The education sector is experiencing a spate of cyberattacks. In 2018, there were 122 cyber incidents targeting public K-12 schools, of which 11 involved ransomware. In July 2019, there were ransomware attacks against school districts in New Mexico, Connecticut and New York state. Malicious actors also penetrated school networks in Nevada, Louisiana and Alabama, causing disruption and, in one case, delaying the start of the school year. Ransomware and phishing are serious issues confronting schools and school system administrators as well as their IT departments.
Schools and school systems present an inviting target for cyber attackers. There are two primary reasons for this. Educational institutions typically lack the budget and personnel to implement robust cybersecurity countermeasures. With limited IT resources, they may be unable to keep up with patch management and comparable maintenance processes that keep systems safe from exploits.
School systems also have money. This may not feel true, given how cash-strapped most districts are, but hackers understand that school systems are caught in a bind: they have to deliver educational services to students (often with state and federal penalties for failing to be in session a certain number of days a year). Faced with penalties (and irate parents), they may opt to pay a ransom rather than shut down until they can restore their systems. Not all cities pay, however. Attackers in a recent Texas ransomware episode will not be getting paid.
The attacks on schools are part of a bigger picture. Ransomware attacks against government targets have escalated in recent years. City governments in Atlanta and Baltimore were both paralyzed by ransomware last year. As of today, a remarkable attack is unfolding in Texas, where 23 small municipalities have been taken down by what is thought to be a single ransomware attacker. Like schools, small city governments have rich personal data on citizens and are under pressure to deliver services. They have money, usually not a lot, but enough to attract attackers. They may also have cyber insurance they can use to pay ransoms.
Ransomware and Its Increase in Targeting School Districts
Ransomware is a hacking technique that involves encrypting the target’s data and demanding a ransom (paid in cryptocurrency like Bitcoin) in exchange for decrypting it. For the attacker to succeed, he or she must gain access to the school system’s network, servers and databases. Apparently, it’s not hard to hack a school, as was revealed at this year’s Def Con hacker conference.
At the conference, an 18-year-old student/hacker named Bill Demirkapi revealed multiple vulnerabilities in software used at his school. These included exploitable vulnerabilities in Blackboard's Community Engagement software and Follett's Student Information System. Demirkapi demonstrated that he could conduct SQL injection and XML inclusion attacks that would enable him to steal personally identifiable information or even modify his grades.
Notable recent examples of ransomware attacks affecting school districts include:
- Louisiana schools – Three school districts in this state were struck by a ransomware attacker in July 2019. The attack crippled several phone and IT systems. The Governor activated the state’s emergency cybersecurity powers (created for just this kind of incident). This move makes it possible for the state to bring in the National Guard along with cyber experts and law enforcement. The schools lost all of their current data, but claim that no personal data was exposed.
- Columbia Falls School District – The Columbia Falls, Georgia, district was attacked and threatened with a data lockup unless the hackers received $150,000. The attack featured strange, violent statements that at first were not understood to be part of a hacking attack, along with the threat to expose student names, addresses and grades.
- Syracuse – Syracuse, New York city schools experienced a ransomware attack that locked down one of their computer systems. The district paid the ransom, part of which was covered by insurance. However, even after paying, they were still locked out of their servers.
- Gadsden school district in New Mexico – this district lost its email server to ransomware the day before school started.
- New Haven public schools – Systems were compromised in this Connecticut city’s school systems. However, the IT department was able to restore critical functions.
SamSam and WannaCry
SamSam and WannaCry are two of the most common and potent threat vectors for ransomware attacks. They both exploit unpatched systems. SamSam is dedicated ransomware software. It’s not available on dark web “stores” for common use like Locky and others. SamSam is manually deployed on the target’s networks. It can lurk undetected inside networks for months. WannaCry, a worm, is automated. Both encrypt data on systems they infect.
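Both families end the same way: documents on shared drives are replaced with ciphertext, usually renamed, often next to a ransom note. The following Python example, added here and not part of the original article or of any vendor product, shows the file-level indicators a school IT department can monitor for on a file server. The share snapshot, the extension and note-name lists, and the entropy threshold are constructed assumptions for illustration, not values taken from the SamSam or WannaCry cases.

```python
import math
from collections import Counter

# Constructed stand-in for a file-share snapshot: relative path -> file bytes.
# Assumptions (not from the article): ransomware leaves high-entropy ciphertext
# in place of documents, often renames them with a new extension, and drops a
# ransom note. The byte patterns, names, and thresholds here are invented.
HIGH_ENTROPY_BLOB = bytes(range(256)) * 4          # uniform bytes: entropy 8.0
SAMPLE_SHARE = {
    "grades/q1_report.docx": b"Student report card, quarter 1. " * 30,
    "grades/q1_report.docx.locked": HIGH_ENTROPY_BLOB,
    "attendance/aug.xlsx.locked": HIGH_ENTROPY_BLOB,
    "attendance/readme_to_decrypt.txt": b"Your files are encrypted. Contact us to recover them.",
    "memos/welcome.txt": b"Welcome back to school. " * 10,
}

SUSPECT_EXTENSIONS = {".encrypted", ".locked", ".crypt", ".wncry"}
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover.txt", "decrypt_instructions.txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8.0 for encrypted or compressed data,
    typically 4-5 for plain English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str, data: bytes, entropy_threshold: float = 7.5) -> list:
    """Return the list of ransomware indicators that apply to one file."""
    name = path.rsplit("/", 1)[-1].lower()
    reasons = []
    if name in RANSOM_NOTE_NAMES:
        reasons.append("ransom_note")
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in SUSPECT_EXTENSIONS:
        reasons.append("suspect_extension")
    if shannon_entropy(data) >= entropy_threshold:
        reasons.append("high_entropy")
    return reasons


def assess_share(files: dict, ratio_threshold: float = 0.5) -> dict:
    """Flag a share when a ransom note is present or when at least
    ratio_threshold of its files carry ransomware indicators."""
    findings = {p: classify_file(p, d) for p, d in files.items()}
    suspicious = {p: r for p, r in findings.items() if r}
    note_present = any("ransom_note" in r for r in suspicious.values())
    ratio = len(suspicious) / len(files) if files else 0.0
    return {
        "flagged": note_present or ratio >= ratio_threshold,
        "suspicious_count": len(suspicious),
        "total": len(files),
        "findings": suspicious,
    }


if __name__ == "__main__":
    report = assess_share(SAMPLE_SHARE)
    print("flagged:", report["flagged"], f"({report['suspicious_count']}/{report['total']} files)")
    for path, reasons in report["findings"].items():
        print(f"  {path}: {', '.join(reasons)}")
```

Entropy alone is a weak signal (compressed office formats and images are also high-entropy), which is why the check combines it with renamed extensions and note files, and why it scores a whole share rather than alerting on a single file. In practice a scan like this runs on a schedule against the file server and feeds an alert, not a blocking action.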
Phishing Attacks on School Districts
A phishing attack involves tricking the recipient of an email to download malware, visit a fraudulent website or open a file containing malware. Spear phishing, a variant on the attack method, personalizes the attack, making it seem as if an email is coming from a friend or colleague. Both have the same effect.
School districts are vulnerable to phishing attacks. One reason is that employees may have low levels of awareness of phishing dangers. Also, district employees may not find it strange to get a PDF or Word document sent by an unknown person. "It could be from a parent of a student," they might think, so they open the document and then…problems. Phishing attacks can also have the victims filling out forms on fraudulent websites that lead to invoice and payments to entities that look legitimate but are in fact criminal enterprises.
Keith R. Krueger, chief executive of the Consortium for School Networking, a group that represents school technology employees, described the phishing risk exposure in the New York Times by noting, “Cyberattacks on school districts and other organizations begin when an employee — perhaps someone in the financial office, where a lot of sensitive information is stored — opens an email that appears to have come from a supervisor or even the district superintendent, but in fact carries malware that compromises the employee’s computer and the district’s network.”
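The scenario Krueger describes (a familiar name, an unfamiliar address, a payment request with a document attached) is exactly the kind of message a district mail gateway can score before it reaches the finance office. The Python example below is added here to illustrate that triage; it is not code from the article or from any mail-security product. The district domain, the staff directory, the keyword and extension lists and the two sample messages are all constructed placeholders.

```python
import email
import email.policy
import os
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions (not from the article): the district's mail domain and its staff
# directory are constructed placeholders; the keyword and extension lists are
# illustrative, not a vendor rule set.
DISTRICT_DOMAIN = "district.example"
STAFF_DIRECTORY = {                      # display name -> the only legitimate address
    "dana lee": "dana.lee@district.example",      # e.g. the superintendent
    "sam ortiz": "sam.ortiz@district.example",    # e.g. the finance office
}
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".zip", ".iso"}
URGENCY_WORDS = ("urgent", "immediately", "wire", "invoice", "payment", "gift card")


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw_message: str) -> dict:
    """Score one raw RFC 5322 message and recommend deliver/review/quarantine."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    known = STAFF_DIRECTORY.get(name.strip().lower())
    # 1. A familiar name on an unfamiliar address: the "email from the
    #    superintendent" pattern described above.
    if known and addr.lower() != known:
        findings.append(f"display name '{name}' matches staff but sender is {addr}")

    # 2. Replies silently redirected to a different domain.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append(f"Reply-To {reply_to} does not match sender domain {_domain(addr)}")

    # 3. Attachment types that commonly carry macros or executables.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if os.path.splitext(filename)[1] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {filename}")

    # 4. Pressure language in the subject, typical of payment-fraud phishing.
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"urgency/payment wording in subject: {', '.join(hits)}")

    score = len(findings)
    action = "quarantine" if score >= 2 else "review" if score == 1 else "deliver"
    return {"score": score, "action": action, "findings": findings}


def build_sample_phish() -> str:
    """Constructed message imitating the supervisor-impersonation scenario."""
    m = EmailMessage()
    m["From"] = "Dana Lee <dana.lee@lookalike.example.net>"
    m["Reply-To"] = "accounts@payments.example.org"
    m["To"] = "sam.ortiz@district.example"
    m["Subject"] = "URGENT: vendor invoice payment needed today"
    m.set_content("Please process the attached invoice before noon. Thanks, Dana")
    m.add_attachment(b"constructed placeholder bytes, not a real archive",
                     maintype="application", subtype="zip", filename="invoice.zip")
    return m.as_string()


def build_sample_legit() -> str:
    """Constructed benign message from the real staff address."""
    m = EmailMessage()
    m["From"] = "Dana Lee <dana.lee@district.example>"
    m["To"] = "sam.ortiz@district.example"
    m["Subject"] = "Board meeting agenda"
    m.set_content("Agenda is on the shared calendar invite.")
    return m.as_string()


if __name__ == "__main__":
    for raw in (build_sample_phish(), build_sample_legit()):
        result = triage(raw)
        print(result["action"], result["score"])
        for finding in result["findings"]:
            print("  -", finding)
```

The display-name check is the one that matters most for the supervisor scenario: the forged address passes SPF for its own domain, so only the mismatch between a trusted name and its directory address gives it away. A real deployment would also record these findings for the IT department so that a "review" verdict can be confirmed with the supposed sender by phone, which is the awareness step the training section below is about.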
Recent examples of phishing attacks against educational institutions include:
- Spotsylvania Schools – the phishing attackers posed as contractors to the district and were able to defraud Spotsylvania, Virginia schools of over $600,000. Law enforcement has been able to recover about half the money.
- Lancaster University – this university experienced a data breach that began with a phishing attack. Attackers accessed college application data and sent fraudulent invoices to applicants.
Mitigating the Risks of Ransomware and Phishing
What can be done about these risks for school systems? Dire as the situation may seem, there are a number of steps educational institutions can take to become more secure in the face of ransomware and phishing threats. These fall into three categories: technology, training and awareness, and working with service providers and advisors.
Technology
While resources may be limited, it’s wise to allocate as much as possible to installing anti-malware, firewall and endpoint protection software. Other best practices include:
- Implement a strong password policy and enforce password rotation. Prohibit password reuse.
- Regularly back up data to unconnected sites. If the district’s data is off-site or on a cloud server that requires different login credentials from the main network, there will be the potential to restore data that has been locked up.
- Patch as much as possible.
- Lock down remote desktop and remote admin tools.
- Implement anti-ransomware protection. There are specific packages for this purpose.
- Install anti-phishing filter software and/or phishing detection tools.
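The backup item in that list is the control that decides whether a district restores or pays, and a backup only counts if someone has checked that the copy still matches what was backed up. The Python example below, added here and not taken from the article or any backup product, records a SHA-256 manifest at backup time and later verifies the copy, reporting files that were altered, removed or added, which is what an encryption run that reached the backup store looks like. The share contents, paths and manifest file name are constructed assumptions.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"   # assumption: manifest stored beside the copied files


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root (POSIX form) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_backup(source: Path, dest: Path) -> dict:
    """Copy source into dest and record a manifest taken from the ORIGINAL
    files, so later verification compares the copy against what was backed up."""
    manifest = build_manifest(source)
    shutil.copytree(source, dest)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(dest: Path) -> dict:
    """Recompute hashes in dest and report modified, missing and unexpected files."""
    expected = json.loads((dest / MANIFEST_NAME).read_text())
    actual = build_manifest(dest)
    modified = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    missing = sorted(p for p in expected if p not in actual)
    unexpected = sorted(p for p in actual if p not in expected)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> tuple:
    """Back up a constructed share, verify it, then simulate an encryption run
    that reached the backup copy and verify again. Returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, dest = tmp / "share", tmp / "backup"
        (source / "grades").mkdir(parents=True)
        # Constructed sample data, not real student records.
        (source / "grades" / "q1.csv").write_text("student,grade\nA. Student,B+\n")
        (source / "memo.txt").write_text("Welcome back.\n")
        write_backup(source, dest)
        clean = verify_backup(dest)
        # Simulated ransomware on the backup store: one file overwritten in place,
        # one renamed with a new extension and filled with ciphertext-like bytes.
        (dest / "memo.txt").write_bytes(bytes(range(256)))
        (dest / "grades" / "q1.csv").rename(dest / "grades" / "q1.csv.locked")
        (dest / "grades" / "q1.csv.locked").write_bytes(bytes(range(256)))
        tampered = verify_backup(dest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("after backup:", clean)
    print("after simulated encryption:", tampered)
```

The manifest is only as trustworthy as the place it sits: an attacker with write access to the backup target can rewrite MANIFEST.json along with the files. That is why the article's point about separate credentials matters in practice; keep a copy of the manifest (or at least its hash) somewhere the backup job's credentials cannot write, and run the verification from there.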
Training and awareness
This is more relevant to phishing than ransomware, though the two attack techniques are often linked. Training employees to avoid opening emails from unknown sources (or strange looking attachments) can avert the worst of phishing attacks. Awareness of impersonation (aka “social engineering”) can also reduce the potential impact of attempts to defraud the school system by online deception.
Working with service providers and advisors
Security consultants can help a school system establish best practices and infrastructure for stronger security. It need not be an ongoing engagement. An annual review and advisory session may be enough to establish a higher level of defense of digital assets. Another option that’s gaining traction in education is to work with a Managed Security Service Provider (MSSP). These third parties take on the hard work of monitoring networks and responding to security alerts. In some states, the state government itself provides MSSP services to smaller government entities.
Ransomware and phishing threats are serious and will likely continue until they are stopped by stronger security countermeasures. There is a lot at stake! Student and family privacy is at risk. Schools cannot fulfill their educational missions and state mandated requirements if their systems are locked up. Defense is possible, however. With a focus on cybersecurity basics, advisory from experienced third parties and perhaps reliance on MSSPs, schools and school districts can reduce their exposure to ransomware and phishing risks.