With Distance Learning as the New Norm Due to Coronavirus, What Happens Now if Schools Get Hit by Ransomware?

Armor, a global cybersecurity software provider, has identified 17 new U.S. school districts and colleges, comprising 284 schools, that were hit by ransomware between Jan. 1 and April 8, 2020 (see Appendix A for the list of school districts and colleges). By contrast, only eight school districts and colleges were compromised by ransomware during the same time period in 2019.

For a longer time period, from Jan. 1, 2019 to April 8, 2020, Armor has identified 94 school districts and colleges that have publicly reported being a victim of ransomware. These attacks have potentially impacted 1,150 US schools nationwide.

Of the 17 schools hit in this year’s attacks, 15 have not disclosed whether or not they agreed to pay the ransom, and two have reported that they refused to pay—the Fort Worth Independent School District in Fort Worth, Texas, and the Crystal Lake Community High School District in Crystal Lake, Illinois. Only four of the schools reported the type of ransomware that was used to attack them. The malware used included Sodin, Ryuk and Maze.

Schools are not the only organizations being targeted by ransomware threat actors in 2020. There were 54 organizations that publicly reported attacks from the first of the year through April 8, 2020. School districts and colleges currently lead the victim list with 17, followed by municipalities with 15, healthcare organizations at six, and Managed Service Providers (MSPs) and/or Cloud-Based Service Providers with three.

Multiple Schools Lose Complete Access to Computer Networks, Communication Systems and Student Files

Of the 17 school districts and colleges compromised by ransomware in 2020, several districts lost total access to their computer networks, files and communication systems.

Gadsden Independent School District (New Mexico)—Gadsden was hit by ransomware twice in one year. The attacks caused a complete shutdown of the district’s internet and communication systems.

One of the saddest ransomware incidents in 2020 was the attack on the Gadsden Independent School District (ISD). According to school officials, on Monday, Feb. 24, for the second time in a year, the school district was compromised by ransomware. Because of the attack, the district had to shut down its entire internet and communication systems. This included phone service across all of its 24 school sites, as well as supporting locations. School officials estimated that it would take four to five days to restore their internet and phone communications, as employees worked to clean computers.

The Gadsden ISD was also attacked by the Ryuk ransomware in July 2019. The second ransomware attack occurred even after the district replaced servers and constructed a whole new email system.

Havre Public Schools (Montana)—All of the school district’s computer systems were taken down. The teachers and administration were forced to use personal cell phones and personal email, and they had to connect their laptops to the internet via mobile hotspots.

In January, the Havre Public Schools in Missoula, Montana, were hit by the Ryuk ransomware. As a result, the entire school district’s computer systems were taken down. According to news reports, the school’s computer staff instructed school officials to disconnect “everything with a blue cord”—including every computer, telephone and printer in every district building.

The schools did remain open. However, during the incident district staff and administration were forced to use their personal cell phones and personal emails and connect their laptops to the internet via their mobile hotspot. Their systems were down for approximately four days, according to news reports.

Nacogdoches Independent School District (Texas)—The school district opted to shut down its entire computer network to limit the damage. Ransomware locked files on district PCs. School officials predicted some teachers and other department members would have to resort to using pencil and paper to keep records.

The Nacogdoches Independent School District in Nacogdoches, Texas, was compromised by a ransomware attack on Feb. 11. School officials shut down the district’s entire computer network to limit the damage. According to school officials, the ransomware locked files on PCs so users could not access them. School administrators did allow staff to use Chromebooks and iPads. One school official stated, “If it’s a PC, it is shut down right now. Probably our teachers and some of our other departments are having to use pencil and paper right now to keep a record of what’s taken place.”

Fort Worth Independent School District (Texas)—The ransomware attack caused the Fort Worth ISD to lose some materials, in addition to affecting the district’s website and causing several computers to stop working. Fort Worth ISD officials sent the teachers curriculum synopses on how to proceed without technology and said staff would have to “go back to the good old days and teach without the computer.”

In early March, the Fort Worth, Texas, Independent School District became a victim of ransomware. Fort Worth ISD spokesperson Clint Bond said he first noticed his computer wasn’t working on March 3. The attack also affected the district’s website, and the district lost access to some materials. According to Bond, school officials sent teachers curriculum synopses and had them plan to teach the old-fashioned way, foregoing technology for white boards.

