Update 9.26.19

Since the original publication of this report on Friday, September 20 the following 5 schools have also come forward as victims of ransomware attacks, for a total of 15 schools in the past two weeks. A total of 54 education victims, potentially impacting over 500 individual K-12 schools have been reported in the US since January 2019. New victims this week include:

Education Mobile County School District Mobile AL
Education Houston County Board of Education Perry GA
Education Guthrie Public Schools Guthrie OK
Education Smyth County Public Schools Saint Marion VA
Education Northshore School District Bothell WA


In the past 9 days, Armor, a cloud security solutions provider, has identified 9 new school districts and 1 college which have been hit by ransomware. The 9 school districts are made up of over 100 K-12 schools, thus expanding the potential impact to many schools. Crowder College of Neosho, MO, reported they were a victim of ransomware on September 11, and the ransom demand was $1.6 million. Interestingly, they also said that they found evidence that the threat actors had been in their systems since November 2018. There has been no news of whether Crowder has paid the ransom. Monroe College in New York was compromised in July, and they were hit with a $2 million ransom, the first million dollar ransom we had seen for an educational institution, before Crowder College.

Since January 2019, Armor has identified a total of 49 educational institutions and/ or school districts that have publicly announced ransomware attacks These attacks have potentially affected 500 K-12 schools. Since January, Armor has identified 182 ransomware victims in the U.S., including schools, municipalities, law enforcement agencies and healthcare networks. Out of the 182 victim organizations in 2019 in the U.S., educational institutions (49) make up the second largest pool of victims, after municipalities (70), followed by healthcare (27).

Number of Publicly Reported Education Victims in 2018

According to the K-12 Cybersecurity Resource Center, K-12 schools experienced 119 cyber incidents in 2018 and 9.76 % they attribute to ransomware which equals 11 victim schools.

NOTE: Connecticut has had 7 school districts hit by ransomware in 2019, making them the state whose educational institutions have been compromised most by ransomware attacks (see victims below). These districts are comprised of 104 individual schools.

“Educational institutions, municipalities and other organizations whose infrastructure is critical to their communities host a variety of data, most of which is sensitive.” said Chris Hinkley, Head of Threat Resistance at Armor. “Cybercriminals know these organizations can’t afford to shut down, they are often using out of date hardware and software, and they have few security measures in place. This is a deadly combination in the case of a ransomware attack, which provides for a high sense of urgency and a high probability of large payments. Recently, there have been several ransomware attacks on these types of public institutions that have resulted in payment, including The Rockville Center School District ($88,000), Riviera City, Florida ($600,000), and Lake City, Florida ($500,000). Unfortunately, these payouts have signaled to the hackers that impacting communities can be very profitable.”

The 10 victim school districts include:

Vertical Name City State
Education Ava R-I School District Ava MO
Education Wallenpaupack Area School District Hawley PA
Education Mad River Local Schools Riverside OH
Education Papillion-La Vista Comm. Schools Papillion NE
Education Rockford Public Schools Rockford IL
Education Souderton Area School District Lansdale PA
Education Wakulla County School District Crawfordville FL
Education Jackson County School District Marianna FL
Education Wyoming Area School District Exeter PA

Effects of Ransomware Attacks on Various School Districts

Souderton Area School District in Lansdale, Pennsylvania was hit by ransomware in early September. The Superintendent of the District Dr. Frank Gallagher said the attack affected them over the Labor Day weekend and they are still suffering disruptions to their network. Note: Students were also told to power off their school issued devices and to return the devices to their school.

North Lamar Independent School District in Lamar County, Texas reported an attack that occurred just before the Labor Day holiday. They do not appear to be part of the “Texas 22” earlier in the month, as there has been no mention of school systems hit in the earlier attack. The residents of Lamar are no stranger to ransomware—their sheriff department was hit with ransomware in January.

Blue Valley School District in Overland Park, Kansas was hit with ransomware on August 9th locking communications and network access. Thanks to backup procedures and quick action to block the threat actor’s IP address, the school was only down for 4 days – but back up in time for the first day of school.

Students at Monroe-Woodbury School District in Central Valley, New York were expected to start school Wednesday, September 4, 2019 but they didn’t start until September 5th. The district will not have access to computers, Wi-Fi, and smart boards for weeks until the recovery process is completed.

Camp Verde Unified School District in Camp Verde, Arizona managed to start the school year on time, despite a ransomware attack. They began the new year without the aid of computers, however, adding new stress to the first days of school.

Flagstaff Unified School District wasn’t as lucky. The second Arizona school district to report their networks were taken down, FUSD delayed the start of classes two days due to a ransomware attack discovered August 4th. The attack may have impacted as many as 15 schools across the district.

Sherman Public Schools in Sherman, Connecticut discovered ransomware August 16th. They now join six other Connecticut schools reporting attacks this year including Middletown, Wallingford, New Haven, Pomfret, Bridgeport and Wolcott.

