November saw an influx of ransomware attacks reported against the education sector, with some tied to the Hive ransomware group after threat actors claimed responsibility through the groups' public data leak site.
At least five of the 24 confirmed or disclosed ransomware attacks last month were against K-12 schools and universities, though that figure is likely much larger. While TechTarget Editorial tracks publicly reported ransomware events and official disclosures that include terms such as "encrypted data," there were signs that ransomware was involved in several additional instances referred to only as a cyber attack or security incident.
The ransomware activity against the education sector continues the trend in October and September, which also saw a significant number of K-12 schools and colleges disclose attacks. Along with an uptick in attacks against the education sector, Hive was persistent in, throughout November, leaking stolen information from two education entities.
Though Hive ransomware has been deployed by threat actors since 2021, a recent joint cybersecurity advisory from the FBI and the Cybersecurity and Infrastructure Security Agency warned organizations of its updated tactics and techniques.
"As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments, according to FBI information," the alert read.
On Nov. 28, The Record confirmed that Guilford College in North Carolina suffered a ransomware attack in October where law enforcement was immediately notified. A Guilford College spokesperson informed The Record that evidence suggested the threat actor likely accessed sensitive data. Three days prior, Emsisoft analyst Brett Callow posted a screenshot of Hive's leak page, used to pressure victims into paying, on Twitter that showed Guilford College had been added. That included "100MB pack of data" and brought the number of U.S. colleges with stolen data up to 20 so far this year, according to Callow.
Additionally, the college's student-run news site, The Guilfordian, reported a cyber security incident on Nov. 11. While it did not refer to it as a ransomware attack, The Guilfordian did say an incident that caused "system disruptions" occurred on Oct. 21, which was not officially announced by Guilford president Kyle Farmbry until Nov. 5.
Oklahoma-based Norman Public Schools (NPS), a district with 24 schools and more than 14,000 students, confirmed it was hit by ransomware on November 4. The district posted a statement on its website warning students and faculty to discontinue use and shutdown NPS-issued devices. In an update on Nov. 23, the same day that Hive added the school to its victims list, NPS said an investigation "determined that an unauthorized actor gained access to certain NPS systems, and that information contained on those systems may have been viewed or taken."
The most recent communication on the attack was posted Nov. 30, where NPS confirmed it was unaware that any information had been misused. But it did encourage students and faculty to "remain vigilant against incidents of identity theft and fraud."
While it wasn't listed on Hive's leak site, Jackson and Hillsdale County Public Schools experienced a ransomware attack that shutdown operations for a week and a half. Kevin Oxley, Jackson County Intermediate School District superintendent, issued a letter on Nov. 14 that confirmed a ransomware attack forced services offline, affecting two Michigan counties.
Another trend in November related to geographical location. Three of the 24 confirmed ransomware attacks occurred against organizations located in Dallas, including the Dallas Central Appraisal District, whose website remained down for the third week as of Nov. 24.