Oct 17 2022

Held for Ransom: What Schools Need to Know Before a Ransomware Attack

Ransomware is targeting K–12 districts across the country. Here’s what IT leaders should prepare for in the event of an attack.

For the past two years, ransomware attacks have been on the rise in K–12, and districts are struggling to keep up. Ransomware can be debilitating to districts and can impact the availability of services to educate students. Ransomware encrypts targeted systems, rendering files and applications useless. Having encrypted a district’s data, cybercriminals demand a ransom to decrypt the files. In the past, that would have been the end of the attack. The school could choose to pay and retrieve the data or not.

Now, K–12 institutions have better backup and recovery mechanisms in place. It takes less time to recover from an attack than in years past — what might have taken months or years to achieve is now possible in weeks, days or even hours. As a result, institutions don’t feel compelled to pay ransom because they can restore the encrypted data themselves.

Ransomware threat actors are evolving in response to this and have become more deliberate in their attacks. In the past, threat actors would “spray and pray” against all manner of organizations, hoping some would pay the ransom. Today, ransomware has evolved to create a double extortion for afflicted districts: After achieving domain admin within the environment and finding the “crown jewels,” attackers will exfiltrate the data and then encrypt. Encryption is the final step in a prolonged compromise.


This creates a predicament for schools because the data may contain extremely sensitive information. Schools store staff and student addresses as well as other personally identifiable information that they have a responsibility to protect. The release of this information could put students at risk and potentially expose districts to lawsuits and penalties.

Should School Districts Pay the Ransom in a Ransomware Attack?

Unfortunately, there’s no simple answer to whether schools should pay up in response to a ransomware attack.

The decision to pay is usually determined by a district’s cybersecurity insurance and legal counsel. When a district is hit with an attack, the insurance company will often provide legal support and coaches who work with the school as they make any required breach notifications. Then, the insurer will determine whether the district should pay the ransom. This calculus depends on the nature of the data exfiltrated and encrypted, whether the threat actor is a sanctioned entity, and more.

There is no guarantee for schools that the data will be released even if they pay. Threat actors differ in how they handle the return of data after a breach. However, ransomware is a trust-based economy. If a district pays and the criminals don’t decrypt the files, they’re less likely to be paid by the next target.

Schools should be aware that returned or decrypted files may be corrupted. So, even if a district gets its files back, there may be missing or inaccessible information.

Click the banner to explore incident response resources from the experts at CDW.

How Can Schools Avoid Paying a Ransom for Their Data?

The best protection against ransomware is a combined approach. Schools should consider prevention, detection and response controls — a mix of security tools backed by policies and procedures. Schools should have good preventive measures at endpoints and the perimeter, as well as strong identity management within their IT environment.

Detection and logging can help schools identify a breach before files are exfiltrated and fully encrypted. If compromise is detected, IT admins can isolate the incident before it becomes a full-blown ransomware attack. Districts with limited resources and IT staff should consider engaging a Security Operations Center as a Service for continuous monitoring.

An incident response plan and playbooks will help IT teams and admins react to potential attacks without panicking. A proper IR plan with threat-specific playbooks, printed and accessible, can speed up response and help the IT team work through incidents effectively and efficiently.

Tabletop exercises conducted with the technology team, superintendents and school principals will ensure everyone is on the same page. It’s important to include school administrators in incident response because they’re the ones who will work with the lawyers and insurance companies to make the critical decisions about ransom requests.

This article is part of the “ConnectIT: Bridging the Gap Between Education and Technology” series. Please join the discussion on Twitter by using the #ConnectIT hashtag.

[title]Connect IT: Bridging the Gap Between Education and Technology

Oleksii Syrotkin/Stocksy

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT