Ransomware targeting schools

If you told me 20-plus years ago that technology would make snow days a thing of the past, I would have laughed. Even 5 years ago, I probably would have told you to get out of here.

What a difference a year makes. After the past year-plus of global pandemic, however, I’d be more likely to smile and say some version of “Hell yeah!”

Parents and the general public — including loads of people who can and do work remotely — never really considered the possibility of remote school for kids. Well, no one told that to our microbial friend COVID-19.

In 2020, the COVID pandemic rocked the world, and companies weren’t alone in struggling to figure out ways to get work done remotely. School boards across the world were looking for ways to get kids learning online as quickly as possible. Moving education online for kids in kindergarten through high school was fraught with headaches, mistakes, bugs, and “Can you all mute your mics please?”

As the school year comes to a close, though, we can heave a sigh of relief; the summer of 2021 will return us to some semblance of normalcy, right?

The short answer is no.

The move to e-learning has shifted us away from snow days as a norm, or at least a normal possibility, but it has also opened a can of worms, technologically speaking. Now, cybercriminals are targeting municipalities and school systems. Much like the news of businesses under attack in 2020–21, schools are also facing ransomware attacks.

You might be wondering why a school would be a target.

The reason is quite simple: money. Criminals know that schools are not only necessary to communities, but they’re also easy marks that are likely to pay ransom.

Surveying the parents

We asked parents of K–12 students across the US how they felt their school system was prepared for ransomware and what they would do if their school was hit. (Click here for the full report).

Despite the advice of security experts not to pay ransomware demands, 72% of parents said they’d want their kids’ school to pay the ransom. Sure, there are reasons to pay — after all, I am a parent, not a judge, and I know the pain of having kids at home while working — but we’ve found that a mere 29% of victims, regardless of whether they paid the ransom, were able to unlock their data.

Perhaps most surprising to me was that 55% of the parents we surveyed noted their children’s school system had faced a cyberattack — 22% in the past 2 years. Of that group, only 34% were notified of the attack immediately by their school; 57% heard it first from a different source such as Facebook or the news.

Why not just pay? Well, the situation is complex. For starters, schools’ data is very attractive to cybercriminals. It can contain everything from emergency contacts to birthdays and home addresses, information that can enable identity scams or phishing messages, which in turn lead to more damage. Identity theft, for one example, can take years to unravel, and having a minor involved can significantly slow the process — kids under 18 don’t even tend to appear on credit monitoring sites.

Those data points probably play into parents’ notion that schools should simply pay ransom. In fact, a majority of our survey respondents thought schools should pay an average of approximately $476,000. A minority said they would pay any amount.

What can schools do about ransomware?

• Protect all devices. That means, protect every bit of technology involved with school education, and especially any laptops, desktops, smartphones, and tablets with access to the school network and the Internet.
• Install security solutions to protect e-mail. Protecting electronic communications is vital; educational organizations receive a lot of e-mail, including spam, which can contain not only harmless trash, but also dangerous attachments.

• Provide cybersecurity training. Educating both staff and students about the dangers of cybercrime is vital, as is training them on appropriate behavior and danger response. Lessons range from not plugging in random USB devices to using strong, unique passwords and detecting phishing e-mails.
• Some helpful educational articles include:
  • Smishing vs phishing — and how to stay safe
  • The ransomware saga
  • Should you use that USB key you found?
  • Adaptive cybersecurity training

Sure, students will be heading out soon for summer vacation (if they haven’t already). If your kids are anything like mine, their days will be focused on getting as far away from school as they can, but for school staff, it is time to get to work. The first day of school will be around before we know it.