Schools don't pay, but ransomware attacks still increasing

Ransomware gangs have increasingly focused their attacks on the K-12 education sector, even though most school districts do not pay the ransom. But how long will that last?

Ransomware gangs continued to attack K-12 schools in 2022 despite the low probability of collecting a ransom payment.

While the total number of ransomware cases is unknown, reports reveal that ransomware attacks on K-12 schools increased between 2020 and 2022. Threat detection vendor Emsisoft recorded a near doubling of U.S. schools impacted between 2021 and 2022, though the number of school districts impacted fell from 58 to 45 last year.

According to Allan Liska, intelligence analyst at threat intelligence vendor Recorded Future, 131 school systems across the world were attacked in 2020, 162 in 2021 and 177 in this past year. These growing numbers contrast with those of other sectors.

"As far as publicly reported attacks go, for everything that we track, school systems were the only sector that was actually up in 2022," said Liska. "Everything else was flat or declined."

K-12 schools have long been frequent targets for ransomware gangs, but attacks appear to have accelerated in recent years. The COVID-19 pandemic incentivized the use of virtual platforms for students to attend school remotely, which broadened the attack surface and presented a goldmine of sensitive information belonging to educators and students.

The most notable example of this was the attack on the Los Angeles Unified School District (LAUSD), the second-largest public school system in the U.S., in early September. LAUSD officials refused to pay the ransom demand from Vice Society, a notorious ransomware operation known for its attacks on the education sector. As a result, Vice Society published 500 GB of data on its dark web site in October, though Superintendent Alberto Carvalho later said a review of the leak showed there was no widespread exposure of sensitive data.

Still, most K-12 schools refrain from paying a ransom even as the volume of captured data grows. Of the 45 cases that were publicly reported in 2022, there were only three reports of schools paying ransoms: Cedar Rapids Community School District in Iowa, Glenn County Office of Education in California, and Little Rock School District in Arkansas.

"As far as we know, school systems are one of the least likely sectors to pay a ransom," said Liska.

There are several reasons for the reluctance to pay ransoms. For one, there is no promise that the information encrypted and seized will not be released online, even if a ransomware actor is paid. Schools are also hesitant about expenditures, especially when the demanded sum is so high.

"It's been beat into schools for years and years that it's taxpayer money and you have to be careful with how you spend it," said Liska. "Even $100,000 to $150,000 ransom is a lot."

But ransomware actors don't need to receive a payment to reap benefits from an attack, which is part of the reason why they continue to target the education sector. Cybercriminals can monetize the personal data they acquire from schools' networks -- dates of birth, home addresses, social security numbers, health records, and more -- albeit for a small sum.

Schools still make easy targets

Hackers send phishing emails, take over accounts through credential stuffing and breach school systems directly through vulnerable external-facing systems. Due to their lack of spending on cybersecurity, K-12 schools often have weak security postures, making their organizations easy targets.

According to Matt Hull, global head of threat intelligence at NCC Group, the overall number of global double extortion victims -- those whose data has been encrypted and stolen -- actually decreased by about 5% from 2021 to 2022. However, cybercriminals increased their targeting of education.

"We see that targeting of banks by ransomware actors is virtually nonexistent because they're really hard targets," Hull said. "Less mature organizations, such as healthcare, education or the public sector bodies, who haven't had the investment, the spending in cybersecurity that banks have over the years -- those types of sectors are just 10-15 years behind those more mature organizations."

As reported by the Center for Internet Security, the maturity value of K-12 schools on the Nationwide Cybersecurity Review risk-based scale, which ranges from 1 to 7, is 3.55. Approximately one in five K-12 organizations dedicate less than 1% of their IT budget to cybersecurity, which speaks to their lack of cyber defenses. The report outlines underdeveloped areas that schools need to improve upon: protective technology, supply chain risk management and data security.

Kurtis Minder, CEO and founder of cybersecurity vendor GroupSense, said that in addition to K-12 schools' deficient online safeguards, the similarity of online system configurations across schools increases the chance of an attack. Entering one school system probably means that one can enter several more, he said.

Protecting children, parents and educators

As attacks on K-12 schools ramped up over the last three years, cybersecurity vendors and government agencies alike have increased their focus on the threat. The Cybersecurity and Infrastructure Security Agency developed guidelines for schools on strengthening cybersecurity as required under the K-12 Cybersecurity Act of 2021 and, just last week, issued a new report on safeguarding schools.

The agency designed a toolkit that lists three recommendations -- investing in mature security measures, addressing resource constraints, and communicating with other organizations about threats and incidents -- accompanied by strategies for making them a reality.

But this online resource can only go so far. Infosec experts say schools still lack the funding to efficiently build up and mature cyber defenses. Attacks and the number of people affected by them have escalated more than a year after the release of the toolkit.

Less specific to the education sector are the bans North Carolina and Florida have implemented on ransom payments related to cyberattacks to deter threat actors from attacking public agencies. Their effectiveness is a contentious matter. Minder argued that with these laws in place, ransom payments will be made more secretively instead of being prevented.

"I think it will do the opposite of what they're trying to achieve," said Minder. "It will drive behavior underground unless they give them a third option, which they have not yet done."

No end in sight

For the education sector, the numbers indicate that refusing to pay ransoms does not discourage further attacks. K-12 schools are still stricken with many risk factors. Until security postures are greatly improved, experts say, threat actors will continue to disrupt learning and steal personal data with the same tactics.

"There's no incentive for threat actors to change their behavior -- they're making money off of it," said Minder. "There's no negative consequences for them, and enough people are paying ransom that it's worth their time. It's going to continue."

It's unclear if the low rate of payments from schools will hold, especially as ransomware gangs continue to evolve and employ new and often more aggressive tactics. For example, following a 2021 attack on the Allen Independent School District (ISD) in Texas, ransomware actors began emailing the parents of students directly to pressure the school district into paying.

Liska said that while parents, students and school staff don't want their data published, they're typically against paying ransoms. In the case of Allen ISD, the school refused to pay. But he said some gangs could escalate their tactics, especially if they obtained truly sensitive information about students' mental health, for example. "They've shown they have no qualms about pursuing and preying upon people's mental health issues."

Ransomware attacks have already taken a toll on these schools. A 2022 report from the U.S. Accountability Office recorded a loss of three days to three weeks of learning following a cyberattack. A school's recovery time, which covers replacing computer hardware and enhancing cybersecurity, spans from about two to nine months, with costs between $50,000 and $1 million, excluding a ransom payment.

The stakes are high, and it's uncertain what might decrease or end such attacks.

"We need to figure out a way to protect the schools while also not impacting all of the valuable services school provides," Liska said.
