Ransomware Attacks Force School Districts to Shore Up—or Pay Up

By Leo Doran — January 10, 2017

A big problem was waiting for Matt Jensen, the superintendent of the Bigfork public schools, as he arrived to work on a Monday in November.

His 900-student Montana district was under a cyberattack. A self-replicating computer virus had eaten its way through most of the schools’ servers—including the student-information system—and encrypted huge amounts of data, making it inaccessible to Bigfork employees.

The perpetrators of the breach had also left a disconcerting message for Jensen’s IT director: They were demanding a ransom in exchange for a decryption key that would immediately unlock the data. The alternative to paying up would be to rebuild the district’s data systems from backups or, in a worst-case scenario, from scratch.

Experts have seen a spike in “ransomware” attacks across all sectors of the economy in recent years. Criminals have hit all types of organizations, public and private, including K-12 districts. Multiple strains of the computer virus exist, but most versions of such malware behave much like the type that infected the Bigfork network.

“Ransomware does not discriminate,” said Will Bales, a supervisory special agent in the FBI’s cyber division. “Whether it’s a big school district or a small school district, they have the same possibility of being hit.”

Once the virus has infected a network and scrambled every Word document, spreadsheet, and data file it finds, the people behind the attack will ask for a ransom in bitcoin, an untraceable virtual currency, in return for the decryption key.

But Jensen said he never even considered paying the cybercriminals: “We weren’t going to negotiate with them.”

Even if his district paid the ransom, he said, there would be no iron-clad assurances that the hackers would actually return access to the data. Paying, said Jensen, “would only empower a criminal group.”

‘A Business Decision’

Other ransomware victims haven’t had the luxury of taking Jensen’s hard-line approach. In many cases, the criminals’ ransom request is far smaller than the dollar value of the damage the malware has inflicted.

Some districts have been forced to weigh the ethics of paying a few thousand dollars to untrustworthy and anonymous criminals against surviving for weeks without access to lesson plans, learning software, or student records.

“Paying the ransom was not a philosophical decision, but a business decision,” said Charles Hucks, the executive technology director for South Carolina’s Horry County schools. “What’s it worth per day to not have access for our 43,200 students?”

After his district was critically hit by a ransomware attack last school year, Hucks immediately shut his servers down to stop the spread of the virus. He then urged his bosses, who oversee a half-billion-dollar yearly operating budget, to pay the nearly $10,000 ransom.

Defensive Measures

School districts can take a number of steps to avoid ransomware attacks on their computer systems, including:

• Back up everything, and make sure safeguards are in place so malware cannot easily jump to infect backup systems.

• Make sure network users scrutinize incoming email and report rather than open strange attachments from unsolicited addresses.

• Download software only from secure and trusted sources. Never pirate software from illegal or questionable peer-to-peer websites.

• Have strong access controls. Student accounts shouldn’t have administrative privileges. Internal restrictions on access can prevent a bug from spreading.

• Make sure system updates, including for anti-virus software, are installed regularly.

• Change passwords regularly, and train staff members in best cyberpractices.

• Test your own defenses. Hire a vendor to try to hack the system to find vulnerabilities and address them.

• Have an incident-response plan ready in case something goes wrong.

SOURCES: FBI and BitSight Technologies

Even with the risk that the hackers would take the money and run—Hucks said officials “were horrified” at the thought that the culprits wouldn’t follow through with a decryption key—the cost and time associated with laboriously rebuilding district networks from compromised backups outweighed all other considerations.

Law-enforcement agencies like the FBI generally discourage hacked organizations from paying ransoms. Special agent Bales agrees with Jensen that doing so only emboldens criminal enterprises.

But in practice, some experts and law-enforcement officials have conceded that acquiescing to the demands can, at times, be in an organization’s best financial interests.

Regardless of whether an organization decides to pay the ransom, Bales and the FBI want to hear from all ransomware victims to gather evidence. Cybercrimes can be reported to the FBI’s local field offices or its website, www.ic3.gov.

