Ransomware attacks on education sector spike in August

Ransomware rocked the education sector and caused delays at some institutions as the school year kicked off last month.

TechTarget Editorial's ransomware database, which consists of publicly confirmed or disclosed U.S. attacks, tracked 28 attacks last month, eight of which were against the education sector. While some schools were able to remediate attacks in time for the students' first day, others were unable to solve network issues when classes resumed.

Attacks spanned K-12 schools and universities and were consistent with ransomware gang behavior. Operators increasingly targeted the sector in June prior to the school year wrapping up for the summer. Despite data indicating that the majority of schools don't give in to ransom demands, attacks have typically increased as classes resume in August and September.

On Aug. 28, four days after the official first day of school, the Chambersburg Area School District in Pennsylvania was forced to close due to computer systems being down. In a message to its Facebook page, the school district, which serves more than 9,000 students, said it was working with third-party forensic specialists to investigate the disruption as schools remained closed. Students returned on Aug. 31 with a two-hour delayed start and no internet access.

"As a result of the diligent efforts of our technology staff and third-party forensic specialists the district is confident that classes can safely resume [on Sept. 1]," the Chambersburg Area School District wrote on Facebook.

Following the disruption, ABC27 reported that parents were upset with Chambersburg's lack of transparency about the incident. Last Thursday, school administrators released a statement confirming that a ransomware attack was to blame for the network disruption, though it's unclear if the attackers stole any sensitive data.

On Aug. 27, the University of Michigan announced it experienced an internet disruption due to a "technology issue." The following day, the university acknowledged how difficult the timing of the disruption was, as the fall school year resumed on Aug. 28. While the campus remained open and classes resumed, financial aid funds were delayed, and campus internet remained down. The disruption also affected certain systems including the M-Pathways student administration system, eResearch, and the Donor and Alumni Relationship tool.

The school announced that internet and Wi-Fi were restored on Aug. 30 and attributed the disruptions to a "security issue," though it did not confirm that a ransomware attack had occurred.

"We expect some issues with select U-M systems and services in the short term, and not all of our remediation efforts are complete," the University of Michigan wrote. "The investigative work into the security issue continues, and we are not able to share any information that might compromise the investigation."

Prince George's County Public Schools (PGCPS) in Maryland fell victim to a cyber attack on Aug. 14, for which the Rhysida ransomware group later claimed responsibility. In a statement on Aug. 18 to ABC7, Andrew Zuckerman, chief information and technology officer for PGCPS, said the attack affected 4,500 users whose accounts were accessed and compromised. More than 100,000 students attend the public school system. As of Aug. 18, an investigation was ongoing, and the school system was working to restore services. Zuckerman told ABC7 they initiated a districtwide password reset as well.

In a statement on Sept. 1, PGCPS Superintendent Millard House confirmed that a ransomware attack was to blame and warned that it could lead to "unauthorized disclosure of personal information of PGCPS users."

Last month, Bunker Hill Community College in Massachusetts confirmed that it suffered a ransomware attack at the end of the 2023 spring semester in May that affected "a limited number" of the school's systems. The Boston-based college posted a data breach notification to its website on Aug. 18. While the investigation with law enforcement is ongoing, potentially affected information includes students' names, dates of birth, addresses, Social Security numbers and education records.