Cybersecurity experts say the uptick in ransomware attacks against school districts could be an indirect result of the pandemic: When COVID-19 began spreading widely in the United States, districts shut down school buildings and moved classes online. That move allowed schools to keep students engaged at a time when public health experts said it was unsafe to gather in large groups, but it also gave criminals more avenues to access districts’ networks.
“That’s a very good example of how COVID actually changed the landscape, making the school district become a permanent target for their attacks,” said Jingguo Wang, a professor of information systems at the University of Texas at Arlington’s College of Business.
Wang said preventing ransomware attacks is a large and growing challenge for school districts. Since the pandemic, districts have grown more reliant on their IT infrastructures for nearly everything they do, he said. Students have tablet computers that they use to do their homework online. Teachers no longer give paper handouts. Instead, they send assignments through Google Classroom or some other online platform. Districts often use online tools for teacher training, as well, he said.
But in most districts, security hasn’t kept up with the growing reliance on online tools, Wang said. Unlike better-resourced organizations like banks and for-profit companies, school districts generally can’t afford round-the-clock monitoring of their networks, he said, so criminals may see them as easy targets for an attack.
NORTH TEXAS SCHOOLS CONTEND WITH CYBER CRIME
School districts in the Fort Worth area haven’t escaped the threat of cyber crime. In March 2020, Fort Worth ISD fell victim to a ransomware attack. At the time, district officials said IT staff spotted the breach and isolated it quickly enough that the personal information of students and teachers wasn’t compromised. Still, the attack left teachers without the ability to take attendance online or use online teaching tools.
Although the district didn’t pay ransom, the cost of the attack was high: Over the months that followed, the district spent nearly $100,000 on the recovery from the breach. The following September, the district’s school board voted unanimously to pay $242,000 to the Dallas-based cybersecurity firm MaeTech to help strengthen the district’s systems.
The district was also one of many businesses and other organizations nationwide that were affected by a December 2021 ransomware attack on Kronos, a timekeeping service the district uses to track employees’ working hours and manage payroll.
Fort Worth school officials declined an interview request for this story. In an emailed statement, district spokeswoman Claudia Garibay said cybersecurity is a top priority for the district.
“Unfortunately, ransomware attacks are a continuous moving target,” she said. “The district is diligent with its security measures to ensure sustainability and uptime for systems that serve our students.”
In August, officials in the Mansfield Independent School District announced that attackers had hit the district’s network, taking down systems that were connected to the Internet, including phones, email and the district’s website. Officials initially described the attack as a ransomware incident, but a statement on the district’s website states that “an unauthorized actor” accessed the district’s network, and may have viewed or stolen sensitive records. The statement makes no mention of a system takeover or a demand for ransom. On Tuesday, a district spokeswoman declined to comment on details of the incident beyond the information provided in the statement.
Other North Texas districts say they’re taking the threat of ransomware seriously. Anthony Tosie, a spokesman for the Northwest Independent School District, said district officials don’t discuss their cybersecurity strategy publicly. In an emailed statement, Tosie said the district’s technology staffers stay up to date on potential cybersecurity threats in order to keep the information of students and employees safe.
“Northwest ISD technology leaders closely watch the state of cybersecurity both in the education sector as well as the private sector to stay abreast of potential issues,” he said. “They communicate with peer groups regarding best practices for attacks against school districts and create plans to prevent or mitigate such actions.”
Bryce Nieman, a spokesman for the Keller Independent School District, said the district’s technology department deals with varying degrees of cybersecurity threats daily. Like other districts, Nieman said Keller ISD doesn’t disclose details about its cybersecurity strategy. But keeping digital resources safe is a top priority for the district’s technology department, he said, and the department works constantly to meet or exceed industry standards. That includes conducting periodic reviews of the district’s security posture and adopting any changes necessary to keep pace with current threats, he said.
HACKERS ARE OFTEN WILLING TO NEGOTIATE RANSOMS DOWN
Just as most school districts don’t have the money to pay for high-level cybersecurity, they also don’t often have enough to cover large ransoms. Kay-Yut Chen, a professor of information systems at the University of Texas at Arlington’s College of Business, said hackers generally know that, and are willing to negotiate down their ransom demands.
While hackers may initially demand ransom payments that are well out of the reach of most districts, their cost of doing business is fairly low, Chen said. That leaves them plenty of flexibility to find a price point that districts are able to pay, he said. Although school officials are generally reluctant to spend public money on ransom payments, they often find themselves caught between two unattractive options: paying to have their systems restored, or refusing to pay ransom and paying more to recover from the attack, he said.
Although negotiating a lower ransom payment can be a more appealing option, it, too, comes with its problems: By paying any amount to have their systems restored, districts create incentives for hackers to continue attacking educational institutions, Chen said.
Chen and Wang published a study last year looking at what leads businesses to decide to pay ransom or not. They found that normative appeals — social messages saying that businesses shouldn’t pay hackers — could help nudge business leaders to invest in cybersecurity and refuse ransom demands.
That’s important, Chen said, because if policymakers could persuade business leaders and other organizations not to pay ransom, then hackers would have no incentive to continue ransomware attacks.
“If nobody ever paid ransom, then ransomware would go away,” Chen said. “Now, it doesn’t mean that they won’t do other bad things, like steal your data and so on, but at least ransomware would go away.”
That strategy — directly contacting the people whose data the hackers have stolen — is called multi-extortion, said Ryan Olson, the vice president of threat intelligence for the security firm Palo Alto Networks. It isn’t a common tactic, Olson said, but it’s one that hacker groups sometimes try if their target is unwilling to pay. It puts more pressure on the institutions by adding chaos to the situation, he said: Not only do they have to deal with their networks being taken offline, they also have to field hundreds or even thousands of inquiries from worried students and parents.
The main thing that schools and other organizations can do to avoid falling victim to a ransomware attack is to make sure that all of their systems that are exposed to the Internet are as protected as possible, Olson said. That means installing patches to cover any vulnerabilities as soon as they emerge, he said. When those vulnerabilities emerge and are publicized, hackers can scan the entire Internet and quickly gain a foothold in as many systems as they want, he said.
“They will be exploited by all types of threat actors, but definitely ransomware actors, within minutes or hours,” he said. “And if you are not on top of patching those, you are low-hanging fruit.”
Besides defending their systems, Olson said districts should also plan for how to handle a scenario where the networks are taken over. In that situation, there will be dozens of questions that district officials need to figure out the answers to, including whether they’ll pay ransom, and if so, how they would do it. Running a tabletop exercise that includes district IT staff, executives and legal advisers can help the district figure out the answers to those questions in advance, he said.
When a school district or other organization is attacked, they’re generally better off seeking help from a security firm to handle the negotiation, Olson said. His firm has handled thousands of ransomware cases, he said, and its negotiators know the right questions to ask. They also know how to spot when attackers are exaggerating about the importance of what they’ve stolen — “sometimes, they’ll lie. They’re not good guys,” he said.
After the fact, it’s important that districts close any vulnerabilities that let the attackers into the networks in the first place, he said. Often, that also means contracting with an outside firm with more expertise than the district’s IT department has, he said. It’s important that they do it thoroughly and quickly, he said, or they could find themselves in the same position a year or even a month later.
“There’s no reason that another ransomware actor couldn’t just walk in the same door,” he said. “So you’ve got to close those holes that allowed them to get into the network.”
©2023 Fort Worth Star-Telegram. Distributed by Tribune Content Agency, LLC.
