Now ransomware is inundating public school systems

Almost every American adult knows that cyberattacks and breaches are ubiquitous and have primarily targeted companies and government entities. They might even know that the single most common breach these days is ransomware, a malicious process by which hackers dismantle computer systems and don’t fix them until a ransom is paid.

Few, however, are aware that ransomware is targeting a new set of highly vulnerable victims en masse. In recent months, the majority of successful ransomware attacks have struck K-12 schools nationwide, casting a whole new light on the number of Americans highly susceptible to a cyberattack.

We’re not talking about the victimization of tens of thousands of corporate employees, as bad as that is. Rather, we’re talking about tens of millions of Americans – young students, along with teachers and administrators – now also at significant risk of coping with the unraveling of their daily lives.

The pain in school systems is piling up. Over the last 14 months, the majority of K-12 students and teachers were forced to embrace remote online learning, which turned out to be relatively ineffective. Many parents believe their children fundamentally lost a year of learning. Now students are returning to the classroom, yet their education is being diminished yet again.

According to the FBI, cybercriminals are hitting schools with malevolent tools and tactics they initially found to be effective against businesses. The ZeuS Trojan, for instance, is malware that targets Microsoft Windows machines running on school computers and not only freezes systems but sends stolen personal data back to criminals’ servers, where it’s also held hostage or sold on the dark web.

The upshot: Last August and September, the latest data available, the FBI reported that 57% of reported ransomware incidents involved K-12 schools – more than twice the number of school ransomware attacks reported in the earlier months of 2020. At least 44 ransomware attacks have already occurred against public school districts in 2021, according to cybersecurity company Recorded Future.

In the past few weeks alone, 7,500 students in Haverhill, Mass., an exurb of Boston, became victims of ransomware. Shortly before that, Broward County public schools in south Florida – the nation’s sixth-largest school district – were threatened with the release of sensitive student, teacher and employee personal data unless that district paid a whopping $40 million ransom. Over the last 16 months, other successful ransomware attacks targeting K-12 school systems have occurred in Huntsville, Ala.; Baltimore; Fairfax County, Va.; Hartford, Conn.; and Fort Worth, Texas, among other geographic areas. And many schools don’t even bother reporting attacks.

“I’m not at all surprised by these attacks,” says Karim Hijazi, the founder and CEO of Prevailion, a Texas-based cybersecurity firm. “School systems don’t have the technology to be really secure, and that makes them a very attractive target.”

Until recently, hospitals and other patient care facilities had generally been the single biggest ransomware target. They have been eclipsed by schools in large part because bigger and more affluent hospitals have been ramping up their IT departments and creating more secure backup sites, undermining the odds of a successful strike.

It’s a different world for school systems. Most use a less expensive educational version of Microsoft Windows, which is less secure, and typically must make do with aging computer architecture. And even when they do back up data, they’re usually backing it up onsite or at a facility directly connected to the school system, leaving backups vulnerable to a lockdown as well.

According to a report by IBM, 60% of teachers say they have received no additional security training during the pandemic - and half no cybersecurity training whatsoever. More than a third of K-12 administrators said their school districts employ just one to three IT staffers in total. The undeniable upshot: While ransomware proceeds from attacks against schools are relatively small, the chances of a successful attack are extremely high.

The most common modus operandi in targeting schools with ransomware attack is to focus on relatively affluent markets, which accommodate schools with bigger budgets. Hackers get guidance by checking out U.S. Census data, freely available online.

What can schools do to protect themselves?

The best thing would be to back up school systems in the cloud. This requires more security funds but isn’t overly expensive. It would, however, require more IT talent.

A lesser but still worthwhile step would be to train teachers, in particular, to get in the habit of right-clicking on email attachments to scan for malware before opening them. Hackers know that teachers are often the recipients of student schoolwork sent via email. So they hijack student identities.

Assuming that school systems can find the wherewithal to boost security budgets, here are some additional steps that should be somewhat helpful:

Focus on awareness and training. Students, as well as teachers and other school employees, need to be better educated about phishing scams and ransomware attacks and how they’re delivered. The more they know, the more cautious they could become.
Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
Monitor privacy settings and information available on social networking sites.
Patch operating systems, software and firmware as manufacturers release updates. This way, you’re relying on your systems to do more of the security work.
Regularly change passwords to network systems and accounts. Also avoid reusing passwords for different accounts.
Audit logs to ensure new accounts are legitimate.
Audit users’ accounts with administrative privileges and configure access controls with the minimum user privilege possible.

To be sure, escaping the ransomware morass is not an easy endeavor. Some schools and other entities simply pay the ransom and sometimes don’t report the attack. But payments, in particular, are highly risky. According to a study by SentinelOne, a Silicon Valley-based global cybersecurity company, 45% of U.S. companies hit with a ransomware attack paid the hackers for relief, but only 26% of those had their files unlocked.

As the hospital sector has begun to make clear, better security is the only real answer to ransomware. The payment of bribes, by contrast, is a waste of money and time.

Situational awareness should be at the forefront of your security program. It can mean the difference between life and death in a workplace emergency.

Security’s digital transformation is now entering stage 5. Complex security technologies are connected to HR systems, global security operations centers, and other building technologies in a world where employees now work in two places: home and the corporate office.