Ransomware attacks on education sector spike in August

While data breach notifications for MoveIt Transfer customers continued to rise, August also saw ransomware ramp up against schools and universities as classes resumed.

Ransomware rocked the education sector and caused delays at some institutions as the school year kicked off last month.

TechTarget Editorial's ransomware database, which consists of publicly confirmed or disclosed U.S. attacks, tracked 28 attacks last month, eight of which were against the education sector. While some schools were able to remediate attacks in time for the students' first day, others were unable to solve network issues when classes resumed.

Attacks spanned K-12 schools and universities and were consistent with ransomware gang behavior. Operators increasingly targeted the sector in June prior to the school year wrapping up for the summer. Despite data indicating that the majority of schools don't give in to ransom demands, attacks have typically increased as classes resume in August and September.

On Aug. 28, four days after the official first day of school, the Chambersburg Area School District in Pennsylvania was forced to close due to computer systems being down. In a message to its Facebook page, the school district, which serves more than 9,000 students, said it was working with third-party forensic specialists to investigate the disruption as schools remained closed. Students returned on Aug. 31 with a two-hour delayed start and no internet access.

"As a result of the diligent efforts of our technology staff and third-party forensic specialists the district is confident that classes can safely resume [on Sept. 1]," the Chambersburg Area School District wrote on Facebook.

Following the disruption, ABC27 reported that parents were upset with Chambersburg's lack of transparency about the incident. Last Thursday, school administrators released a statement confirming that a ransomware attack was to blame for the network disruption, though it's unclear if the attackers stole any sensitive data.

On Aug. 27, the University of Michigan announced it experienced an internet disruption due to a "technology issue." The following day, the university acknowledged how difficult the timing of the disruption was, as the fall school year resumed on Aug. 28. While the campus remained open and classes resumed, financial aid funds were delayed, and campus internet remained down. The disruption also affected certain systems including the M-Pathways student administration system, eResearch, and the Donor and Alumni Relationship tool.

The school announced that internet and Wi-Fi were restored on Aug. 30 and attributed the disruptions to a "security issue," though it did not confirm that a ransomware attack had occurred.

"We expect some issues with select U-M systems and services in the short term, and not all of our remediation efforts are complete," the University of Michigan wrote. "The investigative work into the security issue continues, and we are not able to share any information that might compromise the investigation."

Prince George's County Public Schools (PGCPS) in Maryland fell victim to a cyber attack on Aug. 14, for which the Rhysida ransomware group later claimed responsibility. In a statement on Aug. 18 to ABC7, Andrew Zuckerman, chief information and technology officer for PGCPS, said the attack affected 4,500 users whose accounts were accessed and compromised. More than 100,000 students attend the public school system. As of Aug. 18, an investigation was ongoing, and the school system was working to restore services. Zuckerman told ABC7 they initiated a districtwide password reset as well.

In a statement on Sept. 1, PGCPS Superintendent Millard House confirmed that a ransomware attack was to blame and warned that it could lead to "unauthorized disclosure of personal information of PGCPS users."

Last month, Bunker Hill Community College in Massachusetts confirmed that it suffered a ransomware attack at the end of the 2023 spring semester in May that affected "a limited number" of the school's systems. The Boston-based college posted a data breach notification to its website on Aug. 18. While the investigation with law enforcement is ongoing, potentially affected information includes students' names, dates of birth, addresses, Social Security numbers and education records.

Healthcare organizations, MoveIt Transfer customers

While ransomware groups targeted schools last month, one of the most destructive attacks occurred against California-based Prospect Medical Holdings on Aug. 3. The attack caused a systemwide outage and forced the medical group to take systems offline. More alarmingly, it caused downtime at some hospitals. Prospect Medical Holdings owns 16 hospitals with 11,000 affiliated physicians and 18,000 employees.

On Aug. 3, CharterCare Health Partners, a Rhode Island affiliate of Prospect Medical Holdings, announced that the attack affected inpatient and outpatient operations at Our Lady of Fatima Hospital and Roger Williams Medical Center. In a message to its Facebook page, CharterCare said it was in the process of "reevaluating our downtime capabilities" and rescheduling some appointments. CharterCare also had to resort to using paper patient records since the electronic medical record system was down.

Another affiliate, Eastern Connecticut Health Network, was forced to set up a temporary phone system for patients to contact their providers. On Aug. 24, CharterCare confirmed that its systems were back online, but that might not have extended to all hospitals.

As of Aug. 31, a banner across Prospect Medical Holdings' website said it was "experiencing a systemwide outage." As with the attack on Prince George's County Public Schools, the Rhysida ransomware group claimed responsibility for the attack against Prospect Medical Holdings.

Disclosures continued to emerge from customers of Progress Software's MoveIt Transfer product following a widespread attack campaign that began in May when the Clop ransomware gang exploited a zero-day vulnerability. While the numbers aren't included in TechTarget's ransomware database because they don't involve encryption, TechTarget Editorial separately tracked 38 public disclosures filed to the offices of state attorneys general in August. One notable MoveIt Transfer victim was the Colorado Department of Health Care Policy and Financing, which said the Clop ransomware attack affected more than 4 million people.

Flashpoint's "Cyber Threat Intelligence Index: 2023 Midyear Edition" revealed that as of Aug. 9, there were more than 650 MoveIt victims. The number is based on posts to Clop's public data leak site along with data from Flashpoint's Cyber Risk Analytics platform. The 650 victims include companies that were directly attacked as well as third-party victims that had data stored within vulnerable MoveIt Transfer systems, according to the report.

Arielle Waldman is a Boston-based reporter covering enterprise security news.
