NetworkTigers discusses the increase in ransomware attacks on schools.
Emsisoft’s The State of Ransomware in the US: Report and Statistics 2022 shows that ransomware attacks on K-12 schools rose from 1,043 in 2021 to 1,981 in 2022, nearly doubling year over year.
So far, 2023 is continuing this trend, and school districts all over the country have been grappling with cyberattacks:
- Des Moines Public Schools of Iowa was attacked in early January, causing a two-day closure.
- Swansea Public Schools in Massachusetts was forced to shut down for a day after a ransomware attack. The school’s IT department, working with an outside cybersecurity company, isolated the incident, and classes quickly resumed the following day.
- Tucson Unified School District, southern Arizona’s most extensive public school system, fell victim to an attack in late January. Faculty discovered a letter in the school’s printers that purported to be from the Royal ransomware gang and stated that the institution’s data had been stolen and encrypted.
- Nantucket Public Schools, also of Massachusetts, suffered an attack around the same time. Classes were abruptly canceled and parents were urged not to power on any school-issued devices to prevent further compromise.
- Minneapolis Public Schools in Minnesota was targeted by the Medusa ransomware gang in late February and faced community backlash for initially downplaying the event as a “technical difficulty.”
Why are ransomware attacks on schools on the rise?
Data shows that ransomware attacks across many other organizations are declining. However, Allan Liska, an intelligence analyst at threat intelligence firm Recorded Future, notes that attacks on schools have been trending in the opposite direction.
“As far as publicly reported attacks go, for everything that we track, school systems were the only sector that was actually up in 2022,” said Liska.
It’s surprising to note that schools have not been giving in to threat actors’ demands.
According to Recorded Future, of the attacks recorded in 2022, only three districts, Iowa’s Cedar Rapids Community School District, California’s Glenn County Office of Education and Arkansas’ Little Rock School District, forked over a ransom.
With schools being some of the least likely targets to pay up, cybercriminals continue to pummel them for the following reasons:
Schools are full of valuable data
Schools keep a tremendous amount of student and faculty information on file. While the ransom itself may appear to be the priority for hackers looking to cash in, when it comes to schools, it’s sometimes just the cherry on top, as the personally identifying data exfiltrated in the process carries a value on the dark web where it can be sold.
Ransomware attacks on schools are easy
Public schools are notoriously conservative with taxpayer money and most expenses need to be approved through various means in what can be a lengthy process. Cybersecurity tends not to be a priority when it comes time for budget approval, meaning that most school IT departments are underfunded, understaffed and unprepared for a cyberattack. The Center for Internet Security reports that one out of every five K-12 schools allocates less than 1% of their already meager IT budget to cybersecurity.
Other organizations have fortified against easy attack
Another factor contributing to schools being increasingly targeted by hackers is that many other institutions have bolstered their security in response to the recent exponential rise in cybercrime. While still vulnerable in some cases, banking institutions, hospitals and large corporations aren’t worth the risk and effort for most threat actors. Schools, it would seem, are something of a last resort.
Ransomware attackers are turning up the heat
Ransomware attackers have previously had to walk a line with their victims in which they have the upper hand but don’t want to come across as so sadistic that they can’t be trusted to deliver after a payment has been made. However, targeted organizations have become wise to the fact that paying off criminals doesn’t always mean they’ll get their data back. As a result, the victim pool is thinning and threat actors are becoming noticeably more aggressive.
For example, a healthcare practice in Lackawanna County, Pennsylvania resisted the BlackCat ransomware gang’s demands and saw sensitive patient data and photographs of individuals receiving cancer treatment published on the outfit’s website.
Schools populated by young people are full of opportunities for hackers to exploit parental concerns.
Threat actors use kids’ data as an extortion tool
Ransomware attackers have been observed taking advantage of the fact that information related to minors’ physical or mental health issues can be pulled from school databases and used as leverage against the institution.
In the case of a school in Texas that was breached, parents received emails directly from the threat actors responsible that encouraged them to insist that the district pay up or face the consequence of their children’s personal information being published.
The attack against Minneapolis Public Schools followed a similar pattern: the Medusa ransomware gang demanded $1 million in exchange for the data they stole. The criminals drove their point home by releasing a video in which they threatened to reveal sensitive documents about sexual violence accusations, sex offender notifications and instances of student maltreatment.
As of this writing, Minneapolis Public Schools has reportedly not given in to Medusa’s demands. Medusa, however, has made good on its threat and has begun releasing data to the dark web.
How can ransomware attacks on schools be prevented?
Looked at one way, hackers’ move to school districts signals a shift in which ransomware attacks are proving to be less effective. The additional desperation attackers are showing in their tactics, disturbing as it may be, could be one of the first telltale signs that this particular brand of criminal enterprise may not be as attractive as it was a year or two ago.
However, attackers won’t relent until all opportunity has evaporated, and the move to the young and the ill feels more insidious than previous attacks launched against faceless corporations with the insurance and capital to power through the inconvenience.
Public schools must allocate funds to IT departments to insulate student data from prying eyes. Parents must demand more focus on cybersecurity and collectively make their feelings known.
With threat actors circling the country’s most vulnerable population without shame and social media connectivity allowing potentially life-altering personal information to be shared amongst peers, communities must come together to protect young people from criminal activity in places that should be some of the safest they’ll experience.