The ‘real consequences’ of ransomware against schools
The public school system in Yazoo County, Mississippi, last week revealed that it paid a company $300,000 to help recover data that had been encrypted and stolen in a ransomware incident. In other words, the school district became the latest ransomware victim to pay its attacker’s demands.
But as threat intelligence analyst Allan Liska of the security firm Recorded Future pointed out Tuesday, that $300,000 payment represents about 1.5% of the Yazoo County schools’ entire $19.5 million annual budget.
“And that’s a budget that’s going down next year because of declining revenue due to the coronavirus pandemic,” Liska said while hosting an online panel about an ongoing spate of ransomware attacks against K-12 organizations.
According to StateScoop’s Ransomware Attacks Map, there have been 131 incidents involving school districts across the United States since 2016, counting Yazoo County, though those are only the attacks that have been publicly disclosed; Liska and the panelists who joined him believe the true number to be much higher. And the slew of attacks has made ransomware a persistent threat to interrupt the education system, they said.
“Messing with kids has real consequences for our society,” said Harlan Greer, a cybersecurity and counterterrorism adviser to Sen. Maggie Hassan, D-N.H.
Many ransomware attacks against school districts have compromised personnel and financial data. But some incidents have interrupted the learning process: Schools in Hartford, Connecticut, last month delayed the start of their academic year — both for both online and in-person instruction — after a ransomware infection.
“It’s sort of a morbid joke that instead of a snow day, schools now have cyber days,” Liska said.
The shifting nature of ransomware tactics — from simply locking up files and demanding a payment for an encryption key to threatening to publish stolen data on the open internet — may also be leading more education-sector victims to pay up, said Charles Carmakal, the chief technology officer at Mandiant, the incident response arm of the cybersecurity firm FireEye.
“The whole dynamic of threat actors stealing data, it’s fundamentally changed how they extort organizations,” he said. “Sometimes [schools] feel compelled today because they don’t want the information of their students or teachers to get publicized.”
The school system in Athens, Texas, paid a $50,000 bounty in July to keep its data from being leaked online, and several colleges and universities have succumbed to ransom demands this year, too, including the University of Utah and University of California, San Francisco.
Ransomware attacks against school districts begin similarly to those against other sectors, often with a phishing link or exploiting an unpatched vulnerability in a remote-access protocol. And just as government officials and industry experts have said that the explosion of remote work during the COVID-19 pandemic has given threat actors a much greater attack surface, the effect has been similar for school districts that are operating entirely online.
“There are new nuances we had to dip our foot into immediately so students have the technology at home they needed, but make sure we had the security perimeters to protect them,” said Quintana Patterson, a senior information security analyst for the public schools in Jefferson County, Colorado. “We have to secure those devices and allow them to access the resources they need.”
But the profile of users in a K-12 learning environment is a bit different than that of those on a government-agency network. Most are kids unfamiliar with the importance of strong passwords and access management.
“For the kindergartners it’s a new experience. For the middle and high schoolers we have to do some re-education,” Patterson said.
Carmakal, of Mandiant, put it more bluntly: “I’m not going to tell you what my son’s password is, but he’s five-and-a-half years old.”