In some cases, the FBI or private industry has already found a “key” or antidote to a ransomware strain, and by reporting the attack, organizations have been able to easily recover their files.

But what if a school district, like Horry schools, can’t find a decryption key, and decides to pay the ransom?

“The criminals have an incentive to unlock the data” once they are paid, said Stephen Boyer, a co-founder of BitSight Technologies, a Cambridge, Mass.-based cybersecurity company. The criminals need a track record of victims’ getting their data back, he explained, or new targets will stop paying.

Preventing Future Attacks

That’s not to say that Boyer typically advises his clients to pay the ransom: “That’s a tough question that can only be taken on a case-by-case basis.”

Boyer also cited cases in which a ransom is paid and files are decrypted, but the malware remains in the system, allowing the hackers to come back weeks or months later.

The best defense, Boyer said, is to have strong backups in place, and have outside professionals reset the system and do a full incident report if a district network is compromised.

That was the course of action Jensen used in Montana’s Bigfork district. Bigfork’s network was backed up twice: one set of servers on-site that was compromised in the attack, and another housed by an outside vendor that was spared. It took Jensen’s technology team a week to restore all its systems and ensure the computer systems were clean.

In South Carolina, the hackers of the Horry County district came through with a working decryption key soon after the ransom was paid. Hucks was able to get the “mission critical” functions of his servers—like the district’s student-information system—back up in days.

The ultimate damage to the school system was a two- to three-week disruption and $30,000 from its budget. In addition to the ransom, the district hired cybersecurity consultants to ensure the malware had been expunged and the criminals could not come back through the same weaknesses in the network.

The Horry County attack was widely publicized in the weeks following its resolution, and Hucks was invited to testify before Congress about the ransomware threat.

For both school districts, as is common in such cases, the crimes were reported but the perpetrators went undiscovered. Like other cybercrimes, ransomware attacks can be difficult to trace. They often originate overseas, sometimes in countries that do not have extradition treaties with the United States.

That’s why more districts should be focusing on preventive measures, said Boyer, the cybersecurity expert.

His firm compiled a report that sampled the IT infrastructure of thousands of organizations in the education, government, health-care, energy, retail, and finance sectors to gauge their exposure to ransomware. It found that educational institutions and companies had the highest rate of ransomware infection.

Opportunistic Hackers

Small technology budgets, less emphasis on cybersecurity, and bring-your-own-device policies in schools make it harder to establish uniform firewalls and contribute to the challenges of protecting ed-tech infrastructure, Boyer said.

Bales, of the FBI, agreed that districts have a lot of ground to cover: “Faculty, students, every single person who is connected to a school network is a potential liability.”

Although some of the attacks are targeted, and higher education is more at risk than K-12 systems—universities tend to have larger networks and more financial wherewithal to pay ransom demands—Boyer’s team has found the attacks are usually “more opportunistic than targeted.”

That means that rather than singling out victims, hackers might blast out thousands of emails with compromised links or attachments to thousands of organizations. That process, called “phishing,” allows hackers to prey on groups with the weakest controls and requires only a small proportion of the emails’ recipients to fall for the trap.

For hackers, “even a one percent rate can be very lucrative,” said Boyer.

The relatively small individual ransom payments add up quickly, he explained, and in addition to making it more likely that a targeted group will pay, small sums tend to draw less attention and resources from law enforcement.

The good news for harried school district technology chiefs? Reducing risk exposure to ransomware attacks is relatively straightforward. (See the “Defensive Measures” box above.)

“It’s not cutting-edge,” Boyer said of the standard preventive measures. “If you are doing the basic blocking and tackling of network security, your risk goes way down.”

A version of this article appeared in the January 11, 2017 edition of Education Week as Ransomware Attacks Force School Districts To Shore Up — or Pay Up
