
Putting an end to ransomware attacks targeting K-12 school districts

It’s no secret that ransomware is the attack du jour, with more than 1,200 incidents generating nearly $900 million in payments from U.S.-based organizations last year alone. More than an extortion scheme, these attacks disrupted operations and exposed proprietary data that could be exploited or sold on the dark web.

No one, it seems, is safe — especially school districts. According to Sophos, 56% of school districts worldwide suffered a ransomware attack in 2021. These attacks shut down school networks, canceled classes and put the personally identifiable information (PII) of students, their parents, teachers and other employees at risk.

But why school districts? Why are they a tempting target? And why now? Let’s explore.

Why school districts are being targeted

Over the past two years, the average ransomware payment has skyrocketed from $12,000 to $322,000 as targets have shifted from individuals to large organizations with deep pockets, according to the 2022 CyberEdge Cyberthreat Defense Report. Faced with disrupted classes, and perceiving security investment as too costly, many school districts pay the ransom, which funds and encourages the next attack in a self-perpetuating cycle.

Unfortunately, the attack doesn’t always end after the ransom is paid. In addition to demanding a ransom for the key that decrypts the data, ransomware gangs often exfiltrate the data first and threaten to leak it unless the victim pays even more, a tactic known as double extortion. Attackers know that school districts hold data on students, teachers, administrators, employees and even parents, who are required to provide personal information for enrollment and employment, and they know there’s a good chance the district will pay to stop it from leaking. That data is spread across distributed networks on multiple campuses and is accessed by a growing number of endpoints.

The combination of rising payoffs, the potential for a second payout through double extortion and an expanding threat surface is driving the increase in ransomware attacks on K-12 school districts. Considering that school districts have tight security budgets and aren’t as well defended as global companies, it’s no surprise they are increasingly seen as high-value, low-hanging fruit for cybercriminals looking for a quick payday.

Expanding threat surfaces put school districts at risk

The attack surface for K-12 school districts has grown considerably over the past several years. When students were sent home during the pandemic and logged in to learning platforms from personally managed desktops, laptops, tablets and phones, each of those unmanaged devices became a potential entry point into district networks. Students may be back in the classroom today, but school districts have kept that remote-learning infrastructure in place, and the exposure it created remains. Even without remote learning, K-12 education is growing increasingly dependent on the Internet. Students use online articles, journals, web applications and more in their daily lessons, so every classroom has numerous browsers and Internet connections in use, and each open tab is a potential point of entry for a threat actor.

At the same time, many school districts operate on small, tight budgets that limit what they can spend on IT and cybersecurity. Limited security staff, and in many cases legacy technology, make it extremely difficult to harden an expanding perimeter.

Traditional security tools do not protect school districts

Today’s ransomware attacks are sophisticated and evasive, abusing everyday technologies such as JavaScript in the browser and exposed VPN access to gain initial access and then spread laterally through the network. Threat actors are targeting web browsers, the lifeblood of remote productivity, with a category of threats Menlo Security calls Highly Evasive Adaptive Threats (HEAT). HEAT attacks slip past traditional security defenses to deliver ransomware payloads and take advantage of today’s expanded attack surface, turning the browser window itself into a threat vector.

Should school districts pay the ransom to recover their data?

This is a decision that should be made through a planning process well in advance of an actual attack, when it can be weighed without the stress and time pressure of a live incident. The FBI’s official recommendation is not to pay, however tempting, and instead to work to regain control of compromised systems; paying does not guarantee that the decryption key works or that exfiltrated data is actually deleted. Acquiescing to ransom demands also encourages more attacks: if a ransomware gang knows that a district always pays, it will keep coming back.

The cost of recovering lost systems

Even if a school district does not pay the ransom, recovering lost systems remains disruptive and extremely costly. Backups only restore to the point in time when the last one was taken, whether that was minutes or weeks ago, and they are only useful if they were kept out of the attacker’s reach. In addition, backup and recovery do nothing about data that has already been exfiltrated.

How school districts can protect themselves

It’s not all doom and gloom. It’s true that the way threat actors infiltrate networks is changing, but this just means that you need to evolve your thinking about how you secure your networks.

The most important lesson is that responding to a ransomware attack after the fact is too late. Instead, school districts should embrace a preventative approach, using prevention-based technology to stop ransomware before systems are compromised. Internet isolation keeps active web content, such as the JavaScript in a malicious page, from executing on the user’s device, and multi-factor authentication limits what an attacker can do with a stolen password. Above all, it’s important to implement a layered approach to cybersecurity that combines prevention and detection, so you can block initial access and still monitor for suspicious behavior inside the network.
