The State of K-12 Ransomware

June 10, 2021

K-12 ransomware attacks are increasing in severity – now is the time to get protected

Doug Levin, National Director of the K12 Security Information Exchange (K12 SIX), has dedicated his career to technology and education. This work produced The K-12 Cybersecurity Resource Center or the K-12 Cyber Incident Map, which launched in 2017.

Cataloging and mapping all publicly-disclosed cyber incidents impacting the education industry, the K-12 Cyber Incident Map is a one-of-its-kind, free resource meant to create awareness around the need for better K-12 cybersecurity and privacy policies.

For the third year in a row, Levin has published his annual State of K-12 Cybersecurity: 2020 Year in Review report. As the only one of its kind, this report helps all of us involved in K-12 cybersecurity to stay up to date with what’s happening around the country.

ManagedMethods has been a proud sponsor of Levin’s annual reports since it’s inception. Over the next few weeks, we will be discussing various areas of the report, and what school administration and IT leaders can be doing to address many of the issues raised.

We will also be hosting a free, live webinar with Doug Levin and two school IT leaders on June 17. I invite you to click here to learn more about the webinar and register to attend and/or receive the free recording afterward here. We’d love to see you there!

Since we’ve been exploring school ransomware over the past several weeks, we figured this topic would be a good place to start.

[FREE] K-12 Cybersecurity & Safety Leadership Panel Discussion. REGISTER TODAY >>

2020 Year in Review: Ransomware in Schools

It should come as no surprise that K-12 ransomware attacks are increasing in number and severity. According to the FBI, K-12 districts are now the targets of 57% of ransomware attacks.

Ransomware is a big problem because of the damage it can do. For example, ransomware incidents have had one or more of the following impacts on schools:

  • Disrupt Learning: Some cyber incidents in the past have closed schools like the attack on the Huntsville City Schools in Alabama. Remote learning had to be shut down for weeks while a solution was found and implemented.
  • Cost Taxpayers Money: Schools end up paying a lot of money that wasn’t in the budget to recover from a ransomware attack. They either have to pay the ransom or hire cybersecurity experts to help them retrieve their data—or, in some cases, both.
  • Threaten Student Safety and Data Privacy: Some hackers merely encrypt a school’s data, making it impossible to access. However, it is becoming more common for them to steal the sensitive information that the school stores and sell it or use it for other forms of fraud, extortion, etc.

2020 Year in Review Ransomware Summary

The State of K-12 Cybersecurity: 2020 Year in Review report shows 50 ransomware attacks on U.S. K-12 schools. In addition, eight districts reported attacks that looked like ransomware, but were never officially confirmed. The K-12 Cyber Incident Map showed that the attacks happened in districts spread over 25 states. The report also pointed out that the attacks reported were more severe in several ways:

  • This was the first year since tracking started where some hackers stole data either before or during the ransomware attack. A total of seven districts had personal information of at least 560,00 students and 56,000 staff exposed.
  • No public reports of school districts paying ransoms were made, but all indicators are that the dollar amount of the ransoms demanded increased, sometimes reaching demands of over $1 million per attack.
  • The need to close schools and cancel classes to respond to a ransomware attack tripled over the prior year. Some closures or cancellations lasted more than a week, and districts report an even longer period for repairing and recovering from ransomware attacks.

School Ransomware in the Cloud

One thing that contributes to the increase in K-12 ransomware attacks is the confusion about what districts need to do to protect themselves. Cloud computing is a perfect example of this.

As more schools use cloud apps, such as Google Workspace, Microsoft 365, and others, the need to secure the communications and data in these apps increase. This was a trend that was beginning long before COVID-19 closed down school buildings, but the lock down certainly turbo-charged it.

Unfortunately, few school districts realize that cloud security protections are needed to protect against a variety of cyber threats and internal exposure, including ransomware. As a result, third-party apps ransomware threats, google cloud ransomware incidents, and other types of cloud ransomware are on the rise.

Further, many IT teams assume that cloud vendors such as Google are protecting their data stored in their apps. This is just one of several cybersecurity myths that are harming schools, students, and security. But, SaaS/cloud vendors operate under a shared responsibility model in their licensing. This means that districts are responsible for protecting access to their data against cybercriminals. And, many districts aren’t prepared to do that.

It’s critical that schools take the threat of ransomware in the cloud seriously. Most schools are focused on protecting their perimeter—namely, their network—from intruders. And you should certainly continue to do so. But, the truth is that your Next-Gen firewall and your web content filter aren’t capable of fullying protecting your district’s cloud domain from ransomware and other types of threats like account takeovers. Why?

On a basic level, once someone is able to breach your perimeter security layer, such as with a compromised or weak password or a click on a phishing link, it is far more difficult to detect unauthorized behavior in the cloud compared to on-prem environments. Because cloud apps, storage, etc. aren’t hosted in your network.

[FREE] K-12 Cybersecurity & Safety Leadership Panel Discussion. REGISTER TODAY >>

There are steps you can take to protect your schools from ransomware attacks, including:

  1. Create and maintain a business continuity plan
  2. Establish regular patching schedules
  3. Update password policies
  4. Use multi-factor authentication
  5. Review user privileges regularly
  6. Audit for legitimacy
  7. Protect critical assets
  8. Segment your network
  9. Leverage antivirus and anti-malware solutions
  10. Promote cybersecurity education

There are also some ransomware early warning signs that your team should be able to monitor for, detect, and remediate quickly—both in the cloud and on-prem. These include:

  1. SPAM and phishing emails
  2. Lateral phishing emails
  3. Repeated suspicious login activities
  4. Illegitimate network scanners
  5. Signs of test attacks
  6. Presence of known hacker tools
  7. Attempts to disable Active Directory and domain controllers
  8. Attempts to corrupt backups and/or disable security software
  9. Encryption of a small number of devices

Education is extremely important. You need to educate yourself on the changing cybersecurity and cyber safety landscape to ensure that your plans keep pace with the latest strategies that hackers use. In addition, your community must be made aware of how essential their role is in keeping everyone safe. With everyone working together, your district has a much better chance of sending the hackers packing.

free-panel-discussion-k12-cybersecurity-safety-leadership-series