According to Emsisoft, 58 schools and school districts have publicly reported ransomware attacks in 2021, but we know this is only a fraction of the actual figure. Public officials and industry experts acknowledge that the rise in attacks is a national crisis, yet most schools are still not required to report ransomware — why?
Earlier this year the ransomware research team at Recorded Future, where I work as an intelligence analyst, submitted Freedom of Information Act requests to the education departments in all 50 states and the District of Columbia, looking to see if they had information about ransomware attacks against schools in their states occurring between Jan. 1 and July 31 of 2021. Almost none of them did. The specific request we filed was:
“A list of all schools or school districts in [State Name] that have been victims of ransomware attacks in 2021 through July 31st. If possible, I’d like the school/district name, date of attack and the ransomware strain involved.”
Most departments responded with “No Responsive Documents.” Generally, these responses came with notes similar to the one received from New Mexico’s Public Education Department: “According to Richard Trujillo, NMPED’s Deputy CIO of the Information Technology Department, the NMPED does not collect this information from the New Mexico public school districts or charter schools.”
Several states suggested contacting the individual school districts to see if they had information.
But we found the same situation across most states: There is no requirement for schools to report ransomware attacks to the state education departments, or anywhere else.
Even in states where reporting is required, there are often loopholes. For example, the Missouri Department of Elementary and Secondary Education wrote in part: “Pursuant to § 162.1475, RSMo, districts are required to report breaches of electronically stored student data to DESE. In reviewing the information reported to DESE under this statute for the time period you specified, we did not find any districts reported ransomware attacks.”
DESE had “No Responsive Documents,” but public reporting shows there have been ransomware attacks against Missouri schools in 2021 — in Affton School District, Park Hill School District and Rockwood School District. Local news outlets reported: “Affton School District said they do not believe any sensitive information, personal data, financial information, or grades have been compromised.” And in the Park Hill incident, a local outlet reported: “District officials said there is no evidence of data being taken in the attack.”
That meant that neither district had to report the ransomware attack to the state’s education department. Yet we know that stolen data from both attacks appeared on ransomware extortion sites.
In other cases, there may be reporting requirements, but the education department will not share this information. For example, the New York State Education Department responded to our request with: “However, while we recognize that some information about ransomware attacks in public schools have been publicly reported by others, SED cannot disclose the information requested as doing so could compromise the security of the school district’s technology assets.”
Trying to hide the number of ransomware attacks against schools in a state doesn’t change the fact that school systems around the world are under assault by ransomware groups. Everyone acknowledges that ransomware attacks against schools are on the rise and a crisis that needs to be addressed. The graphic below, from The Record, shows the rapid rise of ransomware attacks against schools.
Even though no one has a complete picture, the trends from the attacks we know about are very clear and worrisome, especially with the rise of secondary extortion in which ransomware groups publish sensitive data. Unfortunately, this has already happened to students from Fairfax County in Virginia, Clark County in Nevada and others.
Most experts agree that reporting requirements help keep everyone more secure. Reporting ransomware attacks helps officials communicate important information about trends in ransomware attacks such as increases or declines, ransomware families and tools used and initial vector access.
As new school years begin around the country, everyone expects ransomware attacks against schools to increase, as they have done in the fall for the last three years. It is time that states implement effective reporting requirements to ensure everyone understands the nature of the threat and schools can better prepare to defend themselves.