As students head back to the classroom, the spate of ransomware attacks against schools is continuing. The latest is a strike against a California school district that closed down remote learning for 6,000 elementary school students, according to city officials.
The cyberattack, against the Newhall School District in Valencia, affected all distance learning across 10 different grade schools, Newhall Superintendent Jeff Pelzel told the Los Angeles Times. He said the cybercriminals struck overnight Sunday into Monday morning, and that he noticed something awry after getting consistent error messages when trying to access Outlook and email. Shortly after, it became apparent that the district had been victimized by malware.
Interestingly, there has been no extortion demand yet, Pelzel told the outlet. But meanwhile, Newhall’s servers have been shut down while a forensic investigation plays out, and the kids are back to using pencil and paper to work on take-home assignments.
The news comes as officials issue warnings on increased ransomware attacks in the education sector, largely tied to remote learning and the increased use of technology for instruction – which widens the attack surface. The U.K.’s National Cyber Security Centre (NCSC) for instance flagged an uptick of attacks against grammar schools, colleges and universities in that country, warning that vulnerable remote desktop protocol (RDP), unpatched software and hardware being used by remote learners, and successful phishing emails are all common attack vectors.
Here in the U.S., ransomware has unfortunately become part of the curriculum for some institutions. Over the summer, as they were preparing to welcome students back, four different universities fell victim to the NetWalker ransomware gang, according to tallies from Avira: The University of Utah (which paid almost half a million dollars); Columbia College in Chicago (ransom status unknown); Michigan State University (no ransom paid); and the University of California San Francisco (which paid $1.14 million).
Ransomware operators are targeting colleges and universities because of the sheer value of the information they hold, according to Avira.
“Universities have vast databases on thousands of students and faculty, which can include items of great interest to cybercriminals,” according to a Thursday blog. “This includes personal information like names, birth dates, telephone numbers and email addresses, as well as financial records. But some of the data stored in university databases can be of even more value. Cutting-edge research takes place at universities, and the theft, manipulation or destruction of this data can be enough motivation for hackers.”
Meanwhile, on the K-12 front, the attack on Newhall is hardly unique: Last week, attacks in Hartford, Conn., Fairfax County Va. and Clark County, Nev. (home of Las Vegas) forced public schools to postpone the first day of school. In August, a cyberattack on the Rialto Unified School District in San Bernardino County forced online class suspension. And earlier in July on the Athens school district in Texas led to schools being delayed by a week (and the district paying attackers a $50,000 ransom in exchange for a decryption key).
Fairfax County Public Schools confirmed to ABC7 that the school system is working with the FBI after a ransomware attack.
FCPS is the nation’s 10th largest school system.
— ABC 7 News – WJLA (@ABC7News) September 12, 2020
Security firm Check Point said in a report this week that the U.S. is responsible for the highest increase in education-related attacks globally, including ransomware, DDoS and other campaigns. Between July and August 2020, the average number of weekly attacks per education organization in the U.S. increased by 30 percent, from 468 cyberattacks to 608, when compared to the previous two months. For comparison, cyberattacks against all other sectors increased by only 6.5 percent.
The trend will likely continue as long as distance learning remains the new normal, the firm warned.
“The coronavirus pandemic has been a forcing function for not only remote work, but remote learning,” said Omer Dembinsky, manager of data intelligence at Check Point, via email. “These numbers are staggering, and an ominous trend is clear: Hackers are eyeing students returning to virtual classes as easy targets. These attacks can include malicious phishing emails, “Zoombombs” and even ransomware…I strongly urge students, parents and institutions to be extra careful these next few months, as I believe the attack numbers and methods will only get worse. As remote learning stays, hackers also stay.”