June saw flurry of ransomware attacks on education sector

Ransomware attacks rocked the education sector again last month, causing significant disruptions and putting sensitive student information at risk.

TechTarget Editorial's 2023 ransomware database tracks monthly attacks against U.S. organizations based on public disclosures, confirmed media reports and data breach notifications filed to the offices of state attorneys general. June saw 29 confirmed ransomware attacks -- a slight decrease from May's ransomware activity.

This number represents only a fraction of worldwide ransomware activity for the month, as several cybersecurity vendors have recorded surges in recent months. For example, NCC Group determined that May had the second-highest number of recorded attacks worldwide so far this year with 436.

TechTarget's ransomware database also did not include the widespread attacks against vulnerable MoveIt Transfer instances. Earlier this month, Microsoft reported that a threat actor associated with the Clop ransomware gang exploited a zero-day vulnerability in Progress Software's MoveIt Transfer product to steal confidential data. Since then, an increasing number of victims emerged, including U.S. government agencies, though there have been no reports of encrypted data or systems. While TechTarget did not include the victims in the June database because the attacks involved data theft and extortion only, reports estimated that nearly 200 organizations were affected by the Clop campaign.

While the number of confirmed ransomware attacks appeared to dip in June, targets were consistent with previous months as schools and municipalities accounted for 12 of the victims that disclosed an attack. However, one victim took half a year to notify affected individuals.

In a letter issued to the Office of the Maine Attorney General on June 5, Pearland Independent School District (ISD) confirmed that it became aware of an attack on Nov. 8. Subsequently, the Texas-based district secured its systems and initiated an investigation with cybersecurity experts. According to its website, the district encompasses 23 campuses with more than 1,300 teachers and 21,000 students. The data breach notification did not say whether law enforcement was notified.

On April 18, the investigation revealed that data was affected, but Pearland ISD said it wasn't until May 18 that the evaluation process was completed. On June 5, the district notified 10 Maine residents of the data security incident, and more than 5,500 individuals were affected overall. Potentially accessed information included names, dates of birth, addresses and Social Security numbers.

Media reports from November of last year revealed that Pearland ISD alerted parents that attackers behind a "recent breach" might try to contact them. Contacting victims directly is a technique that ransomware groups commonly employ to increase the pressure on the victim organization to pay the ransom.

More recently, the Lebanon School District in New Hampshire disclosed a ransomware attack last week that initially struck the school system on June 15. It's unclear whether threat actors stole confidential data, as the investigation into the attack is ongoing. According to a report from Valley News, Lebanon's outgoing superintendent shut down payroll and other IT systems to limit the damage from the attack.

An attack against the San Luis Obispo County Office of Education in California on June 12 also caused significant disruptions. On June 22, The Tribune reported that the office forced all services offline once the breach was discovered. That led to payroll being handled by hand.

An investigation remains ongoing, and it is unclear what information or schools were affected; it appears that the agency serves 14 districts with students in grades K through 12. As of June 30, some features of the San Luis Obispo County Office of Education website were down. The 8base ransomware group, which NCC Group found to be the second-most active group in May, claimed responsibility for the attack.

In addition to education and municipalities, the technology sector was another theme in June. Three organizations confirmed attacks last month, including Reventics, based in Denver; Incredible Technologies, in California; and Heavy Hammer, based in Annapolis, Md. Like Pearland ISD, Reventics also took several months to issue data breach notifications.

Reventics bills itself as a "physician-focused clinical documentation improvement (CDI) and revenue cycle management (RCM) company." In a letter filed to the California Office of the Attorney General on June 5, Reventics revealed that it discovered a security incident on Dec. 15 where a threat actor "encrypted and potentially accessed information" stored on its servers. The letter said an investigation determined that data was accessed on Dec. 27, but the first alerts to customers were not sent out until March 1. Reventics did not file a data breach notification for California individuals until June.

However, the timeline was not the most significant part of the disclosure. The amount and sensitivity of potentially compromised data were alarming. Reventics revealed that information included names, dates of birth, medical record numbers, patient account numbers, driver's license and other government-issued ID numbers, healthcare provider's names and addresses, health plan names and IDs, diagnosis information, dates of services, treatment costs, prescription medications, and even the numeric codes used to identify services and procedures patients received from their healthcare providers.

Arielle Waldman is a Boston-based reporter covering enterprise security news.