Those numbers, while alarming, might be low. Antivirus maker Emsisoft released a similar report. They claimed to have identified 62 ransomware incidents impacting more than 1,000 schools and higher education institutions over the same time period.
Ransomware Attacks are Getting Worse
A recent report by BakerHostetler, a national law firm with considerable expertise representing firms hit by ransomware attacks, has also warned of a sharp increase in school district attacks. What makes the recent ransomware attacks particularly alarming is the increase in intensity and costs. In previous years, a ransomware attack might have hit one or two devices in an organization. More recent attacks have hit dozens or hundreds of devices simultaneously, effectively shutting down all of the organization’s operations. The amount of money demanded has also gone up. While the average ransom paid during the last few years was less than $50,000, recent ransomware attacks have demanded payment in the hundreds of thousands, or even millions, of dollars. For example, Rockville Centre School District in New York had to pay nearly $100,000 after ransomware shut down its network in August, according to CBS Channel 2 News.
Other examples include:
• Hackers shut down Crowder College in Neosho, Missouri, demanding 1.6 million dollars. The college did not pay, and as a result, students went for months without Wi-Fi in dorms, use of their computer labs, access to emails and more.
• Louisiana public schools have been hit by a number of ransomware attacks, causing Governor John Bel Edwards to declare a state of emergency in July, and again in November.
• Moses Lake School District, which encompasses 16 schools in Washington state, was hit with a ransomware demand for $1,000,000. Rather than paying, they restored servers from backups, but lost about five months of data.
• As we reported in an earlier blog post, the Leominster Public School district not only paid $10,000 to decrypt files after a ransomware attack, but it then had to spend more than $400,000 to update their system to ensure it couldn’t happen again.
Of all the recent school ransomware attacks, approximately one third have been caused by the Ryuk ransomware, one of today’s most active ransomware strains. Ryuk was created by the Russian eCrime group WIZARD SPIDER, which has successfully extorted millions of dollars (payable via Bitcoin) since Ryuk was first introduced in September 2018.
There seems to be little geographic commonality for these attacks, as Ryuk ransomware attacks have hit schools in Missouri, Pennsylvania, Ohio, Nebraska, Florida, Illinois, Georgia, Oklahoma, Virginia and Washington. None have been targeted at schools in Connecticut, although that state has the dubious honor of suffering the most school ransomware attacks with 104 schools being hit.
Why Are Schools Being Targeted by Ransomware Attacks?
Schools may seem like an odd choice for these cyberattacks, as many are already struggling with meeting their budgets. But as cybersecurity company Blue Bastion explains, their tight budgets actually work against them, since that also means many institutions have limited funds for IT staff and infrastructure. Most primary schools, junior high schools and high schools typically focus their IT budgets on equipment for faculty, equipment for student labs, and basic networking—and not cybersecurity.
Secondly, many educational institutions must satisfy many different users including faculty, staff, labs, student Wi-Fi access and so on. This not only leaves security holes that can be easily exploited, but because computer access is so important to so many different subgroups, schools need to resolve problems quickly or face widespread disruption.
What Options Do You Have?
Organizations hit by a ransomware attack have only three options:
• Restore systems from available backups. This is the least costly approach, but is only viable if backups are routinely kept, and if they were encrypted (and so not affected by the attack).
• Pay the ransom to obtain a decryption tool (and hope the hacker fulfills his or her side of the bargain).
• Continue operations without using any of the encrypted data—an option that is not always feasible and, at best, creates significant and long-lasting issues that cannot easily be resolved.
What You Should Do Now
The most important thing you need to do … is not to sit on your hands doing nothing. If you’re not backing up your data, you need to start immediately. If everyone with computer access is not following best practices for security, you need to educate them. At DYOPATH, we help many organizations prepare for such problems, such as creating the secure infrastructure and developing the response processes for when an attack happens. From security solutions to consulting services we can help you stay safe and prepared.