Chart of the Week: Ransomware Attacks on Schools

As students across the country return to class — whether in-person or remote — cybersecurity practitioners are bracing for the return of ransomware attackers.

Haywood County Schools in North Carolina, for example, shut its doors on Monday after reportedly being hit by a ransomware attack. The district’s website was unavailable on Monday, and phone calls made by The Record to the superintendent and other county school officials could not be completed.

References to ransomware attacks on schools spiked last September, according to data collected by Recorded Future from sources including hacker forums, threat feeds, news reports, and code repositories. At least 15 school districts were hit by ransomware attacks during a two week period that month, affecting more than 100 K-12 schools, according to a report from cloud security company Armor Defense Inc.

Although that trend could continue this year, the shift to remote learning might be a blessing in disguise. All of the school school systems that have publicly disclosed that they’ve been hit with ransomware attacks this school season are ones that have brought students back in person, according to Allan Liska, a ransomware specialist at Recorded Future.

“We are definitely in an uncharted territory,” said Liska. “There has been a small uptick in ransomware attacks as schools get back into session, but with so many school systems going remote this semester there is a much smaller attack surface for the ransomware groups to target.”

Schools make an attractive target for ransomware operators because they often lack cybersecurity expertise and other resources to defend against attacks. They also hold large amounts of sensitive data, and may be more willing to pay demands because of pressure from parents to resume operations. The K-12 Cybersecurity Resource Center, which maintains a database of publicly-reported school cybersecurity incidents, said there were nearly three times as many attacks in 2019 than in 2018. The center attributed this increase to a number of factors, including the greater reliance on technology by schools, the disproportionate targeting of local government agencies, and an increased awareness around reporting cybersecurity incidents.