
Schools in Maine, Indiana and Georgia contend with ransomware attacks

Colleges and K-12 schools in several states are dealing with ransomware incidents causing outages and leaking sensitive data — a continuation of a trend that has affected campuses nationwide throughout the year.

Henry County Schools, a district an hour from Atlanta with dozens of elementary, middle and high schools and more than 44,000 students, told Recorded Future News that it discovered suspicious activity impacting its network operations during the first week of November.

“With the assistance of law enforcement, emergency management, and third-party cybersecurity specialists, we determined that an unauthorized user had gained access to a certain environment on our network,” they said.

A spokesperson shared a link to a county landing page where Superintendent Mary Elizabeth Davis has been providing frequent updates since November 9.

In the latest update posted last Thursday, Davis said the county is still coordinating with the FBI, the Department of Homeland Security and the Georgia Emergency Management Agency.

Davis confirmed the incident involved ransomware and said the hackers did not breach several important student and employee systems, only accessing a “file storage area containing mostly historical procedural documents.”

“I also want to give you an update on the second objective, which has been to securely reconstruct our large and expansive network in order to methodically reintroduce services and applications to our nearly 44,000 students and 6000 employees,” she said, adding that grade reporting tools and planning resources were restored.

End of semester testing resumed with minor changes and students were able to access Chromebooks for the first time in days last week.

On Tuesday, the BlackSuit ransomware gang posted the school to its leak site. The group is alleged to be a rebrand of the Royal ransomware gang, which caused severe damage to the city of Dallas during an attack this summer.

Holiday surge

Ransomware gangs have stepped up their attacks on K-12 schools and colleges as the holiday season approaches. A local news outlet in Bangor, Maine reported on Tuesday that Hermon School Department was also attacked by ransomware actors in early November.

The school is unsure of what data was accessed but said it declined to pay a ransom.

Cybersecurity experts at the Maine Department of Public Safety’s Information Analysis Center allegedly told administrators they were running “outdated Windows 2012” and a “vulnerable instance” of Apache ActiveMQ.

CISA added the vulnerability to its catalog of known exploited bugs last Thursday evening, giving federal civilian agencies until November 23 to address the issue.

Incident responders at the cybersecurity company Rapid7 warned of hackers connected to HelloKitty ransomware exploiting the vulnerability — classified as CVE-2023-46604.

In addition to K-12 attacks, colleges continue to face barrages of attacks that often take months to fully identify.

Taylor University warned students, alumni and employees this week of a ransomware attack that took place in May.

The private evangelical Christian university in Upland, Indiana serves about 2,200 students and sent out breach notification letters this week stating that it discovered a “sophisticated cyberattack” on May 18.

An investigation completed on November 16 found that files were accessed from February 26 to May 18. The data included personal information, financial account numbers and card numbers, including PIN numbers.

Allan Liska, a threat intelligence analyst at Recorded Future, said overall he has tracked 246 ransomware attacks on K-12 schools, colleges and universities in 2023, up from 189 attacks last year. The Record is an editorially independent unit of Recorded Future.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.