IT Infrastructure & Management

Ransomware Attacks Force School Districts to Shore Up—or Pay Up

By Leo Doran — January 10, 2017 6 min read
BRIC ARCHIVE
  • Save to favorites
  • Print

A big problem was waiting for Matt Jensen, the superintendent of the Bigfork public schools, as he arrived to work on a Monday in November.

His 900-student Montana district was under a cyberattack. A self-replicating computer virus had eaten its way through most of the schools’ servers—including the student-information system—and encrypted huge amounts of data, making it inaccessible to Bigfork employees.

The perpetrators of the breach had also left a disconcerting message for Jensen’s IT director: They were demanding a ransom in exchange for a decryption key that would immediately unlock the data. The alternative to paying up would be to rebuild the district’s data systems from backups or, in a worst-case scenario, from scratch.

Experts have seen a spike in “ransomware” attacks across all sectors of the economy in recent years. Criminals have hit all types of organizations, public and private, including K-12 districts. Multiple strains of the computer virus exist, but most versions of such malware behave much like the type that infected the Bigfork network.

“Ransomware does not discriminate,” said Will Bales, a supervisory special agent in the FBI’s cyber division. “Whether it’s a big school district or a small school district, they have the same possibility of being hit.”

Once the virus has infected a network and scrambled every Word document, spreadsheet, and data file it finds, the people behind the attack will ask for a ransom in bitcoin, an untraceable virtual currency, in return for the decryption key.

But Jensen said he never even considered paying the cybercriminals: “We weren’t going to negotiate with them.”

Even if his district paid the ransom, he said, there would be no iron-clad assurances that the hackers would actually return access to the data. Paying, said Jensen, “would only empower a criminal group.”

‘A Business Decision’

Other ransomware victims haven’t had the luxury of taking Jensen’s hard-line approach. In many cases, the criminals’ ransom request is far smaller than the dollar value of the damage the malware has inflicted.

Some districts have been forced to weigh the ethics of paying a few thousand dollars to untrustworthy and anonymous criminals against surviving for weeks without access to lesson plans, learning software, or student records.

“Paying the ransom was not a philosophical decision, but a business decision,” said Charles Hucks, the executive technology director for South Carolina’s Horry County schools. “What’s it worth per day to not have access for our 43,200 students?”

After his district was critically hit by a ransomware attack last school year, Hucks immediately shut his servers down to stop the spread of the virus. He then urged his bosses, who oversee a half-billion-dollar yearly operating budget, to pay the nearly $10,000 ransom.

Defensive Measures

School districts can take a number of steps to avoid ransomware attacks on their computer systems, including:

• Back up everything, and make sure safeguards are in place so malware cannot easily jump to infect backup systems.

• Make sure network users scrutinize incoming email and report rather than open strange attachments from unsolicited addresses.

• Download software only from secure and trusted sources. Never pirate software from illegal or questionable peer-to-peer websites.

• Have strong access controls. Student accounts shouldn’t have administrative privileges. Internal restrictions on access can prevent a bug from spreading.

• Make sure system updates, including for anti-virus software, are installed regularly.

• Change passwords regularly, and train staff members in best cyberpractices.

• Test your own defenses. Hire a vendor to try to hack the system to find vulnerabilities and address them.

• Have an incident-response plan ready in case something goes wrong.

SOURCES: FBI and BitSight Technologies

Even with the risk that the hackers would take the money and run—Hucks said officials “were horrified” the culprits wouldn’t follow through with a decryption key—the cost and time associated with laboriously rebuilding district networks from compromised backups outweighed all other considerations.

Law-enforcement agencies like the FBI generally discourage hacked organizations from paying ransoms. Special agent Bales agrees with Jensen that doing so only emboldens criminal enterprises.

But in practice, some experts and law-enforcement officials have conceded that acquiescing to the demands can, at times, be in an organization’s best financial interests.

Regardless of whether an organization decides to pay the ransom, Bales and the FBI want to hear from all ransomware victims to gather evidence. Cybercrimes can be reported to the FBI’s local field offices or its website, www.ic3.gov.

In some cases, the FBI or private industry has already found a “key” or antidote to a ransomware strain, and by reporting the attack, organizations have been able to easily recover their files.

But what if a school district, like Horry schools, can’t find a decryption key, and decides to pay the ransom?

“The criminals have an incentive to unlock the data” once they are paid, said Stephen Boyer, a co-founder of BitSight Technologies, a Cambridge, Mass.-based cybersecurity company. The criminals need a track record of victims’ getting their data back, he explained, or new targets will stop paying.

Preventing Future Attacks

That’s not to say that Boyer typically advises his clients to pay the ransom: “That’s a tough question that can only be taken on a case-by-case basis.”

Boyer also cited cases in which a ransom is paid and files are decrypted, but the malware remains in the system, allowing the hackers to come back weeks or months later.

The best defense, Boyer said, is to have strong backups in place, and have outside professionals reset the system and do a full incident report if a district network is compromised.

