Ransomware Attacks Force School Districts to Shore Up—or Pay Up

By Leo Doran — January 10, 2017

A big problem was waiting for Matt Jensen, the superintendent of the Bigfork public schools, as he arrived to work on a Monday in November.

His 900-student Montana district was under a cyberattack. A self-replicating computer virus had eaten its way through most of the schools’ servers—including the student-information system—and encrypted huge amounts of data, making it inaccessible to Bigfork employees.

The perpetrators of the breach had also left a disconcerting message for Jensen’s IT director: They were demanding a ransom in exchange for a decryption key that would immediately unlock the data. The alternative to paying up would be to rebuild the district’s data systems from backups or, in a worst-case scenario, from scratch.

Experts have seen a spike in “ransomware” attacks across all sectors of the economy in recent years. Criminals have hit all types of organizations, public and private, including K-12 districts. Multiple strains of the computer virus exist, but most versions of such malware behave much like the type that infected the Bigfork network.

“Ransomware does not discriminate,” said Will Bales, a supervisory special agent in the FBI’s cyber division. “Whether it’s a big school district or a small school district, they have the same possibility of being hit.”

Once the virus has infected a network and scrambled every Word document, spreadsheet, and data file it finds, the people behind the attack will ask for a ransom in bitcoin, an untraceable virtual currency, in return for the decryption key.

But Jensen said he never even considered paying the cybercriminals: “We weren’t going to negotiate with them.”

Even if his district paid the ransom, he said, there would be no iron-clad assurances that the hackers would actually return access to the data. Paying, said Jensen, “would only empower a criminal group.”

‘A Business Decision’

Other ransomware victims haven’t had the luxury of taking Jensen’s hard-line approach. In many cases, the criminals’ ransom request is far smaller than the dollar value of the damage the malware has inflicted.

Some districts have been forced to weigh the ethics of paying a few thousand dollars to untrustworthy and anonymous criminals against surviving for weeks without access to lesson plans, learning software, or student records.

“Paying the ransom was not a philosophical decision, but a business decision,” said Charles Hucks, the executive technology director for South Carolina’s Horry County schools. “What’s it worth per day to not have access for our 43,200 students?”

After his district was critically hit by a ransomware attack last school year, Hucks immediately shut his servers down to stop the spread of the virus. He then urged his bosses, who oversee a half-billion-dollar yearly operating budget, to pay the nearly $10,000 ransom.

Defensive Measures

School districts can take a number of steps to avoid ransomware attacks on their computer systems, including:

• Back up everything, and make sure safeguards are in place so malware cannot easily jump to infect backup systems.

• Make sure network users scrutinize incoming email and report rather than open strange attachments from unsolicited addresses.

• Download software only from secure and trusted sources. Never pirate software from illegal or questionable peer-to-peer websites.

• Have strong access controls. Student accounts shouldn’t have administrative privileges. Internal restrictions on access can prevent a bug from spreading.

• Make sure system updates, including for anti-virus software, are installed regularly.

• Change passwords regularly, and train staff members in best cyberpractices.

• Test your own defenses. Hire a vendor to try to hack the system to find vulnerabilities and address them.

• Have an incident-response plan ready in case something goes wrong.

SOURCES: FBI and BitSight Technologies

Even with the risk that the hackers would take the money and run—Hucks said officials “were horrified” the culprits wouldn’t follow through with a decryption key—the cost and time associated with laboriously rebuilding district networks from compromised backups outweighed all other considerations.

Law-enforcement agencies like the FBI generally discourage hacked organizations from paying ransoms. Special agent Bales agrees with Jensen that doing so only emboldens criminal enterprises.

But in practice, some experts and law-enforcement officials have conceded that acquiescing to the demands can, at times, be in an organization’s best financial interests.

Regardless of whether an organization decides to pay the ransom, Bales and the FBI want to hear from all ransomware victims to gather evidence. Cybercrimes can be reported to the FBI’s local field offices or its website, www.ic3.gov.

In some cases, the FBI or private industry has already found a “key” or antidote to a ransomware strain, and by reporting the attack, organizations have been able to easily recover their files.

But what if a school district, like Horry schools, can’t find a decryption key, and decides to pay the ransom?

“The criminals have an incentive to unlock the data” once they are paid, said Stephen Boyer, a co-founder of BitSight Technologies, a Cambridge, Mass.-based cybersecurity company. The criminals need a track record of victims’ getting their data back, he explained, or new targets will stop paying.

Preventing Future Attacks

That’s not to say that Boyer typically advises his clients to pay the ransom: “That’s a tough question that can only be taken on a case-by-case basis.”

Boyer also cited cases in which a ransom is paid and files are decrypted, but the malware remains in the system, allowing the hackers to come back weeks or months later.

The best defense, Boyer said, is to have strong backups in place, and have outside professionals reset the system and do a full incident report if a district network is compromised.

That was the course of action Jensen used in Montana’s Bigfork district. Bigfork’s network was backed up twice: one set of servers on-site that was compromised in the attack, and another housed by an outside vendor that was spared. It took Jensen’s technology team a week to restore all its systems and ensure the computer systems were clean.

In South Carolina, the hackers of the Horry County district came through with a working decryption key soon after the ransom was paid. Hucks was able to get the “mission critical” functions of his servers—like the district’s student-information system—back up in days.

The ultimate damage to the school system was a two- to three-week disruption and $30,000 from its budget. In addition to the ransom, the district hired cybersecurity consultants to ensure the malware had been expunged and the criminals could not come back through the same weaknesses in the network.

The Horry County attack was widely publicized in the weeks following its resolution, and Hucks was invited to testify before Congress about the ransomware threat.

For both school districts, as is common in such cases, the crimes were reported but the perpetrators went undiscovered. Like other cybercrimes, ransomware attacks can be difficult to trace. They often originate overseas, sometimes in countries that do not have extradition treaties with the United States.

That’s why more districts should be focusing on preventive measures, said Boyer, the cybersecurity expert.

His firm compiled a report that sampled the IT infrastructure of thousands of organizations in the education, government, health-care, energy, retail, and finance sectors to gauge their exposure to ransomware. It found that educational institutions and companies had the highest rate of ransomware infection.

Opportunistic Hackers

Small technology budgets, less emphasis on cybersecurity, and bring-your-own-device policies in schools make it harder to establish uniform firewalls and contribute to the challenges of protecting ed-tech infrastructure, Boyer said.

Bales, of the FBI, agreed that districts have a lot of ground to cover: “Faculty, students, every single person who is connected to a school network is a potential liability.”

Although some of the attacks are targeted, and higher education is more at risk than K-12 systems—universities tend to have larger networks and more financial wherewithal to pay ransom demands—Boyer’s team has found the attacks are usually “more opportunistic than targeted.”

That means that rather than singling out victims, hackers might blast out thousands of emails with compromised links or attachments to thousands of organizations. That process, called “phishing,” allows hackers to prey on groups with the weakest controls and requires only a small proportion of the emails’ recipients to fall for the trap.

For hackers, “even a one percent rate can be very lucrative,” said Boyer.

The relatively small individual ransom payments add up quickly, he explained, and in addition to making it more likely that a targeted group will pay, small sums tend to draw less attention and resources from law enforcement.

The good news for harried school district technology systems chiefs? Reducing risk exposure to ransomware attacks is relatively straightforward. (See box, this page.)

“It’s not cutting-edge,” Boyer said of the standard preventive measures. “If you are doing the basic blocking and tackling of network security, your risk goes way down.”

A version of this article appeared in the January 11, 2017 edition of Education Week as Ransomware Attacks Force School Districts To Shore Up — or Pay Up
