Update 9.26.19
Since the original publication of this report on Friday, September 20, the following 5 schools have also come forward as victims of ransomware attacks, for a total of 15 schools in the past two weeks. A total of 54 education victims, potentially impacting over 500 individual K-12 schools, have been reported in the US since January 2019. New victims this week include:
Vertical | Name | City | State |
Education | Mobile County School District | Mobile | AL |
Education | Houston County Board of Education | Perry | GA |
Education | Guthrie Public Schools | Guthrie | OK |
Education | Smyth County Public Schools | Saint Marion | VA |
Education | Northshore School District | Bothell | WA |
9.20.19
In the past 9 days, Armor, a cloud security solutions provider, has identified 9 new school districts and 1 college which have been hit by ransomware. The 9 school districts are made up of over 100 K-12 schools, thus expanding the potential impact to many schools. Crowder College of Neosho, MO, reported that it was a victim of ransomware on September 11, and the ransom demand was $1.6 million. Interestingly, the college also said that it found evidence that the threat actors had been in its systems since November 2018. There has been no news of whether Crowder has paid the ransom. Monroe College in New York was compromised in July and was hit with a $2 million ransom, the first million-dollar ransom we had seen for an educational institution before Crowder College.
Since January 2019, Armor has identified a total of 49 educational institutions and/or school districts that have publicly announced ransomware attacks. These attacks have potentially affected 500 K-12 schools. Since January, Armor has identified 182 ransomware victims in the U.S., including schools, municipalities, law enforcement agencies and healthcare networks. Out of the 182 victim organizations in 2019 in the U.S., educational institutions (49) make up the second largest pool of victims, after municipalities (70), followed by healthcare (27).
Number of Publicly Reported Education Victims in 2018
According to the K-12 Cybersecurity Resource Center, K-12 schools experienced 119 cyber incidents in 2018, of which they attribute 9.76% to ransomware, which equals 11 victim schools.
NOTE: Connecticut has had 7 school districts hit by ransomware in 2019, making it the state whose educational institutions have been compromised most by ransomware attacks (see victims below). These districts comprise 104 individual schools.
“Educational institutions, municipalities and other organizations whose infrastructure is critical to their communities host a variety of data, most of which is sensitive,” said Chris Hinkley, Head of Threat Resistance at Armor. “Cybercriminals know these organizations can’t afford to shut down, they are often using out of date hardware and software, and they have few security measures in place. This is a deadly combination in the case of a ransomware attack, which provides for a high sense of urgency and a high probability of large payments. Recently, there have been several ransomware attacks on these types of public institutions that have resulted in payment, including The Rockville Center School District ($88,000), Riviera City, Florida ($600,000), and Lake City, Florida ($500,000). Unfortunately, these payouts have signaled to the hackers that impacting communities can be very profitable.”
The 10 victim school districts include:
Vertical | Name | City | State |
Education | Ava R-I School District | Ava | MO |
Education | Wallenpaupack Area School District | Hawley | PA |
Education | Mad River Local Schools | Riverside | OH |
Education | Papillion-La Vista Comm. Schools | Papillion | NE |
Education | Rockford Public Schools | Rockford | IL |
Education | Souderton Area School District | Lansdale | PA |
Education | Wakulla County School District | Crawfordville | FL |
Education | Jackson County School District | Marianna | FL |
Education | Wyoming Area School District | Exeter | PA |
Effects of Ransomware Attacks on Various School Districts
Souderton Area School District in Lansdale, Pennsylvania was hit by ransomware in early September. The Superintendent of the District, Dr. Frank Gallagher, said the attack affected them over the Labor Day weekend and they are still suffering disruptions to their network. Note: Students were also told to power off their school-issued devices and to return the devices to their school.
North Lamar Independent School District in Lamar County, Texas reported an attack that occurred just before the Labor Day holiday. They do not appear to be part of the “Texas 22” earlier in the month, as there has been no mention of school systems hit in the earlier attack. The residents of Lamar are no strangers to ransomware: their sheriff's department was hit with ransomware in January.
Blue Valley School District in Overland Park, Kansas was hit with ransomware on August 9th, locking communications and network access. Thanks to backup procedures and quick action to block the threat actor’s IP address, the school was only down for 4 days and was back up in time for the first day of school.
Students at Monroe-Woodbury School District in Central Valley, New York were expected to start school Wednesday, September 4, 2019, but they didn’t start until September 5th. The district will not have access to computers, Wi-Fi, and smart boards for weeks until the recovery process is completed.
Camp Verde Unified School District in Camp Verde, Arizona managed to start the school year on time, despite a ransomware attack. They began the new year without the aid of computers, however, adding new stress to the first days of school.
Flagstaff Unified School District wasn’t as lucky. The second Arizona school district to report their networks were taken down, FUSD delayed the start of classes two days due to a ransomware attack discovered August 4th. The attack may have impacted as many as 15 schools across the district.
Sherman Public Schools in Sherman, Connecticut discovered ransomware August 16th. They now join six other Connecticut schools reporting attacks this year including Middletown, Wallingford, New Haven, Pomfret, Bridgeport and Wolcott.
