5 Quick Tips to Protect Your School District from Ransomware Now
Cybercriminals Target Schools with Ransomware – But They Can Prevent It with These Tips
Carley Kimball, Media Specialist
6 Min Read
School districts have become a major target for cybercriminals when students and faculty moved into digital learning environments during the COVID-19 Pandemic. While the pandemic may be winding down, schools still need to ensure their digital environment is secure.
Ransomware attacks targeting school districts are on the rise nationwide, according to K-12 Security Exchange’s (K12 SIX) 2022 State of K-12 Cybersecurity Annual Report. In 2021, K12 SIX documented 62 instances of U.S. public K-12 school districts across 24 states being victimized by ransomware, a highly disruptive cyber-attack tactic employed by online criminals to extort money from victims.
“This is the third straight year that there have been more than 50 publicly disclosed K-12 ransomware attacks and the first year it was the most frequently experienced type of cyber incident cataloged by the K-12 Cyber Incident Map,” the report read. “While the increasing frequency of ransomware attacks should be alarming to K-12 leaders and policymakers, the evolving—and increasingly damaging—tactics of ransomware gangs are primarily what sets 2021 apart from prior years.”
Ransom demands are increasing as well, according to a June 2022 article published in the Insurance Journal.
“In a good situation, it ends up getting negotiated down but claims over a million dollars are absolutely the norm,” said Jessica Blushi, vice president at Keenan & Associates, an Assured Partners’ organization based in California.
Education Grinds to a Halt when Ransomware Attacks
Ransomware continues to surpass other cybercrime incidents, such as Student Data Breaches, Invasion, Denial of Service, etc. When ransomware strikes, schools often need to cancel class, sometimes for days at a time.
In 2020, the Baltimore County School District in Maryland, one of the largest in the country, was hit with a $1.7 million dollar ransomware attack. Highly publicized at the time, the district had to cancel classes for a week, navigate the nuances of notifying concerned parents and the public, and began a grueling process that took nearly a year to recover from. Although the district did not pay the ransom, the recovery process cost a staggering $9.7 million dollars.
In 2021, a Missouri school district was forced to cancel classes for two days as part of their ransomware recovery process which “close[d] down the internet altogether, including the district’s phones, paging systems, and security cameras.”
While school districts are often reluctant to disclose whether they (or an insurance company on their behalf) may have been successfully extorted by ransomware gangs, such public disclosures are not unheard of.
In June 2021, a Texas school district paid cybercriminals $547,045 to “protect sensitive, identifiable information from being published.”
“While these are funds that we would have rather spent on the needs of our employees, students and their families, there was no other choice for the district to ensure your safety – our number one priority,” the district announced.
How Does Ransomware Infiltrate Schools?
Responsibility for ransomware attacks falls on both internal and external actors, according to the K12 SIX Report.
- Staff and administration officials, often lacking the training and guidance necessary to avoid the errant sharing of personal data and credentials, can unknowingly click on a malicious email link or website, opening the flood gates for criminals to take advantage.
- Tech-savvy students, who—in the absence of mentoring and adult guidance—may attempt to circumvent existing cybersecurity controls and/or be lured into parlaying their legitimate access to school IT systems to disrupt, cheat, or even cause harm to others.
- School suppliers and vendors, whose security practices are not considered during school district procurement decisions and product/service implementation
- Online criminals—some based in the U.S., but many based overseas—who seek to profit from weak school district cybersecurity controls by stealing or extorting money from school districts, their employees, and vendors or via credit and tax fraud enabled by stealing personally identifiable information from school districts.
How Can Schools Protect Against Ransomware Attacks?
The Cybersecurity and Infrastructure Security Agency (CISA), a United States federal agency under the Department of Homeland Security, offers numerous resources for school districts to help implement best practices to keep their technology systems secure from bad actors.
CISA recommends the following tips to prevent ransomware attacks in educational settings:
Maintain offline, encrypted backups of data and regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline as many ransomware variants attempt to find and delete or encrypt accessible backups.
Create, maintain, and exercise a basic cyber incident response plan, resiliency plan, and associated communications plan.
- The cyber incident response plan should include response and notification procedures for ransomware incidents. See the CISA and Multi-State Information and Sharing Center (MS-ISAC) Joint Ransomware Guide for more details on creating a cyber incident response plan.
- The resilience plan should address how to operate if you lose access to or control of critical functions. CISA offers non-technical cyber resilience assessments to help organizations evaluate their operational resilience and cybersecurity practices.
Mitigate internet-facing vulnerabilities and misconfigurations to reduce the risk of actors exploiting this attack surface.
- Employ best practices for use of Remote Desktop Protocol (RDP) and other remote desktop services. Threat actors often gain initial access to a network through exposed and poorly secured remote services and later propagate ransomware. Audit the network for systems using RDP, close unused RDP ports, enforce account lockouts after a specified number of attempts, apply multi-factor authentication (MFA), and log RDP login attempts.
- Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices.
- Update software, including operating systems, applications, and firmware, in a timely manner. Prioritize timely patching of critical vulnerabilities and vulnerabilities on internet-facing servers—as well as software processing internet data, such as web browsers, browser plugins, and document readers. If patching quickly is not feasible, implement vendor-provided mitigations.
- Ensure that devices are properly configured, and security features are enabled, e.g., disable ports and protocols that are not being used for a business purpose.
Reduce the risk of phishing emails from reaching end users by:
- Enabling strong spam filters.
- Implementing a cybersecurity user awareness and training program, like those provided by cybersecurity company KnowBe4, that includes guidance on how to identify and report suspicious activity (e.g., phishing) or incidents.
Practice good cyber hygiene by:
- Ensuring antivirus and anti-malware software and signatures are up to date.
- Implementing application allowlisting.
- Ensuring user and privileged accounts are limited through account use policies, user account control, and privileged account management.
- Employing MFA for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems.
- Implementing cybersecurity best practices from CISA’s Cyber Essentials and the CISA-MS-ISAC Joint Ransomware Guide.
In addition to the steps provided by CISA, SchoolSafety.gov offers several resources for districts looking to bulk up their cybersecurity.
While the education sector remains the most affected industry when it comes to malware encounters, according to Microsoft Security Intelligence, IT Departments and Managed Service Providers can take steps to lower the risks of their district becoming cybercriminals’ next target.
About Global Data Consultants, LLC
Global Data Consultants (GDC) is a Premier IT Service Provider with the goal of helping businesses proactively manage and protect their information technology. Recognizing that is an industry that is competitive and constantly changing, GDC realized early that the key to growing was to understand the industry and stick to these fundamental business principles — employ the best talent, excel in the delivery of technical services, and focus on customer satisfaction.
With experienced and certified professionals, GDC delivers services in the areas of managed IT service, application development, data center, 24/7 multilingual service desk, desktop lifecycle management, project management, and business process consulting.