
Threat Intelligence

12/16/2019 05:00 PM

Ransomware 'Crisis' in US Schools: More Than 1,000 Hit So Far in 2019

Meanwhile, the mayor of the city of New Orleans says no ransom money demands were made as her city struggles to recover from a major ransomware attack launched last week.

Ransomware attacks have continued pummeling US schools, with 11 more school districts (226 schools) hit since October, while major US cities such as New Orleans and Pensacola gradually recover from attacks this month.

New data due to be published today by security firm Armor shows that 72 US school districts or individual educational institutions have suffered ransomware attacks so far this year, which puts the number of victimized schools at 1,040 to date. Even more unnerving: 11 of those school districts (some 226 schools) have been attacked just since late October.

Those are only the school districts whose ransomware attacks have gone public, and Armor expects the victim head count to rise. Among the 11 school districts hit most recently, just one, Port Neches-Groves Independent School District in Port Neches, Texas, said it had paid a ransom, but it has not publicly disclosed the amount. Three of the recent victim districts (Wood County in Parkersburg, West Virginia; Penn-Harris-Madison in Mishawaka, Indiana; and Claremont Unified School District in Claremont, California) announced they have no plans to pay the ransom. The remaining seven districts have not shared their plans publicly.

School systems rank just behind municipalities when it comes to ransomware attacks, according to Armor's findings: cities and municipalities remain the No. 1 victim, with some 82 attacked this year. Healthcare organizations are the third most hit, with 44 cases this year, followed by managed service providers and cloud-based providers, with 18 cases, according to the report.

New Orleans was hit on Friday morning, December 13, by what some security experts say may have been the infamous Ryuk strain of ransomware, which has been on a tear this year. As of today the city was still running many of its services manually: it took most of its key systems offline after the attack and has been cleaning up and investigating some 4,000 computers as part of its response. In a local television interview posted today on the City of New Orleans Twitter page, Mayor Latoya Cantrell said there was no "official ask" for a ransom, that the city is in recovery mode, and that it had been preparing for such an attack. She said she is not sure whether it is related to the attack that hit the state in July and led Louisiana Gov. John Bel Edwards to declare a state of emergency.

Kim LaGrue, the city's CISO, told news site NOLA.com that the attack appears to have begun with a phishing email. The city's police department is currently unable to run background checks for citizens and, for now, is documenting law enforcement incidents manually.

Pensacola reportedly faces a $1 million ransom demand, and city officials are weighing how to respond, The Associated Press reported. There is no official word from the city yet on the strain of malware involved, but some experts reportedly are pointing to Maze ransomware as a possibility.

"With schools, municipalities, and healthcare, the common threat is a very low tolerance for any kind of downtime," says Chris Hinkley, who heads up Armor's Threat Resistance Unit (TRU) team. "They are all very tech-dependent, and also serve a lot of people, in most cases with taxpayer money. So there's a sense of urgency. ... Attackers have clued into that and it translates into a higher probability of payment."

These organizations also often lack the security resources and funding to build out strong security infrastructure. Attackers are finding them not only easy to dupe into responding to phishing lures but also easy to infect via vulnerable systems that lack sufficient detection and prevention layers. What ends up getting them to cough up a ransom in some cases is public pressure to get back up and running quickly.

While it may sound counterintuitive for attackers to target a less lucrative public entity rather than a corporation, Hinkley says it actually makes sense when it comes to the probability of a ransom payment. "At the end of the day, these [victims] are going to find the money if it means having their data back or not. You can't teach these kids if you lose funding, and if you can't process taxes or issue driver's licenses, or whatever, you're going to find the money."

And the goal of ransomware, of course, is to get paid and hopefully get rich. "The common threat is how much money can we make in the shortest amount of time" and maximize profits, he says.

Security firm Emsisoft calls this wave of ransomware attacks a "crisis" situation. The security firm posted its own data over the weekend, noting that some 948 government agencies, educational institutions, and healthcare organizations in the US have suffered ransomware attacks this year, resulting in some $7.5 billion in costs. In the education sector, it counted 86 universities, colleges, and school districts affected, or some 1,224 schools. Healthcare was the No. 1 victim in Emsisoft's list, with 759 victims, followed by federal, state, and municipal governments with 103 victim agencies.

Interestingly, Armor's report shows that some school districts now carry cyber insurance policies to help ease the financial burdens of a ransomware attack.

While cyber insurance can provide a cushion for victims, the downside is that it also encourages the attackers who get emboldened by ransom payments, Hinkley notes. "And now they have more funds to go and attack another target," he says.

Emsisoft, in a recent blog post, argues for governments to curb ransom payments. "While a blanket ban may not be practical, government should certainly consider legislating to prevent public agencies paying ransoms when other recovery options are available to them. While this may increase costs initially, it would be less expensive in the longer term," the company, which is based in New Zealand, said in its post. "It seems bizarrely inconsistent that the U.S. government has a no-concessions policy in relation to human ransoms but places no restrictions whatsoever on data ransoms."

John Carlin, chair of Morrison and Foerster's Global Risk and Crisis Management Group, argues that no-pay policies should become standard practice. "It is a difficult decision, but continuing to pay causes the criminal market to surge and will just lead to more attacks," he says. "If that becomes the policy though, we should support state and localities with additional federal funding and assistance to ensure the best protection against ransomware: resilient systems."

He says insurers also could provide incentives for "resilience" to ransomware attacks.

Microsoft, meanwhile, also discourages paying ransom. "The most important thing to note is that paying cybercriminals to get a ransomware decryption key provides no guarantee that your encrypted data will be restored," said Ola Peters, senior cybersecurity consultant with the Microsoft Detection and Response Team, in a new post about ransomware payments.

Schooled by Ransomware
Parkersburg, West Virginia-based Wood County Schools has no plans to pay ransom for an attack that hit the district on November 7, even though it has a cyber insurance policy that could cover some of the costs. Teachers and administrators couldn't access files, voice-over-IP phones were down, and the school's automated door system failed to open and close properly.

In Texas, Port Neches-Groves Independent School District decided to pay an undisclosed ransom to get its files back after a November 12 attack. That district also has cyber insurance. Claremont, California's school district lost its email and Internet services during a November 21 attack that required every computer in the system to be remediated and left the district without Internet service as of early December.

Ransomware attackers encrypted a server containing sensitive employee information at Maine's School Administrative District #6 in Buxton, and it was unclear whether the attackers also exfiltrated that information: Social Security numbers, birth dates, mailing addresses, banking information, and income information.

Other recently hit school districts include Livingston New Jersey School District; Sycamore School District 427 in DeKalb, Illinois; Lincoln County in Brookhaven, Mississippi; San Bernardino City Unified School District in San Bernardino, California; and Las Cruces Public Schools in Las Cruces, New Mexico.

School or municipality size doesn't matter to the attackers, who sometimes are piggybacking off of cloud application or service providers they've infiltrated, experts note. "We've seen very big and small cities attacked," Hinkley notes.

The usual best practices for thwarting ransomware, according to Armor, include offline data backups, application whitelisting, behavior monitoring, endpoint protection, security awareness training, and establishing an internal culture of security.
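As an added illustration of the "behavior monitoring" item in that list (example code written for this page, not Armor's tooling or anything the affected districts deployed): a toy Python monitor that replays constructed file-system events and flags any process that, inside a short sliding window, writes high-entropy content to, or appends a new extension to, many distinct files. That is the on-disk signature of the mass encryption every strain in this article performs. The process names, paths, thresholds and events are all invented for the demonstration; in practice the events would come from an EDR agent or Sysmon file-create and rename telemetry.

```python
"""Toy behaviour monitor for the "mass encryption" pattern of ransomware.

Constructed example for this article, not production tooling. It replays a list
of file-system events and flags any process that, inside a sliding window,
writes high-entropy content to, or renames with a new extension, many distinct
files. All event data below is fabricated for the demonstration.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

ENTROPY_THRESHOLD = 7.0        # bits/byte; ciphertext and compressed data sit near 8.0
WINDOW = timedelta(seconds=60)
MIN_FILES = 5                  # distinct files inside one window before we alert


@dataclass
class FileEvent:
    ts: datetime
    pid: int
    proc: str
    op: str                    # "WRITE" or "RENAME"
    path: str
    data: bytes = b""          # sampled content for WRITE events
    new_path: str = ""         # destination for RENAME events


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_suspicious(ev: FileEvent) -> bool:
    """High-entropy write, or a rename that tacks a new extension onto the old name."""
    if ev.op == "WRITE":
        return shannon_entropy(ev.data) >= ENTROPY_THRESHOLD
    if ev.op == "RENAME":
        # e.g. budget.xlsx -> budget.xlsx.locked
        return ev.new_path.lower().startswith(ev.path.lower() + ".")
    return False


def detect_mass_encryption(events, window=WINDOW, min_files=MIN_FILES):
    """Return the set of (pid, proc) that touched at least `min_files` distinct
    files with suspicious operations inside some window-long interval."""
    per_proc = defaultdict(list)
    for ev in events:
        if is_suspicious(ev):
            per_proc[(ev.pid, ev.proc)].append((ev.ts, ev.path))
    flagged = set()
    for key, hits in per_proc.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            touched = {p for t, p in hits[i:] if t - t0 <= window}
            if len(touched) >= min_files:
                flagged.add(key)
                break
    return flagged


# Constructed sample telemetry (invented processes, paths and timings).
T0 = datetime(2019, 12, 13, 6, 0, 0)
HIGH = bytes(range(256))       # stands in for a sample of ciphertext (entropy 8.0)
LOW = b"Quarterly budget notes for the board meeting. " * 6

SAMPLE_EVENTS = [
    # ordinary office work: low-entropy write to a single document
    FileEvent(T0, 2211, "WINWORD.EXE", "WRITE", r"C:\Users\clerk\Documents\minutes.docx", LOW),
    # an archiver also writes high-entropy data, but to one file, below MIN_FILES
    FileEvent(T0 + timedelta(seconds=5), 3050, "7z.exe", "WRITE", r"C:\Users\clerk\backup.7z", HIGH),
]
# the ransomware-like process: six spreadsheets overwritten and renamed within 30 seconds
for i in range(6):
    p = rf"C:\Users\clerk\Documents\payroll_{i}.xlsx"
    SAMPLE_EVENTS.append(FileEvent(T0 + timedelta(seconds=10 + 4 * i), 4120, "updater.exe", "WRITE", p, HIGH))
    SAMPLE_EVENTS.append(FileEvent(T0 + timedelta(seconds=11 + 4 * i), 4120, "updater.exe", "RENAME", p, new_path=p + ".locked"))

if __name__ == "__main__":
    for pid, proc in sorted(detect_mass_encryption(SAMPLE_EVENTS)):
        print(f"ALERT: pid {pid} ({proc}) shows mass-encryption behaviour")
```

The distinct-file count is what keeps this from firing on archivers, backup agents and browsers saving downloads, all of which legitimately write high-entropy data to one or two files; the rename test catches families that append a marker extension even when content sampling is unavailable. Thresholds are starting points to tune against a baseline of the environment's own file activity.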


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...