Teachers in Baltimore County Public Schools knew something was wrong late in the day on Nov. 24 when they began to experience trouble entering grades into the school district’s computer system. Around the same time, the video for a meeting of the district’s school board abruptly cut off.
Both situations were the result of a cyberattack that had hit all of the school district’s computer networks, disrupting online classes for 115,000 students.
The episode was by no means isolated.
Rather, it was just one of several in an uptick of ransomware attacks in which cybercriminals have targeted public schools throughout the United States – from Hartford, Connecticut, to Huntsville, Alabama – since the 2020-21 school year began.
Federal cybersecurity officials say the attacks – which involve things that range from the theft of sensitive student data to the disruption of online classes – are expected to continue.
As a researcher who specializes in cybercrime and cybersecurity, I know that public schools represent easy and attractive targets for cybercriminals.
Attacks have doubled
This vulnerability is in part due to the fact that most schools spend very little on cybersecurity, despite the fact that they need to perform a large amount of file sharing on their networks. They also may be likely to comply with cyberextortionists’ demands because taxpayers and parents expect them to restore networks quickly.
Cyberattacks may not be completely avoidable, but there are steps school system leaders can take to reduce the likelihood that the attacks occur or that sensitive student data is stolen and leaked onto the dark web, as was the case in Fairfax County, Virginia, in October. But first, let’s take a look at the scale and scope of the problem and how dramatically ransomware attacks increased between spring and fall of 2020, both in the United States and globally.
From March until mid-November, cybercriminals attacked U.S. school districts educating over 700,000 students. In the U.S., public K-12 schools represented about 28% of all reported ransomware incidents from January to July. That figure more than doubled, to 57%, for August and September, when K-12 schools began the fall semester.
In Europe from July through August, the number of weekly cyberattacks against the education sector increased by 24%, compared with 9% for all sectors. During that same period, weekly cyberattacks targeting the education sector in Asia increased by 21%, compared with 3.5% against all industries.
Compared with most organizations and workplaces, public schools are less prepared to defend themselves against cyberattacks.
For instance, in Baltimore County, a state government report indicated that the school system’s network lacked adequate security and had failed to properly safeguard sensitive personal information.
Typically, public schools have small IT teams. Some have technology leaders with no formal training in technology.
Public schools also lack proper data backup and recovery systems and procedures.
Given the large number of users, school networks have many vulnerable points of entry and face higher risks of malware infection and transmission. Students might also use devices with outdated software, and their home networks might be insecure. If one student’s device is attacked, that may be used as an entry point to attack the entire school network.
For instance, the criminals may send malicious email attachments to other users of the network using the student’s credential. Most K-12 students lack cybersecurity training, which includes how to spot malicious links or infectious attachments.
Public schools are under pressure to ensure that students have access to online learning opportunities during the COVID-19 pandemic. The pressure to quickly restore networks is especially acute after the school year starts. Cybercriminals are taking advantage of this situation
After penetrating a school network, the perpetrators seek to gain privileged access and identify critical systems. They then gather large numbers of account credentials, such as usernames, passwords and other items used to validate identity for authentication. They may also steal other sensitive data, try to destroy backups and disable security processes.
According to the antivirus company Emsisoft, after ransomware perpetrators compromise a network, they stay in the network for an average of 56 days before they deploy ransomware.
Ransomware attacks against K-12 schools dramatically increased when the 2020 school year started. The number of universities, colleges and school districts facing ransomware attacks increased from eight during the second quarter of 2020 to 31 during the third quarter.
Sensitive personal data is also involved in such attacks. In nine of the 31 ransomware incidents victimizing U.S. schools in the third quarter of 2020, the perpetrators had stolen personal data. The five most active ransomware groups targeting K-12 schools – Ryuk, Maze, Nefilim, AKO and Sodinokibi/REvil – run leak sites to “dump” personal data if victim schools refuse to pay.
In September, ransomware gang Maze attacked Ohio’s Toledo Public Schools and published personal data of faculty, staff and students online. Personal data posted on the dark web included students’ and employees’ Social Security numbers and dates of birth. The criminals also disclosed information related to students’ exam grades, disciplinary action and disability status. The identities of an eighth grader whom the school had listed as emotionally disturbed and a ninth grader suspended for sexual activity were revealed. A list of foster children was also published.
Children’s data are highly valuable
Among the most serious concerns in ransomware attacks against schools is that leaked children’s data is likely to be sold in the dark web. Even before ransomware attacks started, children were 51 times more likely to be targeted for identity theft than adults.
Some identity thieves specifically target children because the children may not find out that they were victimized until decades later after applying for credit.
The unique value of children’s Social Security numbers also stems from the fact that they lack a credit history and can be combined with any name and birth date.
What can schools do?
School leaders should develop clear guidelines and policies to strengthen cybersecurity. Regular updates about phishing and other threats, as well as strategies and instructions to mitigate and manage such threats, must be provided to students and staff.
Schools can also use free services to enhance cyberdefense. Of the 13,000 school districts in the U.S., only 2,000 are taking advantage of free membership in the Multi-State Information Sharing & Analysis Center. The center offers network vulnerability assessments, cyberthreat alerts and other services, such as Malicious Domain Blocking and Reporting, which prevents computer systems from connecting to malicious websites. Only about 120 schools use the blocking service.
Many school districts rely on outdated equipment and software, which are easy to hack. It is important to patch operating systems and software when manufacturers release new updates. It also helps to constantly back up important data. By frequently backing up data and keeping it secure, schools can ensure the access to networks without disruption.
Schools may also want to purchase cyberinsurance to defend against ransomware and other cyberthreats. Insurance not only helps pay ransom, but it also helps to defend against attacks, because schools need to strengthen their security to get a lower premium. When online education company K12 Inc., which creates online learning curricula for over 1 million students, faced ransomware attacks in November, the company worked with its cyberinsurer to make the ransom payment.
[Deep knowledge, daily. Sign up for The Conversation’s newsletter.]
This article is republished from The Conversation, a nonprofit news site dedicated to sharing ideas from academic experts. It was written by: Nir Kshetri, University of North Carolina – Greensboro.
Nir Kshetri does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.