Ryuk Ransomware Culprit in 5 School Ransomware Incidents

According to reports, 5 of the attacks on education organizations this year have been due to Ryuk, a lucrative and targeted ransomware family that has historically victimized municipalities as well as school systems. It is typically proceeded by the Emotet and TrickBot trojans which lay the groundwork for network-wide compromise.

Publicly Reported MSPs Hit by Ransomware Attacks in 2019

PM Consultants– Portland, Oregon   July 2019

CloudJumper— Garner, North Carolina May 2019

Datto—Norwalk, Connecticut   August 2019

PercSoft—West Allis, Wisconsin  August 2019

TSM Consulting Services Inc.— Rockwall, Texas  August 2019

IT By Design —Jersey City, NJ   June 2019

Publicly Reported School Victims of Ransomware Attacks
January-September 2019

Vertical Name City State
Education Houston County Schools Ashford AL
Education Camp Verde Unified School District Camp Verde AZ
Education Flagstaff Public Schools Flagstaff AZ
Education Sylvan Union School District Modesto CA
Education Bridgeport Public Schools Bridgeport CT
Education Middletown School District Middletown CT
Education Wallingford School District Wallingford CT
Education New Haven Public Schools New Haven CT
Education Wolcott Public Schools Wolcott CT
Education Pomfret Public Schools Pomfret CT
Education Sherman Public Schools Sherman CT
Education Wakulla County School District Crawfordville FL
Education Jackson County School District Marianna FL
Education Grinnell College Grinnell IA
Education Glenwood School District Glenwood IA
Education Sugar-Salem School District Sugar City ID
Education Nampa Idaho School District Nampa ID
Education Augustana College Rock Island IL
Education Rockford Public Schools Rockford IL
Education Blue Valley School District Overland Park KS
Education Louisiana Public Schools Sabine Parish LA
Education Park Rapids Public Schools Park Rapids MN
Education Crowder College Neosho MO
Education Papillion-La Vista Community Schools Papillion NE
Education Stevens Institute of Technology Hoboken NJ
Education Taos Municipal Schools District Taos NM
Education Gadsden Independent School District Gadsden NM
Education Lyon County School District Yerington NV
Education Hamilton College in New York Clinton NY
Education Monroe College New York NY
Education Syracuse City School District Syracuse NY
Education Mineola Public Schools Mineola NY
Education Rockville Center School District Rockville Center NY
Education Monroe-Woodbury School District Central Valley NY
Education Oberlin College Oberlin OH
Education Mad River Local Schools Riverside OH
Education Oklahoma City Public Schools Oklahoma City OK
Education Broken Arrow Public Schools Broken Arrow OK
Education Souderton Area School District Lansdale PA
Education Wyoming Area School District Exeter PA
Education Wallenpaupack Area School District Hawley PA
Education Newport Public Schools Newport RI
Education Crosby ISD Crosby TX
Education Sul Ross State University Alpine TX
Education North Lamar ISD Lamar County TX
Education New Kent County Public Schools New Kent VA
Education Northwest Indian College Bellingham WA
Education Moses Lake School District Moses Lake WA
Education Ava County Schools Ava MO
Education Mobile County School District Mobile AL
Education Houston County Board of Education Perry GA
Education Guthrie Public Schools Guthrie OK
Education Smyth County Public Schools Saint Marion VA
Education Northshore School District Bothell WA

Key Ransomware Protection Tips Include:

  • Offline Data Backups – users must have multiple backups of their critical data, applications, and application platforms. These backups must be air-gapped from the internet and password protected.
  • White Listing Solution – limits the use of applications and processes that are allowed to run in your environment by providing a short list of approved applications and processes. Like a VIP List for your PC, if it’s not on the list,
    it’s not allowed.
  • File Integrity Monitoring—Monitors your IT environment 24x7x365 for changes to critical OS, files and processes such as directories, registry keys, and values.  It also watches for changes to application files, rogue applications running on the host and unusual process and port activity, as well as system incompatibilities.
  • Practice Least Privilege Access Control –ensure the user has the least privilege for their job. This also applies to services.
  • Audit/Penetration Testing from Independent, Third-Party Experts—to ensure that you are implementing best practices.
  • IP Reputation Monitoring/Blocking—blocking known bad infrastructure and actors
  • Continuous Security Awareness Training – educate employees about current and emerging cybersecurity risks and phishing emails. Effective training should actively engage employees and include policies concerning the correct response to suspected phishing attempts.
  • Endpoint Protection Solution – includes protection, detection and response capabilities for laptops, workstations and mobile devices. Utilizes antivirus (AV) and antimalware (AM) to block cyberattacks. It is also used to quickly detect and remediate any malicious activity or infection that has made its way onto the endpoint.

Resource Center

More security resources at your fingertips.

Practical Content for Security, DevOps, & IT Professionals