
Threat Intelligence

12/16/2019
05:00 PM

Ransomware 'Crisis' in US Schools: More Than 1,000 Hit So Far in 2019

Meanwhile, the mayor of the city of New Orleans says no ransom money demands were made as her city struggles to recover from a major ransomware attack launched last week.

Ransomware attacks have continued pummeling US schools, with 11 new school districts (226 schools) hit since October, while major US cities such as New Orleans and Pensacola gradually recover from attacks this month.

New data due to be published today by security firm Armor shows that a total of 72 US school districts or individual educational institutions have suffered ransomware attacks so far this year, which means the number of victimized schools could be at 1,040 to date. Even more unnerving: 11 of those school districts, some 226 schools, have been attacked just since late October.

Those are only the school districts whose ransomware attacks have gone public, and Armor expects the victim head count to rise. Among the 11 school districts hit most recently, just one, Port Neches-Groves Independent School District in Port Neches, Texas, said it had paid a ransom, but it has not publicly disclosed the amount. Three of the recent victim school districts (Wood County in Parkersburg, West Virginia; Penn-Harris-Madison in Mishawaka, Indiana; and Claremont Unified School District in Claremont, California) announced they have no plans to pay the ransom. The remaining seven districts have not shared their plans publicly.

School systems are just behind municipalities when it comes to ransomware attacks, according to Armor's findings: Cities and municipalities are still the No. 1 victim, with some 82 suffering attacks this year. Healthcare organizations are the third-most hit, with 44 cases this year, and managed service providers and cloud-based providers are next in line, with 18 cases, according to the report.

New Orleans was hit on Friday morning, December 13, by what some security experts say may have been the infamous Ryuk strain of ransomware, which has been on a tear this year. Today the city was still operating many of its services manually after taking most of its key services offline, and it has been cleaning up and investigating some 4,000 computers in its response to the attack. In a local television interview posted today on the City of New Orleans Twitter page, Mayor Latoya Cantrell said there was no "official ask" of ransom, that the city is in recovery mode, and that it had been preparing for such an attack. She said she's not sure whether it's related to the attack that hit the state in July and led Louisiana Gov. John Bel Edwards to declare a state of emergency.

Kim LaGrue, the city's CISO, told news site NOLA.com that the attack appears to have begun with a phishing email. The city's police department is currently unable to run background checks for citizens and for now is documenting law enforcement incidents manually.

Pensacola reportedly faces a $1 million ransom demand, and city officials are investigating how to handle the ransom response, The Associated Press reported. There is no official word from the city yet on the strain of malware involved, but some experts reportedly are pointing to the possibility of Maze ransomware.

"With schools, municipalities, and healthcare, the common threat is a very low tolerance for any kind of downtime," says Chris Hinkley, who heads up Armor's Threat Resistance Unit (TRU) team. "They are all very tech-dependent, and also serve a lot of people, in most cases with taxpayer money. So there's a sense of urgency. ... Attackers have clued into that and it translates into a higher probability of payment."

These organizations also often lack the security resources and funding to build out strong security infrastructures. Attackers are finding them not only easy to dupe into responding to phishing lures but also easy to infect via vulnerable systems that lack sufficient detection and prevention layers. What ends up getting them to cough up ransom in some cases is public pressure to get back up and running quickly.

While attackers targeting a less lucrative organization such as a public entity rather than a corporate one may sound counterintuitive, Hinkley says it actually makes sense when it comes to the probability of a ransom payment. "At the end of the day, these [victims] are going to find the money if it means having their data back or not. You can't teach these kids if you lose funding, and if you can't process taxes or issue driver's licenses, or whatever, you're going to find the money."

And the goal of ransomware, of course, is to get paid and hopefully get rich. "The common threat is how much money can we make in the shortest amount of time" and maximize profits, he says.

Security firm Emsisoft calls this wave of ransomware attacks a "crisis" situation. The security firm posted its own data over the weekend, noting that some 948 government agencies, educational institutions, and healthcare organizations in the US have suffered ransomware attacks this year, resulting in some $7.5 billion in costs. In the education sector, it counted 86 universities, colleges, and school districts affected, or some 1,224 schools. Healthcare was the No. 1 victim in Emsisoft's list, with 759 victims, followed by federal, state, and municipal governments with 103 victim agencies.

Interestingly, Armor's report shows that some school districts now carry cyber insurance policies to help ease the financial burdens of a ransomware attack.

While cyber insurance can provide a cushion for victims, the downside is that it also encourages attackers, who are emboldened by ransom payments, Hinkley notes. "And now they have more funds to go and attack another target," he says.

Emsisoft, in a recent blog post, argues for governments to curb ransom payments. "While a blanket ban may not be practical, government should certainly consider legislating to prevent public agencies paying ransoms when other recovery options are available to them. While this may increase costs initially, it would be less expensive in the longer term," the company, which is based in New Zealand, said in its post. "It seems bizarrely inconsistent that the U.S. government has a no-concessions policy in relation to human ransoms but places no restrictions whatsoever on data ransoms."

John Carlin, chair of Morrison and Foerster's Global Risk and Crisis Management Group, says no-pay policies should become standard practice. "It is a difficult decision, but continuing to pay causes the criminal market to surge and will just lead to more attacks," he says. "If that becomes the policy though, we should support state and localities with additional federal funding and assistance to ensure the best protection against ransomware: resilient systems."

He says insurers also could provide incentives for "resilience" to ransomware attacks.

Microsoft, meanwhile, also discourages paying ransom. "The most important thing to note is that paying cybercriminals to get a ransomware decryption key provides no guarantee that your encrypted data will be restored," said Ola Peters, senior cybersecurity consultant with the Microsoft Detection and Response Team, in a new post about ransomware payments.

Schooled by Ransomware
Parkersburg, West Virginia-based Wood County Schools has no plans to pay ransom for an attack that hit the district on November 7, even though it has a cyber insurance policy that could cover some of the costs. Teachers and administrators couldn't access files, voice-over-IP phones were down, and the district's automated door system failed to open and close properly.

In Texas, Port Neches-Groves Independent School District decided to pay an undisclosed ransom to get its files back after a November 12 attack. The district also has cyber insurance. Claremont, California's school district lost its email and Internet services during a November 21 attack that required every computer in the system to be remediated, and it was still without Internet services as of early December.

Ransomware attackers encrypted a server containing sensitive employee information at Maine's School Administrative District #6 in Buxton, and it was unclear whether the attackers also pilfered the information: Social Security numbers, birth dates, mailing addresses, banking information, and income information.

Other recently hit school districts include Livingston New Jersey School District; Sycamore School District 427 in DeKalb, Illinois; Lincoln County in Brookhaven, Mississippi; San Bernardino City Unified School District in San Bernardino, California; and Las Cruces Public Schools in Las Cruces, New Mexico.

School or municipality size doesn't matter to the attackers, who sometimes piggyback off cloud application or service providers they have infiltrated, experts note. "We've seen very big and small cities attacked," Hinkley notes.

The usual best practices for thwarting ransomware include the requisite offline data backups, application whitelisting, behavior monitoring, endpoint protection, security awareness training, and establishing an internal culture of security, according to Armor.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.