photo illustration of desks
(Image: MChe Lee/Illustration: The Record)

LA public schools hit with back-to-school ransomware attack

The second largest public school district in the U.S. was targeted in a ransomware attack over Labor Day weekend, continuing a trend of cybercriminals attacking the education sector around holidays and the back-to-school season. 

Los Angeles Unified School District (LAUSD) first publicly reported “technical issues of an external source” Monday night, noting some services — including email — were disrupted. Then it confirmed a ransomware attack, but said schools would be open as normal Tuesday, despite “significant disruption” to the district’s systems. 

Experts said that staying open is a good sign. 

“They are apparently getting enough systems to work that they don’t have to close,” explained Recorded Future intel analyst and ransomware researcher Allan Liska. 

LAUSD served an estimated 574,570 students across early education, elementary, secondary, and adult education classes in the 2021-2022 school year, according to the district’s data. It operates more than 1,400 schools and educational centers while employing more than 73,000 people. 

In a statement posted to its website, the District said it believed payroll and health coverage would not be disrupted, but noted some “business operations may be delayed or modified.”

LAUSD also said it’s working with local police and federal agencies to mitigate and investigate the attack. 

“After the District contacted officials over the holiday weekend, the White House brought together the Department of Education, the Federal Bureau of Investigation (FBI) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to provide rapid, incident response support to Los Angeles Unified, building on the immediate support by local law enforcement agencies,” the statement said.  

A known problem 

Educational institutions have struggled in recent years to respond to a wave of ransomware attacks at the same time the Covid-19 pandemic has made schools more dependent on digital tools to deliver learning.

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI on Tuesday warned that they “anticipate attacks may increase” against the education sector as the school year begins. The agencies specifically offered guidance against a ransomware group known as Vice Society.

“School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk,” the alert said. 

Cybercriminals may see K-12 institutions “as particularly lucrative targets” due to sensitive student information they hold, the agencies warned.

A Government Accountability Office report released last November also warned that schools were increasingly victims of ransomware attacks and urged the Department of Education to update its guidance to schools about digital security risks, which was last issued in 2010. 

There have already been 103 ransomware attacks on educational institutions so far this year, according to data tracked by Liska. That’s still below the 161 tracked in 2022, but it may exceed that figure before the end of the year — especially given seasonal trends. 

Cybercriminals, he said, have learned to time their attacks around when they can cause the most disruption, including at the beginning of semesters and around holidays — including Labor Day. 

These patterns also suggest vigilance is key. 

“We know that these back-to-school ransomware attacks are going to happen. They’re predictable. And that also means they’re preventable,” Brett Callow, threat analyst at Emsisoft, told The Record. “Districts need to up their security game so that compromises can be detected and mitigated before they become full-blown ransomware attacks.”

LAUSD said it is in the process of improving security in response to the attacks, including a forensic review and creating an Independent Information Technology Task Force charged with developing recommendations within 90 days.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Andrea Peterson

Andrea Peterson

(they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.