More than half of all ransomware attacks against state and local government entities reported over the past few months have targeted K-12 school systems, the Cybersecurity and Infrastructure Security Agency said Thursday in an alert released in conjunction with the Multi-State Information Sharing and Analysis Center.
According to the advisory, 57% of ransomware incidents reported to the MS-ISAC in August and September — when new academic years began — affected school districts, compared to 28% in the first seven months of the year. And ransomware events against schools have continued to tick up since September, including an attack last month against the K-12 district in Baltimore County, Maryland, that caused classes to be canceled for several days around the Thanksgiving holiday.
“Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year,” the alert reads.
The CISA document arrives one week after members of the Senate Homeland Security and Government Affairs Committee asked the agency’s acting director, Brandon Wales, to do more to protect the education sector from ransomware, which over the past few months has also hit schools in Hartford, Connecticut; Fairfax County, Virginia; Clark County, Nevada; and Toledo, Ohio. Some of the incidents, including the one in Fairfax County, resulted in student and teacher information being published online by the attackers.
Wales said during the Dec. 2 hearing that CISA had expanded the resources it offers to education institutions, particularly guidance about securing remote learning environments, but admitted there’s more it can provide.
“We need to arm [schools] with the same resources, same information that are offered at no cost to states,” he said.
Along with ransomware, the new CISA alert warns that K-12 organizations face a slew of other threats, including malware that uses command-and-control attacks to steal sensitive data about students and teachers, distributed denial-of-service attacks that overwhelm networks, and disruptions of video conferencing by pornography, violent images or targeted harassment of students and teachers.
A Miami high schooler, for instance, was charged in September with orchestrating a wave of DDoS incidents that disrupted the first week of classes, which were conducted mostly online. And many schools’ remote lessons have been interrupted by outside malicious actors — a phenomenon known as “Zoombombing” — who either steal credentials from students and teachers or access classes when video-conference links are made available publicly.
“Video conference sessions without proper control measures risk disruption or compromise of classroom conversations and exposure of sensitive information,” the alert reads.
The alert goes on to say that students, teachers, faculty and other personnel are appetizing targets for phishing attempts and other schemes designed to steal personally identifiable information and network credentials that could be used in subsequent attacks. “Typosquatting,” in which actors register web domains designed to look similar to legitimate sites, is also a risk. (CISA issued similar warnings this year regarding election-related websites.)
The alert suggests several steps that education officials can take to secure their remote-learning environments. In addition to the usual prescription of regularly backing up network storage and installing security patches and operating system updates, school districts are advised to enroll in a DDoS-mitigation service, offer cyber-hygiene training to students and employees alike and ensure remote learning sessions are password-protected.
It also recommends that school districts’ IT administrators review how they are configuring software that uses Remote Desktop Protocol, the Microsoft service that remains a frequent avenue of ransomware attacks.