School reopenings — already bogged down by concerns over the COVID-19 pandemic — are being further complicated by targeted ransomware and denial-of-service attacks.
This week, Hartford Public Schools (HPS) in Connecticut became the latest to announce a ransomware attack that in its case forced school reopening to be delayed by one day. School officials said multiple critical systems had been knocked offline by the attack, including one used to communicate transportation routes to the district's bus company. That prevented the district's ability to operate schools on Tuesday as scheduled, HPS said.
Multiple other school districts have reported similar incidents in recent days. On Tuesday, the Clark County School District in Las Vegas said some of its systems had been infected with ransomware on Aug. 27. The incident impacted systems containing current and former employee data, according to the school district.
Last month, Hayward County Schools in North Carolina was forced to discontinue online classes for students for several days — including opening day — following a ransomware attack. More than a week after the intrusion, many services remained unavailable, and school officials warned that restoration work could take several weeks. They later announced the attack had also resulted in sensitive data potentially belonging to employees and students being compromised in the incident. Similarly, school reopening at Oklahoma's Ponca City School system was delayed by a week last month after a ransomware attack crippled the district's ability to deliver online classes.
The flurry of ransomware attacks — like almost every other cyber threat over the past several months — is being driven by the hasty switch to remote learning triggered by the COVID-19 pandemic. School systems, which even before the pandemic had to contend with tight IT budgets, have just not had the time or resources to implement defenses for countering new cyber threats tied to the pandemic, security experts say.
"[The pandemic] has forced the use of many technologies the schools have never used before. Most of the services and systems making remote learning are completely brand new to them," says W. Curtis Preston, chief technical evangelist at Druva. "So the already existent problems presented by underfunding and the ability to only deliver basic IT services have increased by an order of magnitude in light of the pandemic."
Scott Gordon, chief marketing officer at Pulse Secure, likens the heightened threat that schools face to the increased threat that most organizations in general have experienced in the past several months. He points to a recent study conducted by Pulse that showed 80% of organizations have experienced greater malware issues with the recent expansion of remote computing.
"The move to a digital classroom mimics the increase in threats that other industries are coping [with] as they enable a hybrid and flexible workplace," Gordon says.
According to Gordon, while many schools have defenses aligned to monitor, protect, and prepare for recovery of their critical assets, others don't because of budget and resource considerations. As a result, "remote access exposures have grown due to vulnerable endpoints, phishing, and at-risk connectivity," he notes.
The surge in attacks on schools is not entirely unexpected. A study that Armor conducted back in April showed at least 284 entities across 17 school districts and colleges were hit in ransomware attacks between Jan. 1 and April 8 alone. At the time, the security vendor had predicted an increase in such attacks in the following months. A previous Armor study found over 1,000 schools were hit in ransomware attacks last year.
Druva's Preston says the attacks heighten the need for better data backup practices at schools.
"The one thing they all must do is to back up anything they are doing to a system that separates backups from any attacks," he says.
The DDoS Threat
Ransomware is not the only concern that schools face as they prepare for an academic year where most courses will be delivered online. Distributed denial-of-service (DDoS) attacks are another major concern. According to security vendor Kaspersky, DDoS attacks targeting schools and other educational institutions surged between 350% and 500% each month between February and June 2020 compared with the same period last year.
"For the last half a year, we have seen the number of attacks on educational and government resources grow faster than on other kind of resources," says Alexander Gutnikov, a DDoS expert at Kaspersky.
So far, at least most of the attacks on these organizations have been politically motivated or plain acts of hooliganism, he says. But that could soon change as well.
Late last month, the FBI warned about criminals claiming to belong to the Russia-based Fancy Bear cyber espionage group conducting ransom DoS attacks on financial institutions and organizations in other sectors. In many of the attacks — which started last month — the threat actors have asked targeted organizations to pay a demanded ransom amount within one week or face the prospect of a major DoS attack. Most of those targeted in these attacks did not report any additional activity after the deadline passed, or they successfully mitigated the threat, the FBI said.
There is some concern that similar attacks could be directed at school systems, which are far less prepared to deal with DoS attacks than financial organizations.
Barrett Lyon, CEO of security vendor Netography, says the rushed move to remote learning and the comparative lack of preparedness among schools to deal with related cyber threats has left many vulnerable to cyberattack.
"Schools are sitting ducks" for cybercriminals, he says. Because any attack that disrupts a school's ability to deliver classes online would be chaotic in present circumstances, criminals know it is easy to shake them down, Barrett says.
Significantly, it's not just criminals who schools need to contend with. Almost anyone — including students — who wants to disrupt online course delivery are a threat, he says.
One example is a 16-year-old student in Florida who launched eight DDoS attacks on networks belonging to the Miami-Dade Public Schools system. The August attacks were designed to overwhelm the school district network and disrupt its ability to deliver classes online. Florida law-enforcement authorities arrested the student earlier this month and charged him with a third-degree felony count and a second-degree misdemeanor charge.
Barrett says he expects such attacks will continue.
"A lot of schools are not equipped to deal even with basic DDoS attacks," he says.