Dark Reading is part of the Informa Tech Division of Informa PLC


4/13/2020
01:05 PM

Pandemic Could Make Schools Bigger Targets of Ransomware Attacks

Most have had to implement distance learning, making them much more vulnerable, Armor says.

Schools and colleges could become big ransomware targets for attackers looking to exploit the sudden surge in distance learning caused by the COVID-19 pandemic.

Between Jan. 1 and April 8, at least 17 school districts and colleges — comprising 284 entities — were hit by ransomware attacks. That was more than double the total of eight school districts and colleges that were hit in similar attacks during the same period last year, security vendor Armor said in a report this week.

All but one of the attacks happened before individual states began implementing stay-at-home orders in the second half of March. So, at least so far, the attacks have not been pandemic-related. But that could change soon, says Chris Hinkley, head of the Counter Threat Unit (CTU) research team at Armor.

"There is a very strong possibility that the [ransomware] attacks against schools and colleges will increase," Hinkley says.

Attackers know that academic institutions cannot fall back to teaching students in person and therefore are more likely to be pressured into paying a ransom to regain access to their systems. Additionally, IT staff at school districts and colleges are likely going to be overloaded supporting distance-learning measures and are not monitoring their networks as closely as they might have otherwise.

"We do believe that the ransomware threat actors will continue their activity and certainly will not curb it, as this situation gives them an advantage," Hinkley says.

Already this year, educational institutions have been more heavily targeted than organizations in almost any other sector. According to Armor, there have been more attacks on schools and colleges this year than on municipal governments, which were the most heavily targeted entities in 2019. Between Jan. 1, 2019, and this month, a total of 94 school districts comprising some 1,150 schools have been impacted by ransomware attacks.

In several of these incidents, school districts were forced to pull their distance-learning platforms offline following a ransomware attack. As one example, Armor pointed to an incident at Indiana's Penn-Harris-Madison School Corp. in late 2019 that knocked out all internal network systems districtwide. The systems that were impacted in the attack included Canvas, an online platform that students use to access and submit work, and Skyward, a platform for tracking attendance and sharing information with families.

In similar attacks at the Las Cruces Public Schools system in New Mexico and Havre Public Schools in Montana last year, the districts were forced to take their entire networks offline for days following separate ransomware attacks.

In some incidents, school districts have been forced to do the same as a precautionary measure after a ransomware attack. The Nacogdoches Independent School District in Texas, for instance, last year opted to pull the plug on its entire computer network for days to minimize damage after attackers locked down files on some of its PCs.

Slow Recovery
As with organizations in other sectors, the time frame for a school district or college to recover from a ransomware attack has tended to vary depending on the school's data and system backups, as well as the extent of the damage that was done to its network, servers, and devices. "However, overall, we have not seen schools recover quickly" compared to organizations in other industries, Hinkley says.

Of the 17 school districts and colleges that were hit in ransomware attacks this year, only two publicly stated they were not going to pay, Hinkley says. It's unclear whether any of the others paid a ransom to get back access to their systems.

"We do believe the costs for recovery and to resume in a stable, functional state will depend on the reliability and extensiveness of the school's backup system, the breadth of the damage created, and the security protections needed to prevent a similar attack from happening a second time," Hinkley says.

A report by Absolute last year, based on anonymized data from over 3.2 million endpoint devices in schools, found that technology complexity has heightened the risk of data breaches and ransomware attacks at many schools. The security vendor found that over the past few years, many schools have gone from managing a few hundred devices, a handful of apps, and a couple of operating systems to managing hundreds of versions of operating systems, apps, and extensions, and thousands of systems.

"The diversity of device types, operating systems, and applications adds unprecedented complexity to today's digital districts and campuses," Absolute said.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 

Comments
TomBrookes,
User Rank: Strategist
7/15/2020 | 7:26:06 AM
School?
I have been studying remotely for quite some time. If I don't have time to do something with the assignment or don't understand what to do, I first turn to the site, see more, so that they help me understand the materials for the university. This is very convenient, the grades have become very high, so the online training mode is already the best option for me.
tdsan,
User Rank: Ninja
6/12/2020 | 9:50:06 AM
Re: Interesting post

Our students often made attacks on servers with grades and personal data...This factor should be legitimate and free. This is the right way to identify malicious attacks - lafnian1990,

I was not sure if you saw that, but I reiterated that we need to strike a balance between the kids and the admin staff to work together to address some of the issues found on the network, not just malicious attacks, but attacks that were found open from untrained staff members who place IOT devices on the network and don't provide a "secured template" (this is from an admin perspective).

The kids on the other hand (who have been identified as being talented) need to be put in a sandbox (once they have been identified) so they can hack away, I do think learning comes from various sources but I don't think the kids need to be the only source of knowledge when it comes to malicious attacks, there needs to be an oversight group (remote monitoring), proper training, develop a sandbox for testing, educate the students about white-hat processes (provide them with proper guidance), follow system hardening practices (DISA STIGs) and work collaboratively together to identify potential holes.

Now this is the way as a group we need to mitigate attacks from various educational sectors, not just one source but a collective source of thought and guidance.

The Hacker School Experience | WIRED

T
tdsan,
User Rank: Ninja
4/16/2020 | 2:01:13 PM
Interesting post
I think with the schools, it is the administrative staff that does not put emphasis (money) into the schools' IT, education and training. They are more concerned with the bottom-line as opposed to external threats.

For example, a number of applications that I identified still had the admin user name and password, no one took the time to change it and there are a number of applications and devices that are still set to default settings, they just take it out of the box, configure it for the network and attach it for kids to use.

Ransomware Hit Over 1,000 U.S. Schools in 2019

In addition, the kids who are in the schools have been causing some of the attacks because they have found holes or vulnerabilities where they continue to exploit and use for their own purposes.

What needs to happen is that for every device that enters into the school, there needs to be a preconfigured template they use (planning will play a big part) and then deploy the solution without intervention from the admin IT staff (that is usually one person who has been appointed to do the job), provide adequate training to people who have done this before and look into other applications other than Windows (someone said that if the schools would create a team of well trained students to help with the Ransomware issue, they could help the admin staff - a type of project - address the IT needs, empowering the school and the kids as well).

Todd