Ransomware Attacks Force School Districts to Shore Up—or Pay Up
A big problem was waiting for Matt Jensen, the superintendent of the Bigfork public schools, as he arrived to work on a Monday in November.
His 900-student Montana district was under a cyberattack. A self-replicating computer virus had eaten its way through most of the schools’ servers—including the student-information system—and encrypted huge amounts of data, making it inaccessible to Bigfork employees.
The perpetrators of the breach had also left a disconcerting message for Jensen’s IT director: They were demanding a ransom in exchange for a decryption key that would immediately unlock the data. The alternative to paying up would be to rebuild the district’s data systems from backups or, in a worst-case scenario, from scratch.
Experts have seen a spike in “ransomware” attacks across all sectors of the economy in recent years. Criminals have hit all types of organizations, public and private, including K-12 districts. Multiple strains of the computer virus exist, but most versions of such malware behave much like the type that infected the Bigfork network.
“Ransomware does not discriminate,” said Will Bales, a supervisory special agent in the FBI’s cyber division. “Whether it’s a big school district or a small school district, they have the same possibility of being hit.”
Once the virus has infected a network and scrambled every Word document, spreadsheet, and data file it finds, the people behind the attack will ask for a ransom in bitcoin, an untraceable virtual currency, in return for the decryption key.
But Jensen said he never even considered paying the cybercriminals: “We weren’t going to negotiate with them.”
Even if his district paid the ransom, he said, there would be no iron-clad assurances that the hackers would actually return access to the data. Paying, said Jensen, “would only empower a criminal group.”
‘A Business Decision’
Other ransomware victims haven’t had the luxury of taking Jensen’s hard-line approach. In many cases, the criminals’ ransom request is far smaller than the dollar value of the damage the malware has inflicted.
Some districts have been forced to weigh the ethics of paying a few thousand dollars to untrustworthy and anonymous criminals against surviving for weeks without access to lesson plans, learning software, or student records.
“Paying the ransom was not a philosophical decision, but a business decision,” said Charles Hucks, the executive technology director for South Carolina’s Horry County schools. “What’s it worth per day to not have access for our 43,200 students?”
After his district was critically hit by a ransomware attack last school year, Hucks immediately shut his servers down to stop the spread of the virus. He then urged his bosses, who oversee a half-billion-dollar yearly operating budget, to pay the nearly $10,000 ransom.
Even with the risk that the hackers would take the money and run—Hucks said officials “were horrified” the culprits wouldn’t follow through with a decryption key—the cost and time associated with laboriously rebuilding district networks from compromised backups outweighed all other considerations.
Law-enforcement agencies like the FBI generally discourage hacked organizations from paying ransoms. Special agent Bales agrees with Jensen that doing so only emboldens criminal enterprises.
But in practice, some experts and law-enforcement officials have conceded that acquiescing to the demands can, at times, be in an organization’s best financial interests.
Regardless of whether an organization decides to pay the ransom, Bales and the FBI want to hear from all ransomware victims to gather evidence. Cybercrimes can be reported to the FBI’s local field offices or its website, www.ic3.gov.
In some cases, the FBI or private industry has already found a “key” or antidote to a ransomware strain, and by reporting the attack, organizations have been able to easily recover their files.
But what if a school district, like Horry schools, can’t find a decryption key, and decides to pay the ransom?
“The criminals have an incentive to unlock the data” once they are paid, said Stephen Boyer, a co-founder of BitSight Technologies, a Cambridge, Mass.-based cybersecurity company. The criminals need a track record of victims’ getting their data back, he explained, or new targets will stop paying.
Preventing Future Attacks
That’s not to say that Boyer typically advises his clients to pay the ransom: “That’s a tough question that can only be taken on a case-by-case basis.”
Boyer also cited cases in which a ransom is paid and files are decrypted, but the malware remains in the system, allowing the hackers to come back weeks or months later.
The best defense, Boyer said, is to have strong backups in place, and have outside professionals reset the system and do a full incident report if a district network is compromised.
That was the course of action Jensen used in Montana’s Bigfork district. Bigfork’s network was backed up twice: one set of servers on-site, which was compromised in the attack, and another housed by an outside vendor, which was spared. It took Jensen’s technology team a week to restore all of the district’s systems from the off-site copy and ensure they were clean.
In South Carolina, the hackers of the Horry County district came through with a working decryption key soon after the ransom was paid. Hucks was able to get the “mission critical” functions of his servers—like the district’s student-information system—back up in days.
The ultimate damage to the school system was a two- to three-week disruption and $30,000 from its budget. In addition to the ransom, the district hired cybersecurity consultants to ensure the malware had been expunged and the criminals could not come back through the same weaknesses in the network.
The Horry County attack was widely publicized in the weeks following its resolution, and Hucks was invited to testify before Congress about the ransomware threat.
For both school districts, as is common in such cases, the crimes were reported but the perpetrators went undiscovered. Like other cybercrimes, ransomware attacks can be difficult to trace. They often originate overseas, sometimes in countries that do not have extradition treaties with the United States.
That’s why more districts should be focusing on preventive measures, said Boyer, the cybersecurity expert.
His firm compiled a report that sampled the IT infrastructure of thousands of organizations in the education, government, health-care, energy, retail, and finance sectors to gauge their exposure to ransomware. It found that educational institutions and companies had the highest rate of ransomware infection.
Small technology budgets, less emphasis on cybersecurity, and bring-your-own-device policies in schools make it harder to establish uniform firewalls and contribute to the challenges of protecting ed-tech infrastructure, Boyer said.
Bales, of the FBI, agreed that districts have a lot of ground to cover: “Faculty, students, every single person who is connected to a school network is a potential liability.”
Although some of the attacks are targeted, and higher education is more at risk than K-12 systems—universities tend to have larger networks and more financial wherewithal to pay ransom demands—Boyer’s team has found the attacks are usually “more opportunistic than targeted.”
That means that rather than singling out victims, hackers might blast out thousands of emails with compromised links or attachments to thousands of organizations. That process, called “phishing,” allows hackers to prey on groups with the weakest controls and requires only a small proportion of the emails’ recipients to fall for the trap.
For hackers, “even a one percent rate can be very lucrative,” said Boyer.
The relatively small individual ransom payments add up quickly, he explained, and in addition to making it more likely that a targeted group will pay, small sums tend to draw less attention and resources from law enforcement.
The good news for harried school district technology chiefs? Reducing exposure to ransomware attacks is relatively straightforward. (See box, this page.)
“It’s not cutting-edge,” Boyer said of the standard preventive measures. “If you are doing the basic blocking and tackling of network security, your risk goes way down.”