CALIFORNIA, USA — This article was originally published by CalMatters.
Sixth-grade teacher Hilary Hall had just started teaching one Monday morning in September when her teacher’s group chats at Newhall School District exploded with confusing messages. Teachers in the Santa Clarita school district — located just north of Los Angeles — were panicking.
While Hall had no issues logging onto her computer from home, many of her colleagues, connected to the school district’s server, were met with a mysterious pop-up message.
It said users wouldn’t be able to log into the server.
People turned to Hall, co-president of the district’s teacher’s union, for information, but she didn’t know what was going on, either.
A few minutes later, an answer arrived via phone call from each grade’s head teacher: The school district, all 10 schools representing under 6,000 children, had been hit with a ransomware attack. All teachers were instructed to log off immediately.
“Read a book!” Hall told the kids in her class, trying to think of educational activities on the spot as she quickly logged off.
While incidents like the Colonial pipeline ransomware attack and the Kaseya attack received international attention, schools and universities have also been on the wrong end of cybercriminals.
READ MORE:
Experts interviewed by CalMatters — including researchers, cybersecurity companies, IT employees and the FBI — all agree the number of cyberattacks has increased over the pandemic. Many believe the number of attacks on the education sector has also increased, but it’s an area so new to cybercrime that there’s virtually no comprehensive data on it.
California schools, colleges and universities have scrambled to adjust. In the past five years, more than two dozen California school systems have been targeted, from Rialto Unified School District in San Bernardino to Stanford University’s School of Medicine.
Prior to the ransomware attack last September, Newhall had implemented what experts consider common sense security measures like internal firewalls to prevent malicious software from affecting entire systems. A few times a year, the IT department even sent students and employees fake “phishing” emails — deceptive emails enticing users to click on malicious links or reveal sensitive information — to see if they would click on suspicious links that could compromise their networks.
But none of these efforts stopped cybercriminals from attacking the district’s computer systems and rendering over 6,000 elementary school students and teachers without normal school for a week.
“When we heard that it was ransomware, it was almost like, ‘Are we in a movie?’ Like, what in the world?” Hall said.
How ransomware attacks work
Ransomware attacks use a specific type of malicious software to encrypt files on computers connected to the Internet, essentially locking out organizations from accessing their files. The cybercriminals then demand a ransom to decrypt the files.
Sometimes, these attacks are “double-pronged,” meaning the criminals will threaten to sell (or when there’s potential for blackmail, release) sensitive information in order to provide an extra incentive for fast payment. Coveware, a well-known Connecticut-based ransomware recovery firm, found that 77% of ransomware attacks threatened to leak data in the first quarter of 2021.
Emsisoft, a New Zealand-based software company, expects these data theft attacks to double in 2021, with cybercriminals finding more ways to make stolen data useful in extracting a ransom.
The FBI’s Internet Crime Complaint Center, which tracks complaints of cybercrimes (not just ransomware), said it received 791,790 complaints in 2020, a 165% increase from 2016. The complaints only reflect crimes reported to the FBI, so the actual number in any given year is larger.
And as COVID-19 forced many organizations, from schools to huge corporations, to move even more of their systems online, cybercrime increased, said Ronald Manuel, a supervisor on the FBI’s Los Angeles cyber task force.
Schools and universities confronted an unprecedented increase in attacks.
In 2020, cybercriminals attacks affected at least 1,681 schools and universities across the country, according to research by Emsisoft. In 2019, only 89 were attacked with ransomware, although over 1,000 more were potentially affected. These numbers represent a minimum of ransomware attacks, Emsisoft said — there are no federal reporting requirements.
Seculore Solutions, a software company based in Maryland, has recorded 122 cyberattacks in California across the public safety, government, medical and education sectors since 2016. At least 26 of those cyberattacks have targeted California school districts, colleges and universities, including the University of California, Sierra College, College of the Desert and Visalia Unified School District.
If the data on cyberattacks seems sketchy and incomplete, that’s because it is. Nick Merrill, a cybersecurity researcher at UC Berkeley, said he doesn’t know of an archive for cyber attacks in California. “But if you find one, please let me know,” he wrote in an email to CalMatters.
READ MORE:
While it’s ultimately a mystery how ransomware crews pick their specific targets, the education sector is vulnerable for a few reasons, according to multiple experts. Tight budgets prevent them from having the resources to stop cyberattacks. Unique characteristics — like an open WiFi network — make schools particularly vulnerable. And they are also dependent on their online systems: They wouldn’t be able to function without grading systems or other file-sharing software.
“They’re essentially low-hanging fruit,” said Andrew Brandt, a malware researcher with SophosLabs.
Schools could also be a quick and easy payout for “ransomware crews” who make a living off of these attacks, Merrill said. Experts believe that many of these cybercriminals are located in Russia or the former USSR, where ransomware is a lucrative business in an otherwise depressed economy.
“There are a lot of them, so you can keep hitting these (schools and colleges) all across the U.S., all across maybe even the world, and you can get a pretty consistent payout every time,” Merrill said.
But while ransomware attacks are increasing in schools across California and the country, key players are struggling to play catch-up. School administrators, experts and government officials are having different conversations, if any at all.
Do you pay ransomware attackers or not?
The week of the ransomware attack at Newhall School District, teachers uploaded videos to the school district’s website as a form of makeshift online school. All students in the district watched the same videos. Hall said some of her students felt that week was “a bit of a waste,” because the lesson plans were so generic. She said teachers felt guilty about “leaving our kids stranded without our support.”