Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/20/2019
03:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Ransomware Strikes 49 School Districts & Colleges in 2019

The education sector has seen 10 new victims in the past nine days alone, underscoring a consistent trend throughout 2019.

Education is a hot target for ransomware: Nearly 50 school districts and colleges have been hit in 2019 so far, and more than 500 individual K-12 schools have potentially been compromised.

Cloud security firm Armor has been tracking publicly disclosed ransomware attacks since January 2019. Of the 182 total victim organizations this year, 49 have been educational institutions. This makes education the second-largest pool of victims by industry, following municipalities at 70 victims, and ahead of third-place healthcare, which reported 27 victims.

Ransomware "creates a sense of urgency," says Chris Hinkley, head of Armor's Threat Resistance Unit (TRU). In schools, municipalities, and other public-facing institutions with infrastructure critical to their communities, the pressure to stay up and running after an incident is high. Criminals know they can't afford to shut down — and may be more likely to pay up. Whether a school pays depends on its backups, breadth of impact, and number of networks affected.

"When those organizations are down, especially a school, you're losing out on a lot of money, but you're also impacting a huge amount of people: teachers, administrators, and most importantly, the students," he adds. When New York's Monroe-Woodbury Central School District was hit with ransomware this month, it was forced to delay the start of its school year. The district won't have access to computers, Wi-Fi, or smart boards until recovery is complete.

Many government organizations, especially schools, are "going to be behind the curve, relatively speaking," when it comes to new and protective technologies, says Hinkley. They likely will run older operating systems or fall behind on patching, simply because they lack the manpower and expertise needed to stay current. The prevalence of vulnerable software and infrastructure in education makes it easier for attackers to get onto schools' infrastructure.

Victim schools and districts span the United States, TRU reports: The most recent victim districts were in Missouri, Pennsylvania, Ohio, Nebraska, Illinois, and Florida. Connecticut has the highest concentration of ransomware targets, with seven districts and up to 104 schools potentially affected.

"Most of the victims, I believe, are targets of opportunity," says Hinkley. An attacker may have known and contacted a student, for example, or found a vulnerability on the school's network. It's still unknown how many of these intruders planted ransomware in targets' environments.

Back-to-School Shopping
Crowder College of Neosho, Missouri, reported a ransomware attack on September 11. Investigators found evidence indicating the attacker had been inside the school's systems since November 2018.

While it has not been confirmed how Crowder's intruder gained access, Hinkley suggests they could have purchased both the malware and/or the unauthorized access on the black market. "It's something we're seeing a lot of," he says.

Researchers who produced Armor's "Black Market Report" found ransomware sold on the Dark Web as a standalone product, as well as ransomware-as-a-service, making it easy for novices to jump into the game. Many sellers of ransomware-as-a-service do the work: They provide the malware and a panel for the customer to enter a ransom message; it then generates a unique wallet address for each victim. The buyer simply has to get it onto their target system of choice.

"It's removing a lot of the technical expertise that was previously required to carry out one of these attacks," Hinkley says. Cybercriminals also sell credentials to Remote Desktop Protocol servers, researchers found, and this is a common vector for multiple ransomware families.

Many of the attacks against districts and individual schools have used Ryuk ransomware, which is also commonly seen in campaigns against municipalities. It's typically proceeded by Emotet and TrickBot Trojans, which lay the foundation for networkwide compromise, TRU reports. Hinkley points out that the ransomware of choice usually depends on the deployment: Some ransomware is meant to be distributed by attackers inside the target infrastructure, he says; some is meant to be executed via social engineering techniques on the part of the end user.

Ransom Is Rising
The security industry has long pushed back against paying ransomware operators, with fear of motivating further attacks. Unfortunately, some schools are left with no other choice. New York's Rockville Center School District recently paid $88,000 following a ransomware campaign.

Demands are getting higher: The attacker who hit Crowder College demanded $1.6 million in ransom; it's not confirmed whether the school plans to pay. Monroe College in New York, which was hit with ransomware in July, received a $2 million ransom demand — the first million-dollar ransom TRU saw for an educational institution before Crowder was attacked later in the year.

Hinkley hypothesizes the rise in ransom demands could be linked to cyber insurance, as the financial risk of an attack is off-loaded onto a third party. While cyber insurance was not created for ransomware, this appears to be one of the more prominent uses for insurance coverage.

Homework for Schools and Districts
The top preparation and recovery step that schools should take is creating multiple backups of their critical data, applications, and application platforms. It's not enough to simply back up the data, Hinkley points out; schools should also be testing their backups to ensure they're ready to go.

"I've also seen organizations that have had robust backup plans but they didn't test them, so the backup didn't restructure," he explains. "Testing those backups is equally as important." Schools should also practice detection and response mechanisms to recover from an incident.

On top of that, Hinkley advises strong vulnerability management: Understand the assets in your infrastructure and what impact they have on the organization, and manage software updates.

Training is also essential. Software and hardware aside, schools are an easy target because of the people. Hundreds of kids are using machines and likely have a more relaxed approach to cybersecurity because they simply don't know any better. Educating everyone — students, teachers, administrators — is essential for protecting a school from the effects of ransomware.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The 20 Worst Metrics in Cybersecurity."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-4968
PUBLISHED: 2019-11-19
nginx http proxy module does not verify peer identity of https origin server which could facilitate man-in-the-middle attack (MITM)
CVE-2012-0824
PUBLISHED: 2019-11-19
gnusound 0.7.5 has format string issue
CVE-2012-0843
PUBLISHED: 2019-11-19
uzbl: Information disclosure via world-readable cookies storage file
CVE-2014-5439
PUBLISHED: 2019-11-19
sniffit 0.3.7 and prior: A configuration file can be leveraged to execute code as root
CVE-2011-4919
PUBLISHED: 2019-11-19
mpack 1.6 has information disclosure via eavesdropping on mails sent by other users