Ransomware attacks have continued pummeling US schools, with 11 new school districts — 226 schools — hit since October, while major US cities such as New Orleans and Pensacola gradually recover from attacks this month.
New data due to be published today by security firm Armor shows a total of 72 US school districts or individual educational institutions so far have suffered ransomware attacks this year, which means the number of victimized schools could be at 1,040 to date. Even more unnerving: 11 of those school districts — some 226 schools — have been attacked just since late October.
Those are only the school districts whose ransomware attacks have gone public, and Armor expects the victim head count to rise. Among the 11 school districts hit most recently, just one said it had paid a ransom — Port Neches-Groves Independent School District in Port Neches, Texas — but it has not disclosed publicly the ransom amount. Three of the recent victim school districts — Wood County in Parkersburg, West Virginia; Penn-Harris-Madison in Mishawaka, Indiana; and Claremont Unified School District in Claremont, California — announced they have no plans to pay the ransomware. The remaining seven districts have not shared their plans publicly.
School systems are just behind municipalities when it comes to ransomware attacks, according to Armor's findings: Cities and municipalities still are the No. 1 victim, with some 82 this year suffering attacks. Healthcare organizations are the third-most hit, with 44 cases this year, and managed service providers and cloud-based providers next in line, with 18 cases, according to the report.
New Orleans, which was hit Friday morning, December 13, by what some security experts say may have been the infamous Ryuk strain of ransomware that has been on a tear this year, today still was operating on a manual basis for many of its services after the city took most of its key services offline and has been in the process of cleaning up and investigating some 4,000 computers in its response to the attack. In a local television interview today posted on the City of New Orleans Twitter page, Mayor Latoya Cantrell said there was no "official ask" of ransom and that the city is in recovery mode and had been preparing for such an attack. She said she's not sure if it's related to the attack that hit the state in July, and led to the Louisiana Gov. John Bel Edwards declaring a state of emergency.
Kim LaGrue, the city's CISO, told news site NOLA.com that the attack appears to have begun with a phishing email, the site reported. The city's police department is currently unable to run background checks for citizens, and for now is documenting law enforcement incidents manually.
Pensacola reportedly faces a $1 million ransom demand, and city officials are investigating how to handle the ransom response, The Associated Press reported. No official word from the city yet on the strain of malware involved, but some experts reportedly are pointing to the possibility of Maze ransomware.
"With schools, municipalities, and healthcare, the common threat is a very low tolerance for any kind of downtime," says Chris Hinkley, who heads up Armor's Threat Resistance Unit (TRU) team. "They are all very tech-dependent, and also serve a lot of people, in most cases with taxpayer money. So there's a sense of urgency. ... Attackers have clued into that and it translates into a higher probability of payment."
These organizations also often lack security resources and funding to build out strong security infrastructures. Even so, attackers are finding them not only easy to dupe into responding to their phishing lures but also to infect via vulnerable systems that don't have sufficient detection and prevention layers. What ends up getting them to cough up ransom in some cases is public pressure to get back up and running quickly.
While attackers targeting a less lucrative organization such as a public entity rather than a corporate one may sound counterintuitive, Hinkley says it actually makes sense when it comes to the probability of a ransom payment. "At the end of the day, these [victims] are going to find the money if it means having their data or back or not. You can't teach these kids if you lose funding, and if you can't process taxes or issue driver's licenses, or whatever, you're going to find the money."
And the goal of ransomware, of course, is to get paid and hopefully get rich. "The common threat is how much money can we make in the shortest amount of time" and maximize profits, he says.
Security firm Emsisoft calls this wave of ransomware attacks a "crisis" situation. The security firm posted its own data over the weekend, noting that some 948 government agencies, educational institutions, and healthcare organizations in the US have suffered ransomware attacks this year, resulting in some $7.5 billion in costs. In the education sector, it counted 86 universities, colleges, and school districts affected, or some 1,224 schools. Healthcare was No. 1 victim in Emsisoft's list, with 759 victims, followed by federal, state, and municipal governments with 103 victim agencies.
Interestingly, Armor's report shows that some school districts now carry cyber insurance policies to help ease the financial burdens of a ransomware attack.
While cyber insurance can provide a cushion for victims, the downside is that it also encourages the attackers who get emboldened by ransom payments, Hinkley notes. "And now they have more funds to go and attack another target," he says.
Emsisoft in a recent blog posts argues for governments to curb ransom payments. "While a blanket ban may not be practical, government should certainly consider legislating to prevent public agencies paying ransoms when other recovery options are available to them. While this may increase costs initially, it would be less expensive in the longer term," the company, which is based in New Zealand, said in its post. "It seems bizarrely inconsistent that the U.S. government has a no-concessions policy in relation to human ransoms but places no restrictions whatsoever on data ransoms."
John Carlin, chair of Morrison and Foerster's Global Risk and Crisis Management Group, notes that no-pay policies should become standard practice. "It is a difficult decision, but continuing to pay causes the criminal market to surge and will just lead to more attacks," he says. "If that becomes the policy though, we should support state and localities with additional federal funding and assistance to ensure the best protection against ransomware: resilient systems."
He says insurers also could provide incentives for "resilience" to ransomware attacks.
Microsoft, meanwhile, also discourages paying ransom. "The most important thing to note is that paying cybercriminals to get a ransomware decryption key provides no guarantee that your encrypted data will be restored," said Ola Peters, senior cybersecurity consultant with the Microsoft Detection and Response Team, in a new post about ransomware payments.
Schooled by Ransomware
Parkersburg, West Virginia-based Wood County Schools has no plans to pay ransom for an attack that hit the district on November 7, even though it has a cyber insurance policy that could cover some of the costs. Teachers and administrators couldn't access files, voice-over-IP phones were down, and the school's automated door system failed to open and close properly.
In Texas, Port Neches-Groves Independent School District decided to pay up an undisclosed ransom to get its files back after a November 12 attack. The school also has cyber insurance. Claremont, California's school district lost its email and Internet services during a November 21 attack that required all computers to be remediated in the system, and left the district without Internet services as of early December.
Ransomware attackers encrypted a server containing sensitive employee information at Maine's School Administrative District #6 in Buxton, and it was unclear if the attackers actually pilfered the information as well — Social Security numbers, birth dates, mailing addresses, banking information, and income information.
Other recently hit school districts include Livingston New Jersey School District; Sycamore School District 427 in DeKalb, Illinois; Lincoln County in Brookhaven, Mississippi; San Bernardino City Unified School District in San Bernardino, California; and Las Cruces Public Schools in Las Cruces, New Mexico.
School or municipality size doesn't matter to the attackers, who sometimes are piggybacking off of cloud application or service providers they've infiltrated, experts note. "We've seen very big and small cities attacked," Hinkley notes.
The usual best practices for thwarting ransomware include the requisite offline data backups, whitelisting, behavior monitoring, endpoint protection, and security awareness training and establishing an internal culture of security, according to Armor.