Threat Intelligence

05:00 PM
Ransomware 'Crisis' in US Schools: More Than 1,000 Hit So Far in 2019

Meanwhile, the mayor of the city of New Orleans says no ransom money demands were made as her city struggles to recover from a major ransomware attack launched last week.

Ransomware attacks have continued pummeling US schools, with 11 new school districts (226 schools) hit since October, while major US cities such as New Orleans and Pensacola gradually recover from attacks this month.

New data due to be published today by security firm Armor shows that a total of 72 US school districts or individual educational institutions have suffered ransomware attacks so far this year, which means the number of victimized schools could be at 1,040 to date. Even more unnerving: 11 of those school districts (some 226 schools) have been attacked just since late October.

Those are only the school districts whose ransomware attacks have gone public, and Armor expects the victim head count to rise. Among the 11 school districts hit most recently, just one, Port Neches-Groves Independent School District in Port Neches, Texas, said it had paid a ransom, but it has not publicly disclosed the amount. Three of the recent victim school districts (Wood County in Parkersburg, West Virginia; Penn-Harris-Madison in Mishawaka, Indiana; and Claremont Unified School District in Claremont, California) announced they have no plans to pay the ransom. The remaining seven districts have not shared their plans publicly.

School systems are just behind municipalities when it comes to ransomware attacks, according to Armor's findings: Cities and municipalities are still the No. 1 victim, with some 82 suffering attacks this year. Healthcare organizations are the third-most hit, with 44 cases this year, and managed service providers and cloud-based providers are next in line, with 18 cases, according to the report.

New Orleans was hit on Friday morning, December 13, by what some security experts say may have been the infamous Ryuk strain of ransomware, which has been on a tear this year. The city took most of its key services offline in response and today was still operating many of them manually while it cleans up and investigates some 4,000 computers. In a local television interview posted today on the City of New Orleans Twitter page, Mayor Latoya Cantrell said there was no "official ask" of ransom and that the city is in recovery mode and had been preparing for such an attack. She said she's not sure whether it's related to the attack that hit the state in July and led Louisiana Gov. John Bel Edwards to declare a state of emergency.

Kim LaGrue, the city's CISO, told news site NOLA.com that the attack appears to have begun with a phishing email. The city's police department is currently unable to run background checks for citizens and for now is documenting law enforcement incidents manually.

Pensacola reportedly faces a $1 million ransom demand, and city officials are investigating how to handle the ransom response, The Associated Press reported. There is no official word from the city yet on the strain of malware involved, but some experts reportedly are pointing to the possibility of Maze ransomware.

"With schools, municipalities, and healthcare, the common threat is a very low tolerance for any kind of downtime," says Chris Hinkley, who heads up Armor's Threat Resistance Unit (TRU) team. "They are all very tech-dependent, and also serve a lot of people, in most cases with taxpayer money. So there's a sense of urgency. ... Attackers have clued into that and it translates into a higher probability of payment."

These organizations also often lack the security resources and funding to build out strong security infrastructures. Attackers are finding them not only easy to dupe into responding to phishing lures but also easy to infect via vulnerable systems that lack sufficient detection and prevention layers. What ends up getting them to cough up ransom in some cases is public pressure to get back up and running quickly.

While attackers targeting a less lucrative organization such as a public entity rather than a corporate one may sound counterintuitive, Hinkley says it actually makes sense when it comes to the probability of a ransom payment. "At the end of the day, these [victims] are going to find the money if it means having their data back or not. You can't teach these kids if you lose funding, and if you can't process taxes or issue driver's licenses, or whatever, you're going to find the money."

And the goal of ransomware, of course, is to get paid and hopefully get rich. "The common threat is how much money can we make in the shortest amount of time" and maximize profits, he says.

Security firm Emsisoft calls this wave of ransomware attacks a "crisis" situation. The security firm posted its own data over the weekend, noting that some 948 government agencies, educational institutions, and healthcare organizations in the US have suffered ransomware attacks this year, resulting in some $7.5 billion in costs. In the education sector, it counted 86 universities, colleges, and school districts affected, or some 1,224 schools. Healthcare was the No. 1 victim in Emsisoft's list, with 759 victims, followed by federal, state, and municipal governments with 103 victim agencies.

Interestingly, Armor's report shows that some school districts now carry cyber insurance policies to help ease the financial burdens of a ransomware attack.

While cyber insurance can provide a cushion for victims, the downside is that it also encourages the attackers who get emboldened by ransom payments, Hinkley notes. "And now they have more funds to go and attack another target," he says.

Emsisoft, in a recent blog post, argues for governments to curb ransom payments. "While a blanket ban may not be practical, government should certainly consider legislating to prevent public agencies paying ransoms when other recovery options are available to them. While this may increase costs initially, it would be less expensive in the longer term," the company, which is based in New Zealand, said in its post. "It seems bizarrely inconsistent that the U.S. government has a no-concessions policy in relation to human ransoms but places no restrictions whatsoever on data ransoms."

John Carlin, chair of Morrison and Foerster's Global Risk and Crisis Management Group, notes that no-pay policies should become standard practice. "It is a difficult decision, but continuing to pay causes the criminal market to surge and will just lead to more attacks," he says. "If that becomes the policy though, we should support state and localities with additional federal funding and assistance to ensure the best protection against ransomware: resilient systems."

He says insurers also could provide incentives for "resilience" to ransomware attacks.

Microsoft, meanwhile, also discourages paying ransom. "The most important thing to note is that paying cybercriminals to get a ransomware decryption key provides no guarantee that your encrypted data will be restored," said Ola Peters, senior cybersecurity consultant with the Microsoft Detection and Response Team, in a new post about ransomware payments.

Schooled by Ransomware
Parkersburg, West Virginia-based Wood County Schools has no plans to pay ransom for an attack that hit the district on November 7, even though it has a cyber insurance policy that could cover some of the costs. Teachers and administrators couldn't access files, voice-over-IP phones were down, and the school's automated door system failed to open and close properly.

In Texas, Port Neches-Groves Independent School District decided to pay an undisclosed ransom to get its files back after a November 12 attack. The district also has cyber insurance. Claremont, California's school district lost its email and Internet services during a November 21 attack that required every computer in the system to be remediated, and it was still without Internet services as of early December.

Ransomware attackers encrypted a server containing sensitive employee information at Maine's School Administrative District #6 in Buxton, and it was unclear whether the attackers also pilfered that information: Social Security numbers, birth dates, mailing addresses, banking information, and income information.

Other recently hit school districts include Livingston New Jersey School District; Sycamore School District 427 in DeKalb, Illinois; Lincoln County in Brookhaven, Mississippi; San Bernardino City Unified School District in San Bernardino, California; and Las Cruces Public Schools in Las Cruces, New Mexico.

School or municipality size doesn't matter to the attackers, who sometimes piggyback off cloud application or service providers they've infiltrated, experts note. "We've seen very big and small cities attacked," Hinkley notes.

The usual best practices for thwarting ransomware include the requisite offline data backups, whitelisting, behavior monitoring, endpoint protection, security awareness training, and establishing an internal culture of security, according to Armor.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
