1.844.825.8389
Contact Us

The increase
in school
ransomware
attacks

Author: A. J. O'Connell

School cyber attacks are on the rise worldwide, perhaps exacerbated by a pandemic that forced schools worldwide to pivot and utilize more digital resources. Just one 2022 attack was responsible for the websites of 5,000 schools, mostly in the U.S., going offline. Verizon's 2022 Data Breach Report (DBIR) found ransomware attacks accounted for over 30% of breaches in the education sector. The Cybersecurity and Infrastructure Security Agency even issued a special alert on threats against schools resulting in disruptions and data theft.

It is actually difficult to know exactly how many school ransomware attacks actually occur in a given year, since schools are not required to report cyber attacks, even to the families of students. As a result, the nonprofit K12 Security Information Exchange (K12 SIX) documented only 62 publicly disclosed ransomware attacks on K-12 schools in the U.S. in 2021, though there may be a number of other incidents that were not publicly reported.

Cyber attacks on schools are costly. They can force schools to close for days while the threat is dealt with and could lead to sensitive data being accessed by criminals.

Why do school ransomware attacks happen so often?

One of the reasons threat actors attack schools—particularly public school districts—is because they are working with limited budgets and often lack the resources or personnel to detect or respond to attacks quickly or adequately. Local school districts can sometimes be behind the curve when it comes to technology. For example, last November, the Government Accountability Office warned the U.S. Department of Education that its plan for addressing risks in school is years out of date and needs to be updated to include current cyber threats and more specific guidance around cyber security.

To add to the burden on school IT departments, school networks can be accessed by a large number of devices, some of which go home with students or are used for remote learning. At least one percent of attacks on schools are perpetrated for "fun." Think: students attacking their own school for kicks, such as one student's Rickroll of an entire school district in 2021.

There's another reason criminals are targeting schools: the bottom line. Take the Judson Independent School District in Bexar County, Texas. The district paid cyber criminals $547,000 last August after it was the victim of a school ransomware attack. Schools are often under considerable political pressure to remain open and typically have limited options for data recovery, so they are seen as being more willing to pay.

How ransomware is used against schools in 2022

The other major reason why school ransomware attacks can be so effective for the attackers: student information. This information, which schools take pains to keep private, has caused hackers to change their tactics in a few key ways.

"I'm telling your parents"

In a classic ransomware attack, attackers target an organization, tricking someone into opening a malicious email attachment or website through an email phishing campaign. According to the DBIR, ransomware is most often transmitted through desktop sharing or email. The ransomware then locks the organization out of their systems, threatening to either not return the data or publish it online if the organization doesn't pay a ransom, usually in cryptocurrency.

Generally, these demands are made against the organization, but a school ransomware attack offers the hacker another attractive target: parents. Criminals have recently started using stolen data to find and contact parents of children in the school district by phone or email. If the school or district doesn't pay up, the ransomware gang will release information about the student on the dark web. It's more than just a threat; reports find the dark web is full of the personal details of schoolchildren, mostly obtained through ransomware attacks. Some attackers even post student information on their websites.

Double and triple extortion

Discontent with one payday, criminals have started trying to get two payments from schools—or sometimes even three, according to K12 SIX.

Double extortion happens when criminals steal a school's data before the malware encrypts the data. They then ask for one ransom for the decryption key and one ransom to ensure that they delete the victim's data. Of course, that confirmation is verbal, so the schools just have to take the criminals' word for it.

Triple extortion happens when the attackers use the information they've gotten from the school in an attempt to extort students' families; the new ransomware op ALPHV/BlackCat is known for triple extortion using DDoS attacks.

How can schools protect students and data?

With all this going on, it's understandable that schools are looking for ways to protect data against attack. For schools with a limited budget, one of the best ways to resist a school ransomware attack is education. The DBIR reports that about half the attacks on schools involve social engineering. Thus, staff should be made aware of phishing tactics and shown how to spot a suspicious message. Students should be taught good cyber hygiene as well.

Two-factor authentication is another important measure that can cut down on malware attacks, including ransomware. If a phishing attack does succeed and credentials are exposed, using more than one method of authentication can protect a system from an attack.

Attackers can also take advantage of unpatched vulnerabilities in widely used applications. Ensuring the latest patches are deployed should be a priority for K-12 IT departments.

Lastly, districts should be backing up data regularly. While schools may not be able to control the actions of criminals after data is stolen, backups can at least ensure that no data is lost. To learn more about cyber threats to schools, explore Verizon’s 2022 Data Breach Investigations Report.

The author of this content is a paid contributor for Verizon.