

Ransomware Poses Tough Lesson for School Districts

Students may be returning to classrooms, but school districts are the ones learning some hard lessons as the U.S. academic year starts. Ransomware groups are once again targeting educational institutions in hopes of disrupting classes enough to earn a quick payout.

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA, part of the U.S. Department of Homeland Security), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory on 6 September warning that malicious actors are “disproportionately targeting the education sector with ransomware attacks.”

The advisory continued: “Over the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, have been a frequent target of ransomware attacks. Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff.

“The FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks,” the advisory continued. “School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk. K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers.”

The concern was well-founded. During the recent Labor Day holiday weekend, the Los Angeles Unified School District (LAUSD) was affected by a ransomware attack that caused ongoing technical disruptions. LAUSD is the second largest school district in the United States, serving more than 600,000 students across 1,000 schools.

The technical issues did not affect transportation, food, or after-school programs, so instruction went ahead after the holiday, and classes resumed as planned on 6 September. However, ongoing disruptions affected access to email, computer systems, and some applications such as Google Drive and Schoology (a K-12 learning management system), TechCrunch reported.

Password resets were the main challenge that LAUSD students and employees faced on 6 September, according to a press release from the district. Password resets caused a bottleneck early in the day, but the issue improved steadily and wait times decreased to less than six minutes per caller, the district said.

“Over the past 24 plus hours, we have benefited from the extraordinary level of collaboration and cooperation from our partners, but we would also like to highlight the special collaboration and the rapid deployment of resources to our school system by the Federal Bureau of Investigation,” said LAUSD Superintendent Alberto M. Carvalho in the press release. “We have had no fewer than six special agents and staff helping our school system deal with this incident. We are truly grateful for this unwavering commitment to pursue those responsible for these attacks.”

“Today our preliminary student attendance was 83 percent, which does not yet include full reporting from across the District,” Carvalho said. “If Los Angeles Unified had lost its ability to run school buses, over 40,000 students would not have been able to get to school. If our food services or payroll system had been compromised, the implications both in the lives of students and employees would have been significant. We know today was challenging, but the impact of this incident could have been catastrophic if our teams and partners had not responded quickly and decisively, cut off the hacker’s access immediately, and worked expeditiously to restore operational capacity.”

According to a preliminary analysis, LAUSD noted that employee healthcare and payroll were not affected, nor were safety and emergency mechanisms at the schools. It is unclear whether any data was stolen in the ransomware attack, and school officials said that they had not received a ransom demand, which is unusual for this type of incident.

The FBI, CISA, and MS-ISAC specifically called out Vice Society as one of the main actors targeting schools. Vice Society is a “discreet but steady double extortion ransomware group” that emerged last year, according to a SEKOIA.IO blog. The group exfiltrates and encrypts victims' data and then threatens to leak the stolen information to pressure victims into paying a ransom. More than a quarter of the group’s victims are in the education sector.

So far in 2022, 50 education sector institutions have been hit with ransomware, including 26 universities and 24 school districts, according to TechCrunch.

Labor Day weekend is also a popular time for cyberattacks because attackers know that IT staff will be thin on the ground and any reaction to unusual activity will be delayed, according to reporting from the Whittier Daily News. In 2020, for instance, a ransomware attack over the holiday weekend derailed a school district’s reopening. Schools’ switch to remote learning during the COVID-19 pandemic also heightened their ransomware risk, and that risk persisted even after in-person classes resumed.

“Ransomware attacks on schools have become the new snow day for students,” said Christopher Scott, director of security innovation, Office of the CISO, IBM, in a statement in February 2021. “Stay-at-home orders, and the switch to remote learning, have changed the focus for cybercriminals looking for easy targets as everyone from kindergartners to college professors have adopted remote technologies. And with budgets focused on new ways of learning, many schools are in need of additional resources and technology to change the dynamic and lower the financial ROI for the bad guys targeting them.”

CISA offered additional analysis of likely ransomware attack methods, and in the cybersecurity advisory, the agency recommended multiple mitigations to limit “potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise.”

For the full list of recommendations and resources, see the joint FBI, CISA, and MS-ISAC advisory.