Schools in the Baltimore County Public Schools (BCPS) system are closed Nov. 30 and Dec. 1 as officials investigate and remediate a ransomware attack that hit its network systems the day before Thanksgiving, pausing classes for some 115,000 students attending school online due to the pandemic.
Officials have not shared many details about how the attack started; however, a Baltimore Sun report indicates a school board meeting video stream was cut short Tuesday evening. Social media posts show teachers began to notice problems while entering grades later that night.
Some teachers said their files have a .ryuk extension on them, the report states, indicating Ryuk ransomware may be involved. Officials have not confirmed the presence of Ryuk, a type of ransomware that has grown prevalent this year and counts hospitals, local governments, and oil and gas facilities among its targets. There has been no confirmation of a ransom demand.
An investigation is underway. BCPS officials are reportedly working with state and federal law enforcement, as well as the Maryland Emergency Management Agency, to address the incident. County police have also communicated with the FBI Baltimore field office.
In the meantime, classes are on hold as the attack reportedly affected the BCPS website, email system, and grading system, officials say. Offices will stay open and staff will receive updates.
"Our focus today and for Monday and Tuesday is identifying and addressing student and staff device needs so that instruction can continue," BCPS officials wrote in a Nov. 29 tweet.
BCPS-issued Chromebooks were not affected in the attack, the officials report; students and staff may safely use these devices and Google accounts. However, officials request they do not use BCPS-issued Windows-based devices (HP Revolves or Probooks) until further notice.
Security Gaps Reported Days Before Attack
Days before the incident, Maryland state auditors found many security holes in the Baltimore County Public Schools' computer network.
The Office of Legislative Audits reports the BCPS internal network had 26 publicly accessible servers and intrusion detection prevention system coverage "did not exist" for untrusted encrypted traffic entering the network. Further, auditors say, BCPS network resources were not protected from improper access from students using wireless and high school computer labs.
"These publicly accessible servers, if compromised, could expose the internal network to attack from external sources," the audit report states. Auditors advise the school system to relocate all publicly accessible servers to a separate protected network zone to limit security exposures.
While it's unclear whether these weaknesses are connected to this incident, it's clear how the audit's findings could put the school system at risk. Several problems identified in the report could be used for initial compromise or for uninterrupted communication after the attacker breaks in.
"The audit found that the school system had no way of detecting or logging the kind of communications typically associated with ransomware [command-and-control] systems, and that servers inside the network had public Internet addresses with insufficient firewall protection," says Sean Gallagher, senior threat researcher with Sophos. These issues could have enabled an attacker to establish a foothold and send commands to spread across the network.
Ransomware Operators Take Aim at Schools
This attack is one of many targeting educational institutions this year as cybercriminals take advantage of the broad shift to remote learning. Millions of students and teachers are logging on to school networks to take classes and complete assignments, and many of them use devices and systems riddled with vulnerabilities that could create an ideal attack vector.
In the past 30 days, the education sector was hit with 62.9% of all reported enterprise malware encounters, Microsoft data shows. This puts education far ahead of the second most popular target industry, business and professional services (9.31%).
Back in April, the FBI's Internet Crime Complaint Center (IC3) warned online education and remote work platforms of an increase in cyberattacks driven by a dependence on virtual tools linked to the COVID-19 pandemic. Over the summer, Louisiana governor John Bel Edwards declared a state of emergency after a series of cyberattacks against school districts in the state. Alabama's Houston County was hit in August; Virginia's Fairfax County was attacked in September.
Schools are especially vulnerable because, in addition to this expanded attack surface, their IT operations are usually underfunded, Gallagher points out. While the lack of resources leaves them exposed, many school districts have cyber insurance that will pay the ransom, increasing the likelihood of an incident.
"The attackers are not necessarily targeting the organizations based on their business model, but based on their vulnerability," he adds.
Security experts believe we'll continue to see ransomware operators target schools continue with remote learning, a shift that has made schools around the county "an even bigger target of opportunity than before as the stakes are higher and worth more money," says LogRhythm CSO James Carder. "If the technology is taken down, the business is completely stopped."
Carder strongly advises school districts to adopt a proactive approach to cybersecurity and enable network infrastructure to block malicious access attempts. Security pros also suggest creating a crisis plan and integrating cybersecurity and data protection protocols as a way to simplify the process of detecting attacks and recovering systems and data if they're infected.