Aug 27 2020

How to Protect School Systems from Ransomware Attacks

Ransomware attacks have increased in volume and speed, and their impact has become much more significant as many schools continue online instruction.

The first day of classes at Ponca City Public Schools in Oklahoma was set to start last Wednesday. Then they had a change of plans: A ransomware attack hit the school district’s servers the weekend before, pushing them to delay their opening to August 24.

The district’s learning management system, PowerSchool, suffered the attack. While no student, personnel or financial information was compromised, all their data was encrypted by the ransomware, says Superintendent Shelley Arrott in a video announcement.

Ransomware attacks continue to plague K–12 schools nationwide, and they’re not slowing down anytime soon. Since 2019, more than 1,000 educational institutions have fallen victim to ransomware, according to a report by security firm Armor. With most schools implementing some form of online instruction this school year, these attacks have only increased in volume and speed, and their impact is much more significant.

Fortunately, files were backed up on an offline external server at PCPS. The district was able to get PowerSchool back up and running fairly quickly, but they still had lost files to rebuild and restore, including 200 high school schedules, which could take weeks to complete.

“It’s not fair to our kids if we have a haphazard start,” Arrott says about their decision to delay the start of school. “PowerSchool determines our schedules, provides parent information to us. It’s going to be a challenging year as is with COVID-19.”

Ransomware Explained: How It Works

Ransomware is a type of malware that cybercriminals use to extort money from their victims. Essentially, it encrypts a user’s systems and data, which prevents them from accessing their files until they pay a ransom in virtual currency to get a decryption key.

WATCH: Find out more about ransomware characteristics and evasion techniques attackers are using.

School districts, in particular, are easier targets for ransomware because they have systems that people need to access to do their daily work, says Amy McLaughlin, cybersecurity project director for the Consortium for School Networking. “If you can lock those systems up and lock people out, that makes you a valuable target because attackers know you’ve got to get your stuff running,” she says.

But how does ransomware spread? It generally starts with phishing emails containing malware-embedded attachments, explains Mikela Lea, principal field solution architect at CDW. If a user opens a malicious attachment, the malware is installed; it only takes one click for a device to get infected.

Cybercriminals also use social engineering, such as a fake password reset email, to trick users into installing malicious software, Lea explains. Besides phishing campaigns, attackers are also exploiting Remote Desktop Protocol and Server Message Block vulnerabilities.

READ MORE: These email safety practices can help schools secure sensitive information.

Once a school district is hit by ransomware, the consequences are grave. It takes an average of 10 days for schools infected with ransomware to restore their systems, not including the time needed for full recovery and investigation, Lea says.

Moving to a remote environment has exposed schools to greater risk. For example, more students and teachers are using cloud storage applications like Google Drive and Dropbox to upload and share documents, making it easier for malware to spread, says Stephen Manley, chief technologist at Druva, a data protection and management company.

“It’s a really strong attack vector for ransomware,” Manley says. “Someone might put something into a shared drive, and everybody would simply trust it because they’re part of the same team or class. But then, when they open that document, it might be infected with ransomware, and it could spread throughout their system.”

Amy McLaughlin, CoSN
If you can lock those systems up and lock people out, that makes you a valuable target because attackers know you’ve got to get your stuff running."

Amy McLaughlin Cybersecurity Project Director, Consortium for School Networking (CoSN)

Gerald Beuchelt, CISO at LogMeIn, says the impact of ransomware attacks on schools is even more serious today because they’re more reliant on digital tools and IT. “Any kind of disruption to their systems or the systems students use to access information or participate in conference calls would really result in them not being able to deliver education,” he says.

Manley adds that ransomware attackers today are not only encrypting data but also copying it and threatening to post it publicly. It’s a big concern for many schools, especially those recording online classes for students who are unable to participate. “That’s a lot of student interactions — potentially personal information shared during those classes,” he says. “If that data gets pulled by ransomware attackers, the fact that they encrypted it and you can’t get it back is bad. But the fact that they have private information about all of those students is much, much worse, especially if they post it.”

DISCOVER: Learn how to protect data in a shifting security landscape.

5 Tips for Protecting Online Classrooms from Ransomware Attacks

Unfortunately, some school districts still haven’t elevated their concern for ransomware attacks, Manley says. So, what steps can they take now to change that mindset? What can they do to protect students, teachers and the rest of the school community from growing threats in this new learning environment? Here are a few best practices to consider:

  1. Backup your data. It’s important for schools to assume bad things will happen, even if they think it won’t happen to their school, Manley says. That’s why having backups is crucial — it’s better to be safe than sorry. He suggests storing backups offsite so they don’t get infected if a ransomware attack hits a school’s environment.

  2. Implement a strong identity management strategy. Schools can no longer just rely on traditional firewalls and virtual private networks, Beuchelt says. They need to start treating identity as a key element for protecting their perimeter. “The perimeter around your resources is really no longer that big wall that you put on your network to make sure everyone is protected,” he says. “Instead, it’s the proper identity management of users, which includes proper lifecycle management, authorization and authentication.”

  3. Consider automation. Automating systems can also help IT teams save time while staying ahead of detecting and preventing cyberthreats, especially if the data can live anywhere. “If someone on your IT team is babysitting the protection every day, it’s not going to work,” Manley says. “You’re going to have parents and students with access issues and teachers wanting to try new applications and new tools. So, as an IT team, you’re going to be losing all the time.”

  4. Scan and wipe. Manley encourages IT teams to use software to scan for personally identifiable information. This will flag sensitive and high-risk information, such as social security numbers and health records, to ensure that data is in the most secure place. IT teams should also consider tools that can identify misconfigurations and vulnerabilities. Finally, as more school districts distribute devices to students, they’ll need remote wipe, a capability that comes with mobile device management solutions. Remote wipe can track where devices are and erase data on those devices remotely if they are stolen or lost.

  5. Have the basics covered. “It’s often the basics where things fall apart,” Beuchelt says. At the very least, schools patch against classic vulnerabilities. They should also configure their systems and devices properly to prevent an attacker or automated malware from escalating privileges and causing harm to their environment, he says. Cybersecurity education is also crucial, especially with students and teachers using school-issued devices from home and accessing software and applications outside the school’s network. Additionally, encrypting sensitive data should be standard because it prevents unauthorized users or bad actors from accessing that information, Manley says.

“Getting the basics right is absolutely critical,” Manley says. “You can have all of that brilliant stuff on the back end, but if somebody leaves the front door wide open, it’s not much.”

MORE ON EDTECH: How can administrators and IT leaders get on the same page about security?

paitoonpati/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT