Ransomware has struck in the education sector. Buffalo City Schools closed their doors last week, but not because of COVID-19 or a pending winter snow storm even though a spare “snow day” was used for one day of missed classes. No, the real culprit for the closing was ransomware. Ironically, many students were supposed to return to class as part of a phased reopening plan but school leadership was forced to postpone these efforts a full week. The attack was detected on March 12, at which point all virtual classes were cancelled, as the school’s IT leadership made the decision to disconnect the school system from the internet as a precaution. After diligently working for four days straight, the internal IT department with the help of an outside cybersecurity company was able to restore virtual learning without too much interruption. The FBI was also brought in to assist in the investigation. Although there were no reports of a ransom, the FBI stated that a demand of over $100,000 would have been expected. The real fear is that the attackers made off with the personal data of students and staff, however, it has been undetermined whether data was compromised as of yet. While most of the school’s digital infrastructure has been restored, there are still certain functions such as bus routing and HVAC that remain unstable.
Buffalo City Schools were not the only New York school system to be brought down by ransomware this year. The Victor Central Schools District experienced a similar attack back in late January. The attack was discovered on a Saturday when the telephones went down along with many internal IT services. The school system was using a hybrid learning model at the time in which students are rotated between virtual and in-classroom learning throughout the week. While virtual classes were affected for the following Monday, on-prem learning was cancelled for the full week. Although the school system did receive a ransom note, school leadership chose to ignore it and took on the task of cleaning and rebuilding their internal servers. The FBI was also brought in and it was determined that no personal data was stolen by the attackers.
While it is not yet known how the two stated ransomware attacks were carried out, the FBI issued an alert this week to education sector organizations in the US and UK concerning a dramatic uptick in multi-state extortion attacks using the Pysa ransomware variant. These attacks are multipronged in that they first extort the targeted victim for encrypting data. They also steal personal and sensitive data to use as leverage should the victim fail to pay the initial ransom. Pysa ransomware either uses phishing emails or takes advantage of exposed RDP endpoints by using compromised credentials. In many cases, the attackers attempt to disable anti-virus capabilities across the victim’s network before deploying the ransomware.
The FBI reports that cybercriminals are targeting with schools that heavily use Windows machines. Many schools have implemented virtual learning programs that incorporate Windows laptops. An example this was experienced by Huntsville, Alabama City Schools in December. Laptops were collected from both teachers and students as part of the cleanup project, which greatly disrupted learning efforts. Parents and school system employees were also informed that their data such as social security numbers may have been compromised during the attack.
The surge of attacks on K12 organizations is not a coincidence. Cybercriminals are extremely opportunistic and recognize the opportunity that K12 schools present. In the past 12 months, school systems have asked employees and students to operate from home, while offering little to no additional training on cyber hygiene. K12 IT workers have been swamped managing and supporting the swift migration to virtual learning operations. Small rural districts also don’t have the budgets to purchase modern security tools.
There is no doubt that our K12 institutions are threatened by these malicious parties. Contact us at TitanHQ about how we can help ensure that learning remains a safe practice regardless of where it takes place. Contact us today.
Sign-up for email updates...