Rob Cataldo, Managing Director, North America, Kaspersky
As the school year powers on through Omicron this winter, school administrators across the country are also frequently finding themselves battling infections of a different sort. The plague of ransomware attacks on K-12 school districts emerged over the past couple of years and, in spite of some promising recent wins on the law enforcement front, does not appear to be going away any time soon, even as Zoom-powered classrooms have mostly been left behind. One recent attack hit a software vendor used by schools for their websites, affecting around 5,000 of them. Another left about a quarter of all school-aged kids in the state of Arizona with a “cybersecurity snow day.” The public costs of these kinds of incidents can be monumental. But on a personal level, the damage is more difficult to get a handle on.
While ransomware attacks once revolved around the encryption of crucial data, modern attack methods also focus on its theft, and stolen student data may not be getting the attention it deserves. Fear and outrage over school attacks often rightfully focus on the cruelty of going after such a vulnerable and important target, particularly with cash-strapped school districts and taxpayers footing the bill for ransom payments, which have sometimes numbered in the millions of dollars. Somewhat fortunately, however, our latest survey research finds that most of the ransoms are not that big, most often totaling around $100,000 or less. Much less fortunately, the criminals are also making off with something potentially more valuable and personally damaging.
In a survey of parents this school year, nearly 1 in 10 said their child’s school has been hit by a ransomware attack. Among those victims, 61% said their child had personal data stolen as a result, while another 14% didn’t know whether it was or not.
They may find out at some point down the road. In many cases, ransomware attackers have publicly leaked sensitive student data as punishment to the victims when they didn’t pay a ransom, or simply sold it on the dark web. Compromised data often becomes available for sale on underground markets, where a “full pack,” including a person’s driver’s license number, social security number, date of birth, email and phone number can be bought by a low-level criminal for no more than $10 per person. Even if students are too young to have bank accounts or credit cards of their own, those can be fraudulently opened up in their names.
Stolen identities have become so readily available that you don’t need to be a sophisticated hacker to find them. Wholesalers sell and resell personal information on underground sites that function as search engines for relatively unskilled identity thieves.
In addition to credit fraud, subsequent theft of photos, videos or even medical and other personal info can also be used in doxing attacks, which are designed to embarrass the victim with an intentional exposure of private details. It’s been noted that schools can store a wide range of highly sensitive student data, relating to learning disabilities, financial need, immigration status and other family background.
Still, it’s easy to see how longer-term privacy and fraud risks like these can get overshadowed by more immediate concerns. Those so-called “ransomware snow days” actually last an average of 2.3 days, according to the survey of parents, while administrators work to get critical systems back online. Even without paying a large ransom, it’s a huge and sometimes costly inconvenience for the school, while many parents will tell you about the ripple-out disruptions this can cause to their own work schedules.
Schools are also still being hit with other kinds of cyberattacks. An earlier survey last spring found that a whopping 55 percent of parents said they’d experienced cyberattacks on their kids’ schools – not limited to ransomware. The amount of compromised student data from all those attacks is unknown.
A number of efforts to combat the problem are underway. The DOJ launched a ransomware task force last year, and the infrastructure bill passed in November included $2 billion for cybersecurity, including a cyber grant program for local governments. In December, the K-12 Cybersecurity Act was signed into law, directing the Cybersecurity and Infrastructure Security Agency (CISA) to develop official guidelines and training materials.
Schools have been taking steps on their own to install stronger defenses, but federal standards and resources will go a very long way toward improving the situation, as will continued law enforcement efforts by the FBI and its global counterparts.
As always, if a school is hit with any kind of cyberattack, we urge administrators to contact the FBI, and never to pay any ransoms. You can check NoMoreRansom.org for help with remediation and guidance for avoiding further incidents in the future. Some basic steps for administrators include always promptly making software updates, backing up data regularly, and instituting security training for staff. They should emphasize looking out for phishing emails, which are the simple way ransomware most often gets in. With smarter defenses and growing awareness of the issue, we can keep the threat at bay while we hope for safer and healthier days ahead.