Actors using the Maze ransomware are claiming credit for a recent string of attacks against large public school districts across the United States, just as students and teachers are returning to their mostly virtual learning environments.
Last Friday, the school system in Fairfax County, Virginia, which enrolls nearly 200,000 students, reported that it had been compromised by Maze, which posted a file containing stolen data on a website it uses to extort its victims into paying. While Fairfax County Public Schools officials said the incident has not affected the district's remote learning services, it occurred days after similar attacks against the public school organizations in Toledo, Ohio, and Clark County, Nevada.
Maze has also claimed credit for those, threatening to publish stolen files if bounties are not paid. Another attack last week in Hartford, Connecticut, credit for which has not been claimed, delayed the start of the new academic year there.
Katie Nickels, the director of intelligence at the information security firm Red Canary, said that while ransomware attacks against K-12 education systems have become frustratingly commonplace, incidents at the start of a new school year defined by pandemic-imposed distance learning and dwindling funding are especially despicable.
“I am so outraged at these ransomware operators,” she said. “Schools are trying to get back in session. Teachers and students are dealing with enough without these challenges.”
Nickels also wrote on Twitter that there is a “special place in hell for ransomware operators who attack hospitals or schools.”
There is a special place in hell for ransomware operators who attack hospitals or schools. Especially in the first week of school. You suck and FYI, we are actively working to make your lives miserable. https://t.co/Oyh36UWdpL
— Katie Nickels (@likethecoins) September 11, 2020
But schools also remain, Nickels said, an “easy target” for ransomware actors, even more so with many districts being forced to adopt universal online education, broadening the potential attack surface. Red Canary, which specializes in endpoint detection and response services, published guidance last month stating that ransomware could take advantage of remote learning as schools’ computers and other devices are installed on teachers’ and students’ home networks, and video-conferencing platforms like Zoom or Microsoft Teams are introduced to new, unfamiliar users.
According to StateScoop’s Ransomware Attacks Map, at least 129 K-12 systems have been targeted since 2013, including Fairfax County, Clark County and Toledo. Nickels said that trend won’t slow any time soon, suggesting that as ransomware actors mature and shift their tactics, it would take a major law-enforcement effort to stop them.
“I’m struggling to think of how we find an end to this,” she said. “Deterrence in cyberspace is such a challenge. There may have to be a major takedown and indictment operation, global law enforcement working together.”
Meanwhile, attacks against schools continue to be among the most reprehensible, she continued.
“There aren’t really international laws or norms about what’s acceptable in cyberspace, but I feel like there should be,” Nickels said.
She also likened the start of the new school year to the first few weeks of the coronavirus pandemic, when there was some chatter on hacker forums that hospitals should be off-limits for ransomware during a global health crisis — pledges that were quickly revealed to be empty as dozens of hospitals and organizations researching COVID-19 vaccines have been hit in 2020.
Now, she said, malicious actors see schools’ scrambling to reopen or remake their classrooms as a juicy target.
“This shows us that adversaries exploit any opportunities they have,” she said. “They’re going to leverage that to make money. It’s so frustrating to continue to see these attacks against schools at this time.”