Over the past few weeks, school districts in Iowa and Massachusetts have been forced to cancel classes after cybersecurity breaches. Federal officials warn that those types of attacks are on the rise, because school districts are attractive targets for online criminals.
School officials are reluctant to talk in any detail about their cybersecurity strategies, for fear of leaving their districts open to an attack. But district leaders in the Fort Worth area say their technology departments work constantly to ensure that school networks, as well as students’ and teachers’ information, are secure.
Cybersecurity experts say the uptick in ransomware attacks against school districts could be an indirect result of the pandemic: When COVID-19 began spreading widely in the United States, districts shut down school buildings and moved classes online. That move allowed schools to keep students engaged at a time when public health experts said it was unsafe to gather in large groups, but it also gave criminals more avenues to access districts’ networks.
“That’s a very good example of how COVID actually changed the landscape, making the school district become a permanent target for their attacks,” said Jingguo Wang, a professor of information systems at the University of Texas at Arlington’s College of Business.
IOWA, MASSACHUSETTS DISTRICS CANCEL SCHOOL DUE TO RANSOMWARE
During a ransomware attack, hackers block an organization’s access to its own network until a ransom has been paid. Often, attackers also steal sensitive documents and threaten to release them online unless the organization pays.
On Jan. 9, officials in the Des Moines school districtannounced classes would be canceled the following day due to a ransomware attack. In a statement, district officials said the incident had disrupted online tools teachers use in class and systems that keep the district running. Classes resumed Thursday.
A few days earlier, district officials in Swansea, Massachusetts, a town 12 miles east of Providence, Rhode Island, canceled school after a ransomware attack. The district superintendent said on Twitter that classes would resume the following day, and that the attack had been “remediated.”
Wang said preventing ransomware attacks is a large and growing challenge for school districts. Since the pandemic, districts have grown more reliant on their IT infrastructures for nearly everything they do, he said. Students have tablet computers that they use to do their homework online. Teachers no longer give paper handouts. Instead, they send assignments through Google Classroom or some other online platform. Districts often use online tools for teacher training, as well, he said.
But in most districts, security hasn’t kept up with the growing reliance on online tools, Wang said. Unlike better-resourced organizations like banks and for-profit companies, school districts generally can’t afford round-the-clock monitoring of their networks, he said, so criminals may see them as easy targets for an attack.
NORTH TEXAS SCHOOLS CONTENT WITH CYBER CRIME
School districts in the Fort Worth area haven’t escaped the threat of cyber crime. In March 2020, Fort Worth ISD fell victim to a ransomware attack. At the time, district officials said IT staff spotted the breach and isolated it quickly enough that the personal information of students and teachers wasn’t compromised. Still, the attack left teachers without the ability to take attendance online or use online teaching tools.
Although the district didn’t pay ransom, the cost of the attack was high: Over the months that followed, the district spent nearly $100,000 on the recovery from the breach. The following September, the district’s school board voted unanimously to pay $242,000 to the Dallas-based cybersecurity firm MaeTech to help strengthen the district’s systems.
The district was also one of many businesses and other organizations nationwide that were affected by a December 2021 ransomware attack on Kronos, a timekeeping service the district uses to track employees’ working hours and manage payroll.
Fort Worth school officials declined an interview request for this story. In an emailed statement, district spokeswoman Claudia Garibay said cybersecurity is a top priority for the district.
“Unfortunately, ransomware attacks are a continuous moving target,” she said. “The district is diligent with its security measures to ensure sustainability and uptime for systems that serve our students.”
In August, officials in the Mansfield Independent School District announced that attackers had hit the district’s network, taking down systems that were connected to the internet, including phones, email and the district’s website. Officials initially described the attack as a ransomware incident, but a statement on the district’s website states that “an unauthorized actor” accessed the district’s network, and may have viewed or stolen sensitive records. The statement makes no mention of a system takeover or a demand for ransom. On Tuesday, a district spokeswoman declined to comment on details of the incident beyond the information provided in the statement.
Other North Texas districts say they’re taking the threat of ransomware seriously. Anthony Tosie, a spokesman for the Northwest Independent School District, said district officials don’t discuss their cybersecurity strategy publicly. In an emailed statement, Tosie said the district’s technology staffers stay up to date on potential cybersecurity threats in order to keep the information of students and employees safe.
“Northwest ISD technology leaders closely watch the state of cybersecurity both in the education sector as well as the private sector to stay abreast of potential issues,” he said. “They communicate with peer groups regarding best practices for attacks against school districts and create plans to prevent or mitigate such actions.”
Bryce Nieman, a spokesman for the Keller Independent School District, said the district’s technology department deals with varying degrees of cybersecurity threats daily. Like other districts, Nieman said Keller ISD doesn’t disclose details about its cybersecurity strategy. But keeping digital resources safe is a top priority for the district’s technology department, he said, and the department works constantly to meet or exceed industry standards. That includes conducting periodic reviews of the district’s security posture and adopting any changes necessary to keep pace with current threats, he said.
HACKERS ARE OFTEN WILLING TO NEGOTIATE RANSOMS DOWN
Just as most school districts don’t have the money to pay for high-level cybersecurity, they also don’t often have enough to cover large ransoms. Kay-Yut Chen, a professor of information systems at the University of Texas at Arlington’s College of Business, said hackers generally know that, and are willing to negotiate down their ransom demands.
