Education is a hot target for ransomware: Nearly 50 school districts and colleges have been hit in 2019 so far, and more than 500 individual K-12 schools have potentially been compromised.
Cloud security firm Armor has been tracking publicly disclosed ransomware attacks since January 2019. Of the 182 total victim organizations this year, 49 have been educational institutions. This makes education the second-largest pool of victims by industry, following municipalities at 70 victims, and ahead of third-place healthcare, which reported 27 victims.
Ransomware "creates a sense of urgency," says Chris Hinkley, head of Armor's Threat Resistance Unit (TRU). In schools, municipalities, and other public-facing institutions with infrastructure critical to their communities, the pressure to stay up and running after an incident is high. Criminals know they can't afford to shut down — and may be more likely to pay up. Whether a school pays depends on its backups, breadth of impact, and number of networks affected.
"When those organizations are down, especially a school, you're losing out on a lot of money, but you're also impacting a huge amount of people: teachers, administrators, and most importantly, the students," he adds. When New York's Monroe-Woodbury Central School District was hit with ransomware this month, it was forced to delay the start of its school year. The district won't have access to computers, Wi-Fi, or smart boards until recovery is complete.
Many government organizations, especially schools, are "going to be behind the curve, relatively speaking," when it comes to new and protective technologies, says Hinkley. They likely will run older operating systems or fall behind on patching, simply because they lack the manpower and expertise needed to stay current. The prevalence of vulnerable software and infrastructure in education makes it easier for attackers to get onto schools' infrastructure.
Victim schools and districts span the United States, TRU reports: The most recent victim districts were in Missouri, Pennsylvania, Ohio, Nebraska, Illinois, and Florida. Connecticut has the highest concentration of ransomware targets, with seven districts and up to 104 schools potentially affected.
"Most of the victims, I believe, are targets of opportunity," says Hinkley. An attacker may have known and contacted a student, for example, or found a vulnerability on the school's network. It's still unknown how many of these intruders planted ransomware in targets' environments.
Crowder College of Neosho, Missouri, reported a ransomware attack on September 11. Investigators found evidence indicating the attacker had been inside the school's systems since November 2018.
While it has not been confirmed how Crowder's intruder gained access, Hinkley suggests they could have purchased the malware, the unauthorized access, or both on the black market. "It's something we're seeing a lot of," he says.
Researchers who produced Armor's "Black Market Report" found ransomware sold on the Dark Web as a standalone product, as well as ransomware-as-a-service, making it easy for novices to jump into the game. Many sellers of ransomware-as-a-service do the work: They provide the malware and a panel for the customer to enter a ransom message; it then generates a unique wallet address for each victim. The buyer simply has to get it onto their target system of choice.
"It's removing a lot of the technical expertise that was previously required to carry out one of these attacks," Hinkley says. Cybercriminals also sell credentials to Remote Desktop Protocol servers, researchers found, and this is a common vector for multiple ransomware families.
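Purchased RDP credentials rarely show up as a brute-force storm; the buyer logs in cleanly with a valid account. The detection below, an added example and not code from the article or from Armor, scans constructed Windows Security event records for RemoteInteractive (RDP) logons that either originate outside the school's address ranges or succeed after a run of failures for the same account and source. The log format, the internal network ranges and the failure threshold are assumptions for the example.

```python
"""Flag suspicious RDP logons in Windows Security event records.

Added example, not from the article or Armor. The log lines below are
constructed; the field names follow Windows events 4624 (successful
logon) and 4625 (failed logon), but the one-record-per-line key=value
layout is a simplification of the real XML/EVTX format.
"""
import ipaddress
from collections import defaultdict

# Constructed sample records. LogonType 10 = RemoteInteractive (RDP);
# the source addresses are documentation-range values, not real hosts.
SAMPLE_LOG = """\
EventID=4625 Account=jdoe LogonType=10 Src=203.0.113.45
EventID=4625 Account=jdoe LogonType=10 Src=203.0.113.45
EventID=4625 Account=jdoe LogonType=10 Src=203.0.113.45
EventID=4624 Account=jdoe LogonType=10 Src=203.0.113.45
EventID=4624 Account=admin LogonType=10 Src=198.51.100.7
EventID=4624 Account=teacher1 LogonType=10 Src=10.20.30.40
EventID=4624 Account=teacher1 LogonType=2 Src=10.20.30.40
"""

# Assumed address ranges for the school's own network (an assumption).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Number of consecutive failures that makes a following success suspicious.
FAILURE_THRESHOLD = 3


def parse_line(line):
    """Turn 'key=value key=value ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious_rdp(log_text):
    """Return (account, source, reasons) for each RDP logon worth a look."""
    failures = defaultdict(int)  # (account, source) -> consecutive failed logons
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["LogonType"] != "10":      # only RDP sessions matter here
            continue
        key = (rec["Account"], rec["Src"])
        if rec["EventID"] == "4625":
            failures[key] += 1
        elif rec["EventID"] == "4624":
            reasons = []
            if not is_internal(rec["Src"]):
                reasons.append("rdp from external address")
            if failures[key] >= FAILURE_THRESHOLD:
                reasons.append(f"success after {failures[key]} failures")
            if reasons:
                alerts.append((rec["Account"], rec["Src"], reasons))
            failures[key] = 0             # a success resets the streak
    return alerts


if __name__ == "__main__":
    for account, src, reasons in find_suspicious_rdp(SAMPLE_LOG):
        print(f"{account} from {src}: {', '.join(reasons)}")
```

On the sample data the script reports jdoe (external source, success after three failures) and admin (external source) and stays quiet about teacher1, whose RDP session came from an internal address. In practice the "external" rule is the one that catches bought credentials; the failure-streak rule catches the cheaper guessing attacks that produce the credentials in the first place.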
Many of the attacks against districts and individual schools have used Ryuk ransomware, which is also commonly seen in campaigns against municipalities. It's typically preceded by the Emotet and TrickBot Trojans, which lay the foundation for networkwide compromise, TRU reports. Hinkley points out that the ransomware of choice usually depends on the deployment: Some ransomware is meant to be distributed by attackers inside the target infrastructure, he says; some is meant to be executed via social engineering techniques on the part of the end user.
Ransom Is Rising
The security industry has long pushed back against paying ransomware operators, for fear of motivating further attacks. Unfortunately, some schools are left with no other choice. New York's Rockville Center School District recently paid $88,000 following a ransomware campaign.
Demands are getting higher: The attacker who hit Crowder College demanded $1.6 million in ransom; it's not confirmed whether the school plans to pay. Monroe College in New York, which was hit with ransomware in July, received a $2 million ransom demand, the first seven-figure ransom TRU had seen against an educational institution; Crowder's demand followed later in the year.
Hinkley hypothesizes the rise in ransom demands could be linked to cyber insurance, as the financial risk of an attack is off-loaded onto a third party. While cyber insurance was not created for ransomware, this appears to be one of the more prominent uses for insurance coverage.
Homework for Schools and Districts
The top preparation and recovery step that schools should take is creating multiple backups of their critical data, applications, and application platforms. It's not enough to simply back up the data, Hinkley points out; schools should also be testing their backups to ensure they're ready to go.
"I've also seen organizations that have had robust backup plans but they didn't test them, so the backup didn't restructure," he explains. "Testing those backups is equally as important." Schools should also practice detection and response mechanisms to recover from an incident.
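A backup that has never been restored is an assumption, not a recovery plan. The drill below is an added example, not code from the article or from Armor: it archives a directory, records a hash of every file, restores the archive into a scratch directory and compares the result file by file, refusing to extract any archive member that would land outside the restore directory. The sample data and paths are constructed so it runs anywhere; a real deployment would point it at the data to protect and keep the archive off the production network.

```python
"""Back up a directory, then prove the backup restores intact.

Added example, not from the article. All data and paths are created in a
temporary directory (constructed sample data), so the drill runs offline.
"""
import hashlib
import os
import tarfile
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map each file under root (relative path) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out


def make_backup(source, archive_path):
    """Write a gzip tarball of source and return its manifest."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def verify_backup(archive_path, expected):
    """Restore into a scratch directory and compare against expected.
    Returns (ok, problems)."""
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        base = os.path.realpath(restore_dir)
        with tarfile.open(archive_path, "r:gz") as tar:
            # Reject members that would escape the restore directory
            # (a tampered archive is exactly what a drill should catch).
            for member in tar.getmembers():
                dest = os.path.realpath(os.path.join(restore_dir, member.name))
                if dest != base and not dest.startswith(base + os.sep):
                    return False, [f"unsafe path in archive: {member.name}"]
            tar.extractall(restore_dir)
        actual = manifest(restore_dir)
        for rel, digest in expected.items():
            if rel not in actual:
                problems.append(f"missing after restore: {rel}")
            elif actual[rel] != digest:
                problems.append(f"hash mismatch: {rel}")
        for rel in sorted(actual.keys() - expected.keys()):
            problems.append(f"unexpected file: {rel}")
    return not problems, problems


def run_drill():
    """Back up constructed sample data, verify it, then show the check
    failing when the backup no longer matches what must be restored."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "gradebook")
        os.makedirs(os.path.join(source, "2019"))
        with open(os.path.join(source, "2019", "grades.csv"), "w") as f:
            f.write("student,grade\nalice,A\n")   # constructed sample data
        with open(os.path.join(source, "roster.txt"), "w") as f:
            f.write("alice\nbob\n")
        archive = os.path.join(work, "gradebook.tar.gz")
        expected = make_backup(source, archive)
        ok_good, _ = verify_backup(archive, expected)

        # A file written after the backup ran: the archive is now stale,
        # and the drill must say so rather than report success.
        with open(os.path.join(source, "new.txt"), "w") as f:
            f.write("late\n")
        ok_stale, problems = verify_backup(archive, manifest(source))
    return ok_good, ok_stale, problems


if __name__ == "__main__":
    print(run_drill())
```

The manifest is the piece that turns "the restore finished" into "the restore is correct": comparing hashes catches truncated or silently corrupted files that a successful extract would otherwise hide. Keep the manifest somewhere the ransomware cannot reach along with the archive itself, or the comparison proves nothing.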
On top of that, Hinkley advises strong vulnerability management: Understand the assets in your infrastructure and what impact they have on the organization, and manage software updates.
Training is also essential. Software and hardware aside, schools are an easy target because of the people. Hundreds of kids are using machines and likely have a more relaxed approach to cybersecurity because they simply don't know any better. Educating everyone — students, teachers, administrators — is essential for protecting a school from the effects of ransomware.