That was the course of action Jensen used in Montana’s Bigfork district. Bigfork’s network was backed up twice: one set of servers on-site that was compromised in the attack, and another housed by an outside vendor that was spared. It took Jensen’s technology team a week to restore all its systems and ensure the computer systems were clean.

In South Carolina, the hackers of the Horry County district came through with a working decryption key soon after the ransom was paid. Hucks was able to get the “mission critical” functions of his servers—like the district’s student-information system—back up in days.

The ultimate damage to the school system was a two- to three-week disruption and $30,000 from its budget. In addition to the ransom, the district hired cybersecurity consultants to ensure the malware had been expunged and the criminals could not come back through the same weaknesses in the network.

The Horry County attack was widely publicized in the weeks following its resolution, and Hucks was invited to testify before Congress about the ransomware threat.

For both school districts, as is common in such cases, the crimes were reported but the perpetrators went undiscovered. Like other cybercrimes, ransomware attacks can be difficult to trace. They often originate overseas, sometimes in countries that do not have extradition treaties with the United States.

That’s why more districts should be focusing on preventive measures, said Boyer, the cybersecurity expert.

His firm compiled a report that sampled the IT infrastructure of thousands of organizations in the education, government, health-care, energy, retail, and finance sectors to gauge their exposure to ransomware. It found that educational institutions and companies had the highest rate of ransomware infection.

Opportunistic Hackers

Small technology budgets, less emphasis on cybersecurity, and bring-your-own-device policies in schools make it harder to establish uniform firewalls and contribute to the challenges of protecting ed-tech infrastructure, Boyer said.

Bales, of the FBI, agreed that districts have a lot of ground to cover: “Faculty, students, every single person who is connected to a school network is a potential liability.”

Although some of the attacks are targeted, and higher education is more at risk than K-12 systems—universities tend to have larger networks and more financial wherewithal to pay ransom demands—Boyer’s team has found the attacks are usually “more opportunistic than targeted.”

That means that rather than singling out victims, hackers might blast out thousands of emails with compromised links or attachments to thousands of organizations. That process, called “phishing,” allows hackers to prey on groups with the weakest controls and requires only a small proportion of the emails’ recipients to fall for the trap.

For hackers, “even a one percent rate can be very lucrative,” said Boyer.

The relatively small individual ransom payments add up quickly, he explained, and in addition to making it more likely that a targeted group will pay, small sums tend to draw less attention and resources from law enforcement.

The good news for harried school district technology systems chiefs? Reducing risk exposure to ransomware attacks is relatively straightforward. (See box, this page.)

“It’s not cutting-edge,” Boyer said of the standard preventive measures. “If you are doing the basic blocking and tackling of network security, your risk goes way down.”

A version of this article appeared in the January 11, 2017 edition of Education Week as Ransomware Attacks Force School Districts To Shore Up — or Pay Up

Events

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Student Achievement Webinar
Scaling Tutoring through Federal Work Study Partnerships
Want to scale tutoring without overwhelming teachers? Join us for a webinar on using Federal Work-Study (FWS) to connect college students with school-age children.
Content provided by Saga Education
School & District Management Webinar Crafting Outcomes-Based Contracts That Work for Everyone
Discover the power of outcomes-based contracts and how they can drive student achievement.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
School & District Management Webinar
Harnessing AI to Address Chronic Absenteeism in Schools
Learn how AI can help your district improve student attendance and boost academic outcomes.
Content provided by Panorama Education

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

IT Infrastructure & Management Cybersecurity Demands Are Growing. Funding Isn't Keeping Pace
State education leaders worry funding for cybersecurity isn’t enough to cope with the worsening problem of attacks on schools.
2 min read
Dollar Sign Made of Circuit Board on Motherboard and CPU.
iStock/Getty
IT Infrastructure & Management Sizing Up the Risks of Schools' Reliance on the 'Internet of Things'
Technology is now critical to both the learning and business operations of schools.
1 min read
Vector image of an open laptop with octopus tentacles reaching out of the monitor around a triangle icon with an exclamation point in the middle of it.
DigitalVision Vectors
IT Infrastructure & Management How Schools Can Survive a Global Tech Meltdown
The CrowdStrike incident this summer is a cautionary tale for schools.
8 min read
Image of students taking a test.
smolaw11/iStock/Getty
IT Infrastructure & Management What Districts Can Do With All Those Old Chromebooks
The Chromebooks and tablets districts bought en masse early in the pandemic are approaching the end of their useful lives.
3 min read
Art and technology teacher Jenny O'Sullivan, right, shows students a video they made, April 15, 2024, at A.D. Henderson School in Boca Raton, Fla. While many teachers nationally complain their districts dictate textbooks and course work, the South Florida school's administrators allow their staff high levels of classroom creativity...and it works.
Art and technology teacher Jenny O'Sullivan, right, shows students a video they made on April 15, 2024, at A.D. Henderson School in Boca Raton, Fla. After districts equipped every student with a device early in the pandemic, they now face the challenge of recycling or disposing of the technology responsibly.
Wilfredo Lee/AP