Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

03:15 PM
Connect Directly

Ransomware Strikes 49 School Districts & Colleges in 2019

The education sector has seen 10 new victims in the past nine days alone, underscoring a consistent trend throughout 2019.

Education is a hot target for ransomware: Nearly 50 school districts and colleges have been hit in 2019 so far, and more than 500 individual K-12 schools have potentially been compromised.

Cloud security firm Armor has been tracking publicly disclosed ransomware attacks since January 2019. Of the 182 total victim organizations this year, 49 have been educational institutions. This makes education the second-largest pool of victims by industry, following municipalities at 70 victims, and ahead of third-place healthcare, which reported 27 victims.

Ransomware "creates a sense of urgency," says Chris Hinkley, head of Armor's Threat Resistance Unit (TRU). In schools, municipalities, and other public-facing institutions with infrastructure critical to their communities, the pressure to stay up and running after an incident is high. Criminals know they can't afford to shut down — and may be more likely to pay up. Whether a school pays depends on its backups, breadth of impact, and number of networks affected.

"When those organizations are down, especially a school, you're losing out on a lot of money, but you're also impacting a huge amount of people: teachers, administrators, and most importantly, the students," he adds. When New York's Monroe-Woodbury Central School District was hit with ransomware this month, it was forced to delay the start of its school year. The district won't have access to computers, Wi-Fi, or smart boards until recovery is complete.

Many government organizations, especially schools, are "going to be behind the curve, relatively speaking," when it comes to new and protective technologies, says Hinkley. They likely will run older operating systems or fall behind on patching, simply because they lack the manpower and expertise needed to stay current. The prevalence of vulnerable software and infrastructure in education makes it easier for attackers to get onto schools' infrastructure.

Victim schools and districts span the United States, TRU reports: The most recent victim districts were in Missouri, Pennsylvania, Ohio, Nebraska, Illinois, and Florida. Connecticut has the highest concentration of ransomware targets, with seven districts and up to 104 schools potentially affected.

"Most of the victims, I believe, are targets of opportunity," says Hinkley. An attacker may have known and contacted a student, for example, or found a vulnerability on the school's network. It's still unknown how many of these intruders planted ransomware in targets' environments.

Back-to-School Shopping
Crowder College of Neosho, Missouri, reported a ransomware attack on September 11. Investigators found evidence indicating the attacker had been inside the school's systems since November 2018.

While it has not been confirmed how Crowder's intruder gained access, Hinkley suggests they could have purchased both the malware and/or the unauthorized access on the black market. "It's something we're seeing a lot of," he says.

Researchers who produced Armor's "Black Market Report" found ransomware sold on the Dark Web as a standalone product, as well as ransomware-as-a-service, making it easy for novices to jump into the game. Many sellers of ransomware-as-a-service do the work: They provide the malware and a panel for the customer to enter a ransom message; it then generates a unique wallet address for each victim. The buyer simply has to get it onto their target system of choice.

"It's removing a lot of the technical expertise that was previously required to carry out one of these attacks," Hinkley says. Cybercriminals also sell credentials to Remote Desktop Protocol servers, researchers found, and this is a common vector for multiple ransomware families.

Many of the attacks against districts and individual schools have used Ryuk ransomware, which is also commonly seen in campaigns against municipalities. It's typically proceeded by Emotet and TrickBot Trojans, which lay the foundation for networkwide compromise, TRU reports. Hinkley points out that the ransomware of choice usually depends on the deployment: Some ransomware is meant to be distributed by attackers inside the target infrastructure, he says; some is meant to be executed via social engineering techniques on the part of the end user.

Ransom Is Rising
The security industry has long pushed back against paying ransomware operators, with fear of motivating further attacks. Unfortunately, some schools are left with no other choice. New York's Rockville Center School District recently paid $88,000 following a ransomware campaign.

Demands are getting higher: The attacker who hit Crowder College demanded $1.6 million in ransom; it's not confirmed whether the school plans to pay. Monroe College in New York, which was hit with ransomware in July, received a $2 million ransom demand — the first million-dollar ransom TRU saw for an educational institution before Crowder was attacked later in the year.

Hinkley hypothesizes the rise in ransom demands could be linked to cyber insurance, as the financial risk of an attack is off-loaded onto a third party. While cyber insurance was not created for ransomware, this appears to be one of the more prominent uses for insurance coverage.

Homework for Schools and Districts
The top preparation and recovery step that schools should take is creating multiple backups of their critical data, applications, and application platforms. It's not enough to simply back up the data, Hinkley points out; schools should also be testing their backups to ensure they're ready to go.

"I've also seen organizations that have had robust backup plans but they didn't test them, so the backup didn't restructure," he explains. "Testing those backups is equally as important." Schools should also practice detection and response mechanisms to recover from an incident.

On top of that, Hinkley advises strong vulnerability management: Understand the assets in your infrastructure and what impact they have on the organization, and manage software updates.

Training is also essential. Software and hardware aside, schools are an easy target because of the people. Hundreds of kids are using machines and likely have a more relaxed approach to cybersecurity because they simply don't know any better. Educating everyone — students, teachers, administrators — is essential for protecting a school from the effects of ransomware.

Related Content:


Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The 20 Worst Metrics in Cybersecurity."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.