FBI, CISA warn of growing ransomware attacks on K-12 schools

While much attention has been given to the potential for remote learning environments being exploited by cybercriminals, a new CISA joint cybersecurity advisory warns that such attacks are already happening. 

Threat actors are targeting K-12 schools and remote learning classrooms, according to a joint cybersecurity advisory by CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC). Threat actors are targeting classrooms with ransomware, malware, DDoS attacks and video conference disruption.

"Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year. These issues will be particularly challenging for K-12 schools that face resource limitations; therefore, educational leadership, information technology personnel, and security personnel will need to balance this risk when determining their cybersecurity investments," the advisory reads.

"Numerous" reports of ransomware attacks against K-12 schools have been reported to the three organizations, the agencies said. The attacks involve threat actors actively targeting school computer systems. As the advisory reads, "Adopting tactics previously leveraged against business and industry, ransomware actors have also stolen -- and threatened to leak -- confidential student data to the public unless institutions pay a ransom."

Several recent cyber attacks have hit K-12 schools and educational organizations. For example, a massive ransomware attack struck Baltimore County Public Schools, which shut down classes for several days following Thanksgiving. In addition, online education company K12 Inc. suffered a ransomware attack last month and paid the ransom.

The rate of such reported ransomware incidents has increased throughout the year.

"According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year. In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July," the advisory said.

Ryuk, Maze, Nefilim, AKO and Sodinokibi/REvil are the most common ransomware variants involved, according to MS-ISAC's findings. The most common forms of non-ransomware malware used affecting state, local, tribal, and territorial (SLTT) K-12 schools are ZeuS, a Windows trojan, and Shlayer, a MacOS trojan. Although Shlayer is the most commonly used malware, it's also the only one on the top 10 that targets MacOS. The rest target Windows, and none of them appear to target Google's Chrome OS.

In an email to SearchSecurity, a spokesperson for the Center of Internet Security, a nonprofit organization that hosts the MS-ISAC, said that malware infections and command and control activity "make up 90% of all blocked activity" in organizations protected by CIS's Malicious Domain Blocking and Reporting (MDBR) service.

In order to disrupt and infiltrate remote learning environments, threat actors are exploiting their victims via social engineering, vulnerabilities, open/exposed ports and end-of-life software.

As for mitigations, the joint advisory mentioned not only the more commonly referenced steps such as regularly patching software and using multifactor authentication but also recommended schools maintain a business continuity plan.

"Without planning, provision, and implementation of continuity principles, institutions may be unable to continue teaching and administrative operations. Evaluating continuity and capability will help identify potential operational gaps. Through identifying and addressing these gaps, institutions can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. The FBI and CISA suggest K-12 educational institutions review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by cyber actors," the advisory said.

Emsisoft threat analyst Brett Callow told SearchSecurity that the K-12 ransomware problem isn't getting any better and is impacting a large number of students.

"The US is tracking for a similar number of ransomware cases involving schools and colleges this year as there were last -- which isn’t a good thing. In 2019, at least 89 districts and colleges were hit; so far in 2020, the count is 80. The districts that have been impacted this year are responsible for about 1,659 individual schools -- meaning a lot of kids had their educations disrupted in year in which has already seen significant disruption to academic schedules due to COVID-19," Callow said.