Any state with a vibrant economy — and schools — should be considered big targets for ransomware attackers.

Dave Gast, Senior Threat Researcher, Intrusion Inc.

September 7, 2021

It’s almost football season and that means welcome back to in-person class … maybe? It’s a hot topic, politically sensitive, pro-vax vs. anti-vax, children K-12, woke universities, still sleeping universities, hybrid, blended, you name it; when you talk about education and the education system in the US, you’re talking about a cesspool of issues from A-Z, and 1-2-3 to infinity! What a prime, easy cherry-picking environment for hackers, data thieves, and ransomware artists.

To land the current job I now have, back in late May I was challenged to identify what I thought would be the top-five ransomware attacks for 2021. Here's the essence of how I answered.

Conti ranked second among the ransomware groups hunting corporate targets in Kaspersky's April 2021 reporting, and it is coming to a school near you. Ransomware threat actors using Conti recently demanded $40 million in a school hack in which the school agreed to pay $500,000. Conti is still very much active.

We’ll approach this the way an attacker would, using an extremely simplified version of the target development process. Let’s pick on a school district in the US that, if plucked out of its home city, would equate to the seventh largest city in the state of Texas. It boasts an incredibly hot housing market, and property taxes in the district have steadily climbed for the past 10 years. It is home to 11 high schools, each with at least two feeder middle schools and at least three to five feeder elementary schools. The district’s superintendent salary was last reported at over $300,000. Imagine the number of teachers and support staff it takes to run the district, and you have just established your phishing email target footprint.

As with most ransomware campaigns, the tactic is probably more of a spray-and-pray attack at the district’s nearly 13,000 email addresses. You need just one to click on the link and provide a way in. Before we go too far, let’s also consider the attacker’s psyche. What better statement can there be than to take down a school district of this proportion in the new Cyber City, USA’s (aka San Antonio, Texas) own backyard?

This school district is not alone. Any state with highly populated, or maybe overpopulated, school districts with ultra-hot housing markets and historically and steadily climbing property tax rates should be considered wide-open bank vaults for ransomware attackers.

That was then, and together with the rest of that paper I earned the job. Skip ahead to August 2021, when I was considering how to tackle this article, and what do I see? More references to the fact that 2020 was a record year for attacks against education entities. Imagine that in the age of COVID when a large percentage of schools K-12 and beyond were locked down and in virtual classes only.

The bottom line for citizens, educators, parents, students, staff, and IT pros who support these institutions, is that there are things you can do:

1. Read and heed CISA’s Back to School Campaign and take its recommendations seriously.

2. Consider carefully how you implement your free, school-provided Wi-Fi and who you allow to use it.

3. Of course, all the basics of network hygiene, routine accounting, and auditing of IT devices and provided services are essential as we bring back everyone and everything to campus.

4. And lastly, be ready for everything. Although Conti is currently experiencing some customer relation issues (bad guys mad at bad guys), don’t think they and the thousands of other ransomware cybercriminals aren’t coming for you. Assume they’re already in and waiting.

It’s going to be an exciting year. Come fall, we'll have football, apple cider, and homecomings. I believe we’ll overcome the idea of lockdowns regardless of the circumstance and methods, and we’ll have a closer-to-normal school year. Unfortunately, I stick by my fearless prediction: Hackers 72 – Schools 14.

About the Author(s)

Dave Gast

Senior Threat Researcher, Intrusion Inc.

Dave is currently the Senior Threat Researcher with Intrusion Inc. Dave is a military veteran of 26 years with a background in Intelligence, Surveillance & Reconnaissance & Cyber. He then served 10 years as a Cyber Intelligence Analyst and Planner as a government contractor. Dave holds a bachelor’s in business management and is PMP, CEH, SEC+ & ITIL 4 certified and has taught PMP, SEC+ and ITIL 4.