Ryuk Ransomware Culprit in 5 School Ransomware Incidents
According to reports, 5 of the attacks on education organizations this year have been due to Ryuk, a lucrative and targeted ransomware family that has historically victimized municipalities as well as school systems. It is typically preceded by the Emotet and TrickBot trojans, which lay the groundwork for network-wide compromise.
Publicly Reported MSPs Hit by Ransomware Attacks in 2019
Name | Location | Date |
PM Consultants | Portland, Oregon | July 2019 |
CloudJumper | Garner, North Carolina | May 2019 |
Datto | Norwalk, Connecticut | August 2019 |
PercSoft | West Allis, Wisconsin | August 2019 |
TSM Consulting Services Inc. | Rockwall, Texas | August 2019 |
IT By Design | Jersey City, NJ | June 2019 |
Publicly Reported School Victims of Ransomware Attacks
January-September 2019
Vertical | Name | City | State |
Education | Houston County Schools | Ashford | AL |
Education | Camp Verde Unified School District | Camp Verde | AZ |
Education | Flagstaff Public Schools | Flagstaff | AZ |
Education | Sylvan Union School District | Modesto | CA |
Education | Bridgeport Public Schools | Bridgeport | CT |
Education | Middletown School District | Middletown | CT |
Education | Wallingford School District | Wallingford | CT |
Education | New Haven Public Schools | New Haven | CT |
Education | Wolcott Public Schools | Wolcott | CT |
Education | Pomfret Public Schools | Pomfret | CT |
Education | Sherman Public Schools | Sherman | CT |
Education | Wakulla County School District | Crawfordville | FL |
Education | Jackson County School District | Marianna | FL |
Education | Grinnell College | Grinnell | IA |
Education | Glenwood School District | Glenwood | IA |
Education | Sugar-Salem School District | Sugar City | ID |
Education | Nampa Idaho School District | Nampa | ID |
Education | Augustana College | Rock Island | IL |
Education | Rockford Public Schools | Rockford | IL |
Education | Blue Valley School District | Overland Park | KS |
Education | Louisiana Public Schools | Sabine Parish | LA |
Education | Park Rapids Public Schools | Park Rapids | MN |
Education | Crowder College | Neosho | MO |
Education | Papillion-La Vista Community Schools | Papillion | NE |
Education | Stevens Institute of Technology | Hoboken | NJ |
Education | Taos Municipal Schools District | Taos | NM |
Education | Gadsden Independent School District | Gadsden | NM |
Education | Lyon County School District | Yerington | NV |
Education | Hamilton College in New York | Clinton | NY |
Education | Monroe College | New York | NY |
Education | Syracuse City School District | Syracuse | NY |
Education | Mineola Public Schools | Mineola | NY |
Education | Rockville Center School District | Rockville Center | NY |
Education | Monroe-Woodbury School District | Central Valley | NY |
Education | Oberlin College | Oberlin | OH |
Education | Mad River Local Schools | Riverside | OH |
Education | Oklahoma City Public Schools | Oklahoma City | OK |
Education | Broken Arrow Public Schools | Broken Arrow | OK |
Education | Souderton Area School District | Lansdale | PA |
Education | Wyoming Area School District | Exeter | PA |
Education | Wallenpaupack Area School District | Hawley | PA |
Education | Newport Public Schools | Newport | RI |
Education | Crosby ISD | Crosby | TX |
Education | Sul Ross State University | Alpine | TX |
Education | North Lamar ISD | Lamar County | TX |
Education | New Kent County Public Schools | New Kent | VA |
Education | Northwest Indian College | Bellingham | WA |
Education | Moses Lake School District | Moses Lake | WA |
Education | Ava County Schools | Ava | MO |
Education | Mobile County School District | Mobile | AL |
Education | Houston County Board of Education | Perry | GA |
Education | Guthrie Public Schools | Guthrie | OK |
Education | Smyth County Public Schools | Saint Marion | VA |
Education | Northshore School District | Bothell | WA |
Key Ransomware Protection Tips Include:
- Offline Data Backups – users must have multiple backups of their critical data, applications, and application platforms. These backups must be air-gapped from the internet and password protected.
- White Listing Solution – limits the use of applications and processes that are allowed to run in your environment by providing a short list of approved applications and processes. Like a VIP List for your PC, if it’s not on the list, it’s not allowed.
- File Integrity Monitoring – monitors your IT environment 24x7x365 for changes to critical OS files and processes, such as directories, registry keys, and values. It also watches for changes to application files, rogue applications running on the host and unusual process and port activity, as well as system incompatibilities.
- Practice Least Privilege Access Control – ensure the user has the least privilege for their job. This also applies to services.
- Audit/Penetration Testing from Independent, Third-Party Experts – to ensure that you are implementing best practices.
- IP Reputation Monitoring/Blocking – blocking known bad infrastructure and actors.
- Continuous Security Awareness Training – educate employees about current and emerging cybersecurity risks and phishing emails. Effective training should actively engage employees and include policies concerning the correct response to suspected phishing attempts.
- Endpoint Protection Solution – includes protection, detection and response capabilities for laptops, workstations and mobile devices. Utilizes antivirus (AV) and antimalware (AM) to block cyberattacks. It is also used to quickly detect and remediate any malicious activity or infection that has made its way onto the endpoint.