As Classes Resume, Schools Face Ransomware RiskWhy School Districts, Universities Are Prime Targets
Cybersecurity professionals expect a spike in ransomware attacks against school districts and universities this fall as new hybrid learning environments go online and unpatched equipment that has spent months in the homes of students and faculty is reconnected to school networks.
See Also: Healthcare Sector Threat Brief
Schools were in the crosshairs of cybercriminals before COVID-19 shut down classes across the country in March. While there was a dip in attacks as instruction moved online, ransomware incidents have become more common in recent weeks, says Doug Levin president of EdTech Strategies and the K-12 Cybersecurity Resource Center.
"We're definitely starting to see an uptick in ransomware affecting schools. We've already seen at least three school districts that have delayed the opening of school," Levin tells Information Security Media Group.
So far this year, 45 school districts and universities have been hit with ransomware, compared to 89 in 2019, according to Brett Callow, a threat analyst with the security firm Emsisoft.
Among the most recent incidents, the Haywood County, North Carolina school district was hit by a ransomware attack Monday. A North Carolina National Guard cybersecurity unit is helping with the forensic investigation, according to WLOS TV.
In another recent incident, the University of Utah paid a $457,000 ransom to avoid having stolen data disclosed by hackers (see: University of Utah Pays Ransom to Avoid Data Disclosure).
More Attacks Expected
Levin and Callow expect ransomware attacks on schools to surge when some computer equipment returns to the classroom and offices.
Many devices were quickly purchased at the start of the pandemic and then sent home with students, faculty and staff, operating outside the protective walls of a school's network. Some of these devices may have been infected with malware while being used at home, and this malicious code could activate once these devices are linked to schools' IT networks, security experts say. Hiding in a system for months is a standard ransomware attack tactic, Levin says.
The new hybrid learning environment - with a mix of classroom and home-based education - being put in place at schools and universities is creating additional attack points, says Shimon Oren, vice president of research and deep learning at the security firm Deep Instinct.
"Since a lot of this access was from home networks and home machines, schools didn't, and don't, have any way of protecting those devices," Oren says. "A student or staff member can now be targeted by a successful attack while working from home. This new attack pathway enables the attacker to silently access the network and cause vast amounts of damage before the school’s security team even notices."
Another issue that makes schools vulnerable during this time of year is that faculty and staff coming back to work have a backlog of emails, and, in a rush to get through them, they may click on malicious links and attachments.
Plus, cybercriminals will use COVID-19 and the upcoming election as social engineering tools to trick teachers and staff into opening and clicking on phishing emails, security experts predict.
School Districts Distracted
Before the pandemic, many school districts were improving their ability to deal with ransomware attacks, according to security pros. But today, many school IT departments face long to-do lists, with cybersecurity not necessarily a top priority.
IT teams have been working on creating the remote environment and adding end points to their networks - and cybersecurity has taken a back seat, Levin says.
"Exacerbating the situation, educational institutions are stretched to cover their security needs under normal circumstances,” Oren says. “Now it is even worse with students and staff scattered remotely outside the network. Attackers appear to be aware of this vulnerability and aren't hesitating to manipulate the situation to coerce schools to pay high ransom amounts to resume normalcy.”
At many educational institutions, money that had been earmarked for cybersecurity was spent on more pressing issues, Levin says, such as buying laptops finding hotspots so students could get online.
Schools have found that any federal stimulus funding they received has been insufficient, he says. “And they're also now looking at a declining tax base because the economy has slowed down, which means … budgets are going to go down.”
Craig Williams, director of the Cisco Talos Security Intelligence and Research Group, points out that schools can turn to certain free technology options during the budget crunch.
For example, the cloud-based email system Google Classrooms offers a way for students to communicate that's relatively secure and allows for controlled access, Williams says.
Faced with the persistent threat of ransomware, however, school districts and universities need to have end point protection as well as immutable and encrypted backups, Oren stresses. And they need to ensure software is patched – especially systems with distributed access.
Paying the Ransom
Some academic institutions hit by ransomware, including the University of Utah, have chosen to pay a ransom in hopes of quickly restoring access to data and avoiding leaks.
"I have anecdotally heard of school districts paying thousands if not millions of dollars," Levin says, noting that many of these cases have never been publicized.
"Any [sector] that pays the ransom will be a more attractive target for adversaries," Levin says.