With Distance Learning as the New Norm Due to Coronavirus, What Happens Now if Schools Get Hit by Ransomware?

Because of the Coronavirus crisis, distance learning is currently the most viable option for educating the nation’s students. However, what happens to a school’s learning management platforms if the school gets hit by ransomware?

There is not one consistent outcome because much of it depends on the breadth of the cyberattack and other variables. According to news reports, on March 28 the Mitchell County Public Schools in North Carolina suffered a ransomware attack preventing the teachers and staff from accessing certain documents and data. However, school administrators reported that their students were still able to access Remote Learning.

The outcome was quite different for the Penn-Harris-Madison School Corporation in Indiana, however, which is made up of 15 schools. It was hit by a ransomware attack in late 2019, and news reports described how the attack “knocked” out all internal network systems districtwide. This included its online learning system Canvas, the platform students use to access and submit work, and Skyward, the platform used to track attendance and share information with families.

Because the Coronavirus crisis has forced schools to physically shut down and teachers must rely on “distance learning” to continue educating the students, Chris Hinkley, who heads Armor’s Threat Resistance Unit (TRU) research team, says he believes the chances of threat actors targeting educational institutions with a ransomware attack are higher than ever. “The cybercriminals know that with schools having to shut down their physical locations and the majority of them having to depend solely on distance learning, they are in a much more vulnerable position,” Hinkley said.

“Add this to the fact that many schools don’t have the security protections in place to protect themselves from the myriad of security threats being launched daily, and you have a perfect storm,” he said.

With this being the case, Armor advises schools to be more prepared than ever to defend themselves against a ransomware attack. They also need to have a solid plan in place, which will allow them to continue teaching should an attack take down the school’s computer network and/or encrypt their key files.

“The Coronavirus crisis presents a unique and unprecedented risk to our U.S. school systems,” Hinkley said. “Now more than ever, educational institutions need to implement proven and comprehensive cybersecurity protections, which can defend their data and networks against the debilitating effects of ransomware and other forms of malware.”

Should an attack get past a school’s cyber protections, their security leaders must ensure that they have multiple backups of their critical data, applications and application platforms, and these must be air-gapped from the internet and password-protected. “Having these backups is critical to recovering expeditiously from a ransomware attack, as well as from other types of attacks, thus helping to ensure that the students’ education continues uninterrupted.”

Armor Security Tips for Defense Against Ransomware

Offline Data Backups – Users must have multiple backups of their critical data, applications and application platforms. These backups must be air-gapped from the internet and password-protected.
White Listing Solution – Limit the use of applications and processes that are allowed to run in your environment by providing a short list of approved applications and processes. Like a VIP List for your PC, if it’s not on the list, it’s not allowed.
File Integrity Monitoring – This monitors your IT environment 24/7/365 for changes to critical OS files and processes, such as directories, registry keys, and values. It also watches for changes to application files, rogue applications running on the host, and unusual process and port activity, as well as system incompatibilities.
Practice Least Privilege Access Control – Ensure the user has the least privilege for their job. This also applies to services.
Audit/Penetration Testing from Independent, Third-Party Experts – Use this to ensure that you are implementing best practices.
IP Reputation Monitoring/Blocking – Block known bad infrastructure and actors.
Continuous Security Awareness Training – Educate employees about current and emerging cybersecurity risks and phishing emails. Effective training should actively engage employees and include policies concerning the correct response to suspected phishing attempts.
Endpoint Protection Solution – This includes protection, detection, and response capabilities for laptops, workstations, and mobile devices. It uses antivirus (AV) and antimalware (AM) to block cyberattacks. It is also used to quickly detect and remediate any malicious activity or infection that has made its way onto the endpoint.

Appendix A: List of School Districts and/or Individual Educational Institutions Hit by Ransomware from Jan. 1 – April 8, 2020

Panama–Buena Vista Union School District
Lakeland Community College
Mountain View–Los Altos High School District
ITI Technical College
Havre Public Schools
Allegheny Intermediate Unit
Nacogdoches Independent School District
Niagara University
Crystal Lake Community High School District 155
South Adams School District
Gadsden Independent School District
Butler County Community College
Spartanburg School District One
Three Rivers College
Fort Worth ISD
Burke County Public Schools
Mitchell County Public Schools
