Remote Learning Heightens Ransomware Threats
After a spring semester marked by massive change in response to the COVID-19 pandemic, things were looking up a bit for some schools in the U.S. state of California. Classes at Newhall School District resumed—albeit online—for the fall 2020 semester, and roughly 6,000 elementary students were actively engaged with their teachers at 10 different schools.
The district had used the summer to roll out new technology to help students connect with their teachers and complete their schoolwork, including deploying more than 4,500 student devices and 1,000 wireless hotspots.
Then, disaster struck. A ransomware attack hit the district in September and disabled its server and email services, affecting all online learning. District officials notified parents and requested everyone stay off the district-provided devices until the ransomware was removed from the network and systems were restored.
“We are reaching out to let you know that the District has been subjected to a ransomware attack over the weekend and our network is currently shutdown,” the district said in a post to its Instagram account. “Today will be a non-instructional day for all students.”
Removing the ransomware and restoring systems took eight days, said Superintendent Jeff Pelzel in an IBM panel discussion on ransomware. People may think there are some “glaring things we did wrong in this process,” Pelzel explained, “but you learn a lot about your infrastructure and how to clean this up when it does happen.”
Those insights are incredibly valuable to U.S. school districts as the possibility of remote learning continues in the midst of the coronavirus pandemic. And even after the pandemic is over, the infrastructure that allows ransomware to move through a school district’s network will still exist and be susceptible to threats.
“Ransomware attacks on schools have become the new snow day for students,” said Christopher Scott, director of security innovation, Office of the CISO, IBM, in a statement. “Stay-at-home orders, and the switch to remote learning, have changed the focus for cybercriminals looking for easy targets as everyone from kindergartners to college professors have adopted remote technologies. And with budgets focused on new ways of learning, many schools are in need of additional resources and technology to change the dynamic and lower the financial ROI for the bad guys targeting them.”
In 2020, more than 1,600 schools in the United States were targeted by ransomware. Nearly 60 percent of these incidents involved K-12 schools, and the FBI has noted an increase in attacks on districts in fall 2020 when the academic year began.
In a joint cybersecurity advisory issued in December 2020, the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) assessed that cyber actors were targeting K-12 educational institutions, leading to ransomware attacks, thefts of data, and disruptions of distance learning services.
“In these attacks, malicious cyber actors target school computer systems, slowing access, and—in some instances—rendering the systems inaccessible for basic functions, including distance learning,” according to the advisory. “Adopting tactics previously leveraged against business and industry, ransomware actors have also stolen—and threatened to leak—confidential student data to the public unless institutions pay a ransom.”
This was the case in August 2020, when criminals launched a ransomware attack on the Clark County School District in Las Vegas, Nevada. Not only did they encrypt students’ personal information—grades, Social Security numbers, and other information—the malicious actors also demanded payment to prevent the data from being released online.
“The information had previously been hacked and stolen, and when the school district refused to pay a ransom, the hackers published the information,” according to the National Law Review.
Educational institutions have become lucrative targets for ransomware attacks, largely because schools collect valuable types of sensitive data, traditionally lack resources to address network security, and were operating remotely for much of the 2020-2021 academic year.
The advisory found that cyber actors likely view schools as “targets of opportunity” that will be susceptible to attack through the 2020-2021 academic year. But paying the ransom could also fuel further criminal activity and victimization, said Herbert Stapleton, section chief of the FBI’s Cyber Division, in the IBM panel discussion.
“What are the hackers looking to gain? It’s a simple one-word answer: money,” Stapleton said. Criminals who engage in ransomware attacks are financially motivated and will look for victims who are likely to pay out, so they can make money and also invest in creating better ransomware.
Educators and administrators are feeling the pressure. In a Morning Consult survey sponsored by IBM, 58 percent of educators and administrators said they feel responsible for preventing cyberattacks against their institutions. This was despite 59 percent of respondents saying “they aren’t sure or haven’t received new cybersecurity initiatives or training for remote learning,” even though 78 percent of educators were utilizing some type of online learning tools when surveyed in October 2020.
Additionally, more than half of the educators surveyed said they had not received basic cybersecurity training, and 54 percent of educators and administrators said budget is a “large or medium barrier in strengthening their institution’s cybersecurity posture.”
This can make preventing ransomware attacks even more challenging for education institutions, which threat actors have come to see as “targets of opportunity,” according to the joint cybersecurity advisory.
“These issues will be particularly challenging for K-12 schools that face resource limitations; therefore, educational leadership, information technology personnel, and security personnel will need to balance this risk when determining their cybersecurity investments,” according to the advisory.
Stapleton said that just as districts reassessed their physical security in the 1990s and 2000s after the Columbine shooting, they need to reassess their cybersecurity posture to protect their infrastructure and students.
“If the decision involves a connection to the Internet, cybersecurity has to be baked into that,” Stapleton said, while adding that districts need to be realistic about the threats they face. “If the most likely way you’re going to get attacked is through a remote connection via an end point at a teacher’s home or through a phishing email, don’t worry about protecting against some sophisticated risk.”
In the event that a district is hit by a ransomware attack, it might need to reach out to community partners to help mitigate the effects and restore its systems. This was the case in the U.S. state of Louisiana, said state CISO Dustin Glover, when officials learned that a school district had been hit with ransomware during the last week of June 2020.
Louisiana officials began to investigate the incident and communicate with other districts in the state, only to learn that two others had also been hit with ransomware. That was soon followed by another, impacting 40,000 computers total in 40 different physical buildings.
“We were running out of resources to recover,” Glover explained. “We really had to make sure we were using our resources correctly, standardizing the restoration process, and expanding our assistance scope.”
Ultimately, achieving that goal involved asking the community for volunteers to help with the restoration process. The Louisiana National Guard, state employees, IBM employees, and others answered the call to help, and all of the Louisiana school districts’ networks were operational by the time the fall 2020 semester began, Glover said.
The incident also made Louisiana rethink the way it attempts to prevent ransomware attacks and how it prepares to respond to an incident. Each school district was provided with guidance and went through an evaluation process to assess its network. That analysis led to the discovery that seven other school districts were impacted by malware that could potentially make them victims of ransomware.
“We were able to stop that in its tracks,” Glover said.
To help districts prevent ransomware attacks, the joint cybersecurity advisory provided a series of recommendations and best practices—including maintaining business continuity plans and practicing executing essential functions through emergencies to minimize interruptions.
“Without planning, provision, and implementation of continuity principles, institutions may be unable to continue teaching and administrative operations,” it said. “Evaluating continuity and capability will help identify potential operational gaps. Through identifying and addressing these gaps, institutions can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies.”
When it comes to ransomware attacks, the advisory recommended districts regularly back up their data, air gap the backup, and password protect the backup copies. Districts should also implement recovery plans to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location, the advisory said.
To help provide the financial resources for districts to take some of these actions, IBM launched a $3 million grant program. Districts could apply to the grant program for the chance to receive one of six $500,000 grants and work hours by IBM’s Service Corps team to take steps to improve the district’s cybersecurity posture. As of Security Management’s press time, recipients of the grant had not been chosen.