Recently, schools throughout the U.S. have endured delays in reopening after experiencing massive ransomware attacks that forced the shutdown of critical information technology systems.

Take Hartford, Conn., public schools, for instance, where city officials were forced to postpone the first day of school, set for Tuesday, Sept. 8, after a ransomware virus caused an outage of critical systems. As reported by local news, the city's critical systems were damaged over the weekend and restoration of the systems is still not complete. Hartford Public Schools has approximately 300 servers, and more than 200 were hit in the ransomware attack.

Hartford Mayor Luke Bronin stated that the cyberattacker gained access to the systems on Thursday and that on Saturday the virus actually attacked the systems. The IT team worked through the weekend to access and restore the affected systems. Now the IT team is going system by system and server by server to restore the systems, Bronin added. This ransomware attack was the most extensive and significant attack in the last five years in the city, according to the mayor.

The Clark County School District, which serves all of Clark County, Nevada, including the cities of Las Vegas, Henderson, North Las Vegas, and Boulder City, was also hit by a ransomware attack during the first week of school.

According to a report by the K-12 Cybersecurity Resource Center, "The State of K-12 Cybersecurity: 2019 Year in Review," public K-12 education agencies across the country experienced a total of 348 cybersecurity incidents during calendar year 2019. This is nearly 3 times as many incidents as were publicly disclosed during 2018. Many of these incidents were significant, resulting in the theft of millions of taxpayer dollars, stolen identities, and the denial of access to school technology and IT systems for weeks or longer.

With the surge of technology use for teaching, learning and continuing school operations in today’s remote environment, schools have become even more vulnerable to cyberattacks. These recent cybersecurity incidents only highlight the need for continuous vigilance as school staff, students, and parents adjust to remote learning. 

Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyberattackers, believes there is a parallel to be made between the spread of COVID-19 during the pandemic and cybersecurity in schools. "The conventional wisdom for COVID-19 is that until infection rates in an area are generally low, opening schools in that area is likely to result in outbreaks. Comprehensive testing is accepted as the means of establishing what the prevalence of infection is in each area," says Tavakoli. "Cybersecurity is not unlike COVID-19. There is a certain prevalence of infected machines in the community. But we have no comprehensive testing regimen to establish the baseline levels of infection across student machines. And we are choosing (in lieu of physically bringing students together) to interconnect a bunch of machines (with unknown prevalence of infection) together via a variety of methods (video conferencing, shared docs, emails with attachments, etc.) which weren’t used in the past. Simple lesson: when interconnecting communities for the first time without knowing the prevalence of infection in said community, you will periodically get exponential growth in outbreaks."

Mark Rogan, DAST Manager, Vulnerability Verification Europe, at WhiteHat Security, a San Jose, Calif.-based provider of application security, says, “Schools are in an unprecedented time in which many of their resources must be available online. This increases the threat of allowing resources / connections to be abused by Remote Code Execution or Application Code Execution. Many of these vulnerabilities have CVEs associated, so it is vital all systems check any vulnerabilities associated with the frameworks they have in place as well as more nuanced attacks that may not have a specific CVE such as SQLi, XSS & CSRF.”

Chester Wisniewski, Principal Research Scientist at Sophos, warns that as ransomware gangs continue to increase the sophistication of their attacks, we are likely to continue to see targets being more strategically selected to maximize the impact of their disruption. "Hitting schools at the start of the school year certainly applies additional pressure to get back online, and we may see similar targeting around election day or the upcoming Christmas shopping holidays. It is heartening to hear that Hartford is not negotiating with the criminals behind this, and we hope this sets a new standard moving forward for others to follow."

Ransomware is a pervasive threat that organizations face, notes Melody J. Kaufmann, cyber security specialist.

"The only effective means of dealing with ransomware is to implement proactive controls. A rigorously adhered to patch management schedule makes organizations harder targets. Hackers look for low-hanging fruit and frequently target well-known exploitable vulnerabilities, which often have manufacturer patches," adds Kaufmann. "Combined with basic system hardening such as implementing the benchmarks outlined by the Center for Internet Security (CIS) (https://learn.cisecurity.org/benchmarks) strengthens security, decreasing bad actors’ opportunities to gain the elevated privilege that allows ransomware to take hold. Securing the end-user through effective training creates a first line of defense from security’s weakest link, the human element. End-users that understand the danger of opening questionable links, emails, and attachments avoid taking these risky actions, thus thwarting ransomware attacks."