Ransomware is going back to school in 2020 and it’s sporting a bit of a new look. Learning environments worldwide have gotten a makeover. Face coverings and temperature checks are de rigueur in classrooms. Kids learning online are outfitted with Chromebooks or tablets and headphones. Meanwhile, hackers are adapting and learning too. They’re ready for a new year with standard ransomware and it’s new BFF, ransomware 2.0, and they won’t be late for class.
First Day Woes
School administrators have enough to worry about with huge numbers of kids starting the year in virtual classrooms. Technology distribution and teacher training has been crammed into a tiny timeframe. School system IT departments are taking on substantially more work, under more public scrutiny than ever before. They have little financial or mental budget for security on top of the massive task of managing and maintaining new infrastructure.
Sadly, several large districts have already had their first day of school interrupted by hackers. Hartford, Connecticut, schools announced a first day delay due to ransomware on September 8. 200 of their 300 servers were compromised. School officials noted, in particular, that systems used to communicate bus transportation routes had been impacted.
On the other side of the country, Clark County (Las Vegas) schools were exposed to ransomware that compromised current and former teachers’ personal information, including Social Security numbers. This is a massive district serving 320,000 students and employing nearly 20,000 staff. Their investigation is ongoing.
The Athens School District in east Texas paid $50,000 for a decryption key in late July. Years of student data including grades and other records were compromised. The district called the payment “distasteful” but preferred making payment to delaying the start of school by weeks or even months. Athens’ superintendent said that their IT department “could not have done more” to prevent the attack. She noted that all of their servers and multiple backups were encrypted in the event.
Cyber Attacks: The New “Snow Day”
With so many kids learning from the physical safety of home, the “snow day” call may be on a temporary hiatus. But expect its replacement—the “cyber attack day”—to muck up learning plans across the country.
Public K – 12 education facilities in the U.S. experienced 348 cybersecurity incidents in 2019. With the surge in technology used for remote learning in 2020, schools are more vulnerable than ever before. Most security experts believe that the early success of ransomware attacks this school year means many more are coming.
The software and applications that schools use for remote learning are also at risk for compromise. Zoom presents a lovely big target for hackers. And other critical, daily use apps like Schoology, Classlink, and Edgenuity are pretty appealing as well. In many systems, a lack of access to one of these platforms due to DDoS or other attacks mean school is O-U-T.
Ransomware 2.0 = Ransomware The New Class?
More and more hackers are lining their pockets with a more sophisticated version of ransomware that more consistently guarantees a financial return. Fortunately, not many schools have been pinched by ransomware 2.0. But their valuable PII makes them a rich potential target.
So what’s the difference between original ransoms and the new class?
“Regular” ransomware encrypts data and demands money to release it back to you. If you don’t engage, then you rarely hear from the attacker again. Unless you have a recent backup, your data is gone. The loss is painful, but your troubles end with a big recovery project.
Ransomware 2.0 is more determined to get a return for its efforts. As with original ransomware, the hackers take your data, encrypt it, and demand a ransom to decrypt it. The new “feature” is that they also demand a second payment to not post the data in a public forum. The doubling down of threat makes it even harder to walk away from a ransom, at enormous cost to organizations that can rarely afford to pay it.
Security Awareness Training for Kids?
School systems need to invest time in having “the talk” with kids if they’re learning virtually (or even if they’re just using a device occasionally in the classroom). And parents and teachers need to be ready to reinforce the lesson.
Children as young as Kindergarten have their own Google accounts issued by their school system. Their precious PII is stored along with their grades, disciplinary records, and medical histories on school servers. Whether they access these systems or not, their information is online and at risk to some degree.
Training up cyber-aware kids means learning about suspicious messages and links from an early age. “Bad people” on the internet aren’t just the boogeymen that threaten emotional or physical harm. “Bad people” might “just” want your Social Security number or your mom’s credit card info. They rarely approach you directly, but play tricks with your messaging and learning apps. It’s a hard concept to convey and yet another challenge school systems must face in a deeply challenging environment.
Silver Linings for 2020?
While 2020 continues to be “the worst” in so many ways, maybe all these hiccups with the start of school come with a silver lining. It’s never been more obvious—painfully, painfully obvious—that schools need bigger technology budgets, more IT and cybersecurity staff, and better training.
It’s inevitable that our current crash course in virtual school will lead to instructional modality shifts even after it’s safe to be in a classroom side-by-side. The need for better protections against hackers will continue to grow, and, hopefully, school budget makers will not ignore it.