potentially spread much faster and cause even more economic damage than the virus itself.

Data rich targets

Weak defenses make schools soft targets, but it’s the data they hold and their importance to society that place them at the top of the cybercriminal’s list of targets. Breaches have locked systems, causing widespread interruption to learning and creating more problems for already overstretched parents.

They’ve exfiltrated sensitive data including tax details, test scores, academic histories and other sensitive personal information belonging to staff and pupils. The importance of operations and the sensitivity of information create — in the eyes of the criminals — a compelling case for schools to pay ransom.

Some do. In June, the University of California San Francisco paid out $1.14mn after a month-long standoff with hackers. The criminals had initially demanded $3mn. The university countered with an offer of $780,000. While negotiations continued, experts had wrestled with the infection, desperately seeking to protect systems.

They are not alone. According to data from antivirus software Kaspersky, around half (56%) of ransomware victims agree to pay a ransom.[2] The FBI officially advises against paying a ransom. Not only does paying encourage hackers and send a message that your institution is likely to pay, but there is also no guarantee the hackers will honor their agreement. Around 17% of those companies which agreed to pay a ransom saw their money wasted.

In other cases the criminals have shown little interest in negotiating. Consider, for example, the ridiculously high demand of $4mn from the school board in Florida. Such a figure is much higher than any educational institution could ever hope to pay. In many cases, a ransom may not be the goal. Hackers may be more interested in selling the data or have non-financial political goals in mind. It’s this latter possibility that is pushing attacks against schools up the national security agenda.

Building defenses

Fighting back against school cyberattacks is an issue of growing national importance and, while it may be more difficult for schools to defend themselves than a better resourced corporation, there are things which can be done. One option lies in the cloud. The growing use of the cloud is a double-edged sword for cybersecurity. On the one hand, placing more information in the digital realm increases exposure to third party risks and creates opportunities for hackers.

On the other hand, it can also build resilience. When the systems of Rockwell Schools District were hacked earlier this year, the fact that many of their operations were cloud-based helped minimize disruption.

Speaking to the Patriot Ledger, Superintendent Alan Cron said, “We're a very cloud-based district and our cloud-based services have not been interrupted.” Operations such as payroll were handled remotely, while schools using Google’s operating system downloaded onto Chromebooks were not affected by the hack. Although he said teachers had to get creative in the classroom, classes were able to continue.

As yet, he said, the attack did not have a cost associated with it, although many of the schools’ computers may have to have their hard drives wiped and operating systems reinstalled.    

Much also depends on the speed of response. There is a wide variance between those schools which identify attacks early and respond quickly, and those which spot problems late and are slow to respond. A quick response can isolate the damage to a few computers, which can prevent it from spreading across a network.

For this, schools should invest in security information and event management (SIEM) processes. These constantly monitor systems, detecting anomalies and flagging potential threats at the earliest possible stage. Alerts can pinpoint a problem, allowing remedial action before it spreads. They can also help teams analyzing the source of an attack to identify areas for future improvement.

Meanwhile, redundancy measures can ensure data is backed up and stored somewhere safe to prevent its loss to hackers. Keeping multiple copies of data offsite or in the cloud limits the damage hackers can do, and may prove a lifeline in the event of an attack.

Into the future

Ultimately, schools must recognize two important truths:

· Attacks are not going away anytime soon.

· Hackers go after soft targets.

The reason why schools have become such popular targets for cybercriminals is that they represent softer options. Anything schools can do to make themselves as difficult to breach as possible will encourage the criminals to go elsewhere in search of easier prey.

However, whatever actions schools take, the threat is likely to continue to grow. The increasing reliance on digital technology has dramatically increased the exposure of education institutions to cybercrime of all kinds, and schools are no different. As tight as budgets may be, investment in cybersecurity is critical.  

There is help on the way. President Biden’s cybersecurity executive order pledges to build the government’s defenses against cyberattacks, including in schools. IBM also recently announced grants worth $3mn to US schools in the form of in-kind services to help schools reduce their exposure to cybercrime.

Cybersecurity is rising up the national agenda. Schools are investing heavily in programs, technology and training to build their capacity. It’s a never-ending game of cat and mouse in which every advance in defense is countered by the attackers. By investing in cybersecurity and giving it the importance it deserves, schools can reduce the risks of an attack and the damage done when it happens.


1. CISA and FBI Warn of Rise in Ransomware.

2. Over Half of Victims Pay Ransomware. 
