FBI, CISA Warn K-12 Schools of a Spike in Ransomware, With More Threats on the Horizon

In the past, school closures were instigated by snow dumps, pipe bursts, bomb scares and other incidents that could potentially cause physical harm. In 2020, ransomware can be added to the top of the list.

On Thursday, the FBI and Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency warned that 57% of ransomware attacks reported in August and September to MS-ISAC—a government-funded center that tracks cyberattacks on state, local, and tribal governments—hit K-12 institutions. That’s up from 28% between January and July. The alert suggests that the rapid transition to distance learning in 2020 contributed to cybersecurity gaps, which made schools more vulnerable to attack.

The attacks have hit school systems of all shapes and sizes across the country. Early in the year, Richmond Community Schools in Michigan had to cancel classes after hackers demanded a $10,000 ransom. In July, Athens Independent School District in Texas delayed its opening by a week and agreed to pay hackers $50,000 to unlock its data and systems. In August, hackers infected Clark County School District in Las Vegas with ransomware and leaked student information online. In September, Hartford’s school district in Connecticut postponed its opening for 18,000 students. Also in that month, Newhall School District in California had to shut down online learning after its systems were disrupted by a ransomware attack. Last month, Baltimore County’s public school system had to close around Thanksgiving after falling victim.

That’s just a sample of the attacks that have brought schools to their knees, and the alert issued yesterday suggests that more attacks are on the horizon. The FBI and DHS warned that they expect hackers to exploit remote learning environments through email phishing attacks and domain spoofing, which involves creating a website that looks legitimate but is controlled by the cybercriminal.

“Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year,” the report read.

The alert highlights how hackers see schools as an easy target, and are trying to take advantage of them as they undergo never-before-seen transitions due to the COVID-19 pandemic. The attacks put strain on student learning and parents’ lives at a time when many of them are adjusting to distance learning programs and remote work.

“What compounds these attacks is that, due to the rapid increase in distance learning, any type of cyber incident is leading to more visible disruptions. Compromising a school’s online network is no longer a potentially isolated incident that affects only grading software or administration technology—it directly impacts student learning,” said David Ruiz, an online privacy advocate at Malwarebytes Labs who directed a recent report on cybersecurity and education.

Allan Liska, a ransomware expert at Recorded Future who has analyzed attacks on school systems, said the statistic highlighted in the alert shows that ransomware operators are launching their attacks to maximize damage. “The reason we’ve seen a  big jump in ransomware as a percentage in August and September is that the ransomware actors are getting smarter—they know it will disrupt the start of school and they know it makes it more likely for them to pay,” he said.

In addition to ransomware, the alert highlighted a number of other threats that schools face, including a wide variety of malware—ZeuS, Shlayer, Agent Tesla, CoinMiner, Dridex, Gh0st—that could be used to steal student data and cause disruptions. Social engineering against parents, teachers, and students can also give hackers a foothold into vulnerable systems, the alert warned.

“All of these other threats don’t get as much attention because they don't shut down schools the way ransomware does,” Liska said. “But schools are getting hit with all other types of malware that are collecting data on students, being used as part of botnets, using school resources to mine for Bitcoin and other kinds of cryptocurrencies. It’s a wide range of things, but all of it is there.”

The alert also highlighted the threat of domain spoofing, in which attackers create a URL that looks legitimate but is actually controlled by them—an example in the report was cottoncandyschoo1.edu instead of cottoncandyschool.edu. Liska said this type of attack would be difficult for a cybercriminal to pull off because the .edu domain is reserved for verified educational institutions—however, an attacker could easily create a .com page that mimics the school’s website, he said.

Liska added that one threat the report didn’t dive into but has been an issue for many schools is distributed denial-of-service attacks. These types of incidents, in which an attacker floods a network with junk traffic to make it inaccessible, have affected several schools in recent months and are mostly launched by students.

The advice issued in the alert mainly consists of basic cybersecurity hygiene, suggesting that many schools falling victim lack the resources or expertise to implement fundamental security measures.

These include patching operating systems and software as soon as manufacturers release updates, regularly change passwords, use multi-factor authentication where possible, implement network segmentation, audit user accounts with administrative privileges, identify critical assets such as student database servers and distance learning infrastructure, and create backups of these systems and house them offline from the network to prevent them from being compromised in ransomware attacks.