While hackers may initially demand ransom payments that are well out of the reach of most districts, their cost of doing business is fairly low, Chen said. That leaves them plenty of flexibility to find a price point that districts are able to pay, he said. Although school officials are generally reluctant to spend public money on ransom payments, they often find themselves caught between two unattractive options: paying to have their systems restored, or refusing to pay ransom and paying more to recover from the attack, he said.
Although negotiating a lower ransom payment can be a more appealing option, it, too, comes with its problems: by paying any amount to have their systems restored, districts create incentives for hackers to continue attacking educational institutions, Chen said.
Chen and Wang published a study last year looking at what leads businesses to decide to pay ransom or not. They found that normative appeals — social messages saying that businesses shouldn’t pay hackers — could help nudge business leaders to invest in cybersecurity and refuse ransom demands.
That’s important, Chen said, because if policymakers could convince business leaders and other organizations not to pay ransom, then hackers would have no incentive to continue ransomware attacks.
“If nobody ever paid ransom, then ransomware would go away,” Chen said. “Now, it doesn’t mean that they won’t do other bad things, like steal your data and so on, but at least ransomware would go away.”
LOS ANGELES SCHOOL DISTRICT REFUSED TO PAY RANSOM
The highest-profile recent cybersecurity breach came last September, when the Los Angeles Unified School District announced it had been the target of a massive ransomware attack. Days later, the Russian-speaking ransomware gang Vice Society claimed credit for the attack, telling the tech website BleepingComputer they’d stolen 500 gigabytes’ worth of data from the district’s systems before encrypting them. The group threatened to release those records online unless the district paid an unknown amount in ransom. With the deadline to pay approaching, Los Angeles school officials released a statement saying the district refused to pay.
“Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate,” the statement said.
On Oct. 2, Los Angeles Superintendent Alberto Carvalho announced on Twitter that the group had leaked the stolen data online. The Los Angeles Times reported those records appeared to include Social Security numbers and employee tax documents.
Following the Los Angeles Unified attack, the federal Cybersecurity and Infrastructure Security Agency and the FBI released a joint advisory warning of an uptick in cyber crime targeting the education sector, especially public school districts. Vice Society, in particular, launched a disproportionate number of attacks against the educational institutions, according to the advisory. Districts experienced a range of impacts from those attacks, including lack of access to records and networks, delayed exams, canceled classes and theft of personal information about students and staff.
The advisory noted that school districts are attractive targets for cyber criminals because of the wealth of sensitive student data they keep. Districts with limited cybersecurity capabilities and resources are the most vulnerable, according to the advisory, but even larger districts with more robust defenses can fall victim to such attacks.
Since then, cyber attacks against education institutions have continued. In December, Vice Society claimed it leaked data it stole in a November attack against Xavier University of Louisiana after the university refused to pay ransom, according to the New Orleans Times-Picayune. In the same month, attackers hit the network of Knox College, a small liberal arts school in Illinois. During that attack, hackers emailed students at the college directly, warning them that their Social Security numbers, medical records and other information would be put up for sale, the Galesburg Register-Mail reported.
'THEY'RE NOT GOOD GUYS'
That strategy — directly contacting the people whose data the hackers have stolen — is called multi-extortion, said Ryan Olson, the vice president of threat intelligence for the security firm Palo Alto Networks. It isn’t a common tactic, Olson said, but it’s one that hacker groups sometimes try if their target is unwilling to pay. It puts more pressure on the institutions by adding chaos to the situation, he said: Not only do they have to deal with their networks being taken offline, they also have to field hundreds or even thousands of inquiries from worried students and parents.
The main thing that schools and other organizations can do to avoid falling victim to a ransomware attack is to make sure that all of their systems that are exposed to the internet are as protected as possible, Olson said. That means installing patches to cover any vulnerabilities as soon as they emerge, he said. When those vulnerabilities emerge and are publicized, hackers can scan the entire internet and quickly gain a foothold in as many systems as they want, he said.
“They will be exploited by all types of threat actors, but definitely ransomware actors, within minutes or hours,” he said. “And if you are not on top of patching those, you are low-hanging fruit.”
Besides defending their systems, Olson said districts should also plan for how to handle a scenario where the networks are taken over. In that situation, there will be dozens of questions that district officials need to figure out the answers to, including whether they’ll pay ransom, and if so, how they would do it. Running a tabletop exercise that includes district IT staff, executives and legal advisors can help the district figure out the answers to those questions in advance, he said.
When a school district or other organization is attacked, they’re generally better off seeking help from a security firm to handle the negotiation, Olson said. His firm has handled thousands of ransomware cases, he said, and its negotiators know the right questions to ask. They also know how to spot when attackers are exaggerating about the importance of what they’ve stolen — “sometimes, they’ll lie. They’re not good guys,” he said.
After the fact, it’s important that districts close any vulnerabilities that let the attackers into the networks in the first place, he said. Often, that also means contracting with an outside firm with more expertise than the district’s IT department has, he said. It’s important that they do it thoroughly and quickly, he said, or they could find themselves in the same position a year or even a month later.
“There’s no reason that another ransomware actor couldn’t just walk in the same door,” he said. “So you’ve got to close those holes that allowed them to get into the network.”
©2023 Fort Worth Star-Telegram. Distributed by Tribune Content Agency, LLC.