California Schools Face Rising Ransomware Threats
Sixth-grade teacher Hilary Hall had just started teaching one Monday morning in September when her teacherâs group chats at Newhall School District exploded with confused messages. Teachers in the Santa Clarita school district â located just north of Los Angeles â were panicking.
While Hall had no issues logging onto her computer from home, many of her colleagues, connected to the school districtâs server, were met with a mysterious pop-up message.
It said users wouldnât be able to log into the server.
People turned to Hall, co-president of the districtâs teacherâs union, for information, but she didnât know what was going on, either.
A few minutes later, an answer arrived via phone call from each gradeâs head teacher: The school district, all 10 schools representing under 6,000 children, had been hit with a ransomware attack. All teachers were instructed to log off immediately.
âRead a book!â Hall told the kids in her class, trying to think of educational activities on the spot as she quickly logged off.
Experts interviewed by CalMatters â including researchers, cybersecurity companies, IT employees and the FBI â all agree the number of cyberattacks has increased over the pandemic. Many believe the number of attacks on the education sector has also increased, but itâs an area so new to cybercrime that thereâs virtually no comprehensive data on it.
California schools, colleges and universities have scrambled to adjust. In the past five years, more than two dozen California school systems have been targeted, from Rialto Unified School District in San Bernardino to Stanford Universityâs School of Medicine.
Prior to the ransomware attack last September, Newhall had implemented what experts consider common sense security measures like internal firewalls to prevent malicious software from affecting entire systems. A few times a year, the IT department even sent students and employees fake âphishingâ emails â deceptive emails enticing users to click on malicious links or reveal sensitive information â to see if they would click on suspicious links that could compromise their networks.
But none of these efforts stopped cybercriminals from attacking the districtâs computer systems and rendering over 6,000 elementary school students and teachers without normal school for a week.
âWhen we heard that it was ransomware, it was almost like, âAre we in a movie?â Like, what in the world?â Hall said.
How Ransomware Attacks Work
Ransomware attacks use a specific type of malicious software to encrypt files on computers connected to the Internet, essentially locking out organizations from accessing their files. The cybercriminals then demand a ransom to decrypt the files.
Sometimes, these attacks are âdouble-pronged,â meaning the criminals will threaten to sell (or when thereâs potential for blackmail, release) sensitive information in order to provide an extra incentive for fast payment. Coveware, a well-known Connecticut-based ransomware recovery firm, found that 77% of ransomware attacks threatened to leak data in the first quarter of 2021.
Emsisoft, a New Zealand-based software company, expects these data theft attacks to double in 2021, with cybercriminals finding more ways to make stolen data useful in extracting a ransom.
The FBIâs Internet Crime Complaint Center, which tracks complaints of cybercrimes (not just ransomware), said it received 791,790 complaints in 2020, a 165% increase from 2016. The complaints only reflect crimes reported to the FBI, so the actual number in any given year is larger.
And as COVID-19 forced many organizations, from schools to huge corporations, to move even more of their systems online, cybercrime increased, said Ronald Manuel, a supervisor on the FBIâs Los Angeles cyber task force.
Schools and universities confronted an unprecedented increase in attacks.
In 2020, cybercriminals attacks affected at least 1,681 schools and universities across the country, according to research by Emsisoft. In 2019, only 89 were attacked with ransomware, although over 1,000 more were potentially affected. These numbers represent a minimum of ransomware attacks, Emsisoft said â there are no federal reporting requirements.
Seculore Solutions, a software company based in Maryland, has recorded 122 cyberattacks in California across the public safety, government, medical and education sectors since 2016. At least 26 of those cyberattacks have targeted California school districts, colleges and universities, including the University of California, Sierra College, College of the Desert and Visalia Unified School District.
If the data on cyberattacks seems sketchy and incomplete, thatâs because it is. Nick Merrill, a cybersecurity researcher at UC Berkeley, said he doesnât know of an archive for cyber attacks in California. âBut if you find one, please let me know,â he wrote in an email to CalMatters.
While itâs ultimately a mystery how ransomware crews pick their specific targets, the education sector is vulnerable for a few reasons, according to multiple experts. Tight budgets prevent them from having the resources to stop cyberattacks. Unique characteristics â like an open WiFi network â make schools particularly vulnerable. And they are also dependent on their online systems: They wouldnât be able to function without grading systems or other file-sharing software.
âTheyâre essentially low-hanging fruit,â said Andrew Brandt, a malware researcher with SophosLabs.
Schools could also be a quick and easy payout for âransomware crewsâ who make a living off of these attacks, Merrill said. Experts believe that many of these cybercriminals are located in Russia or the former USSR, where ransomware is a lucrative business in an otherwise depressed economy.
âThere are a lot of them, so you can keep hitting these (schools and colleges) all across the U.S., all across maybe even the world, and you can get a pretty consistent payout every time,â Merrill said.
But while ransomware attacks are increasing in schools across California and the country, key players are struggling to play catch-up. School administrators, experts and government officials are having different conversations, if any at all.
Do you pay ransomware attackers or not?
The week of the ransomware attack at Newhall School District, teachers uploaded videos to the school districtâs website as a form of makeshift online school. All students in the district watched the same videos. Hall said some of her students felt that week was âa bit of a waste,â because the lesson plans were so generic. She said teachers felt guilty about âleaving our kids stranded without our support.â
Meanwhile, the districtâs four person IT department was working overtime. The districtâs 310 teachers were at a standstill until the systems were online and ransomware-free.
Experts believe that many of these cybercriminals are located in Russia or the former USSR, where ransomware is a lucrative business in an otherwise depressed economy.
Luckily, the district had purchased cyber insurance a few years back. Its insurer â Alliance of Schools for Cooperative Insurance Programs â contracted with Alvaka, an advanced network services and security company, to help retrieve files, according to one Newhall administrator. District officials would not say if they paid the ransom or not. Doing so would be considered controversial; The FBI advises against paying ransoms.
But Superintendent Jeff Pelzel did say teachersâ intellectual property â their lesson plans â were taken into consideration.
âOf course, the FBI doesnât want anyone to pay anything for the ransom,â Pelzel said. But if you put a dollar value on the time it takes to make lesson plans, some of which have been developed over a decade, it can become difficult to decide whether to pay or not. âIt would be devastating for staff,â he said.
By the next week, students and teachers were able to access their online classrooms again. Within a few months, most of the districtâs other programs and servers were running.
Newhall has since upped its cybersecurity efforts: more frequent phishing exercises, required cybersecurity training for every employee, more operations in the cloud, and two-factor authentication for administrators, among other measures.
Ransomware protocols for schools still evolving
A couple of months after the ransomware attack, Newhall applied for an exemption from the California Department of Education to add days onto the end of the school year. These are typically granted for school shootings, wildfires and other emergencies where students had missed days of quality instruction from school.
But the department initially denied Newhallâs request, only to reverse itself about half a year later. Cyberattacks did not meet the stateâs criteria and it took months of advocacy from Pelzel to reverse the decision.
Pelzel has said the federal government should fund cybersecurity for all school districts. He also called for a crisis manual for ransomware attacks, similar to crisis procedures for active shooters and earthquakes.
âIn general, we live in a society where governments are reactive rather than proactive,â Walters, president of Newhallâs school board, said. âIt takes usually some sort of disaster for people to take a hard look at what needs to be improved. California is frankly, behind â¦ but eventually (it shows) a history of catching up.â
Trade organizations â including the California School Boards Association and Association of California School Administrators â donât offer cybersecurity resources or guidance and directed CalMatters to the California Department of Education.
But the department started working on cybersecurity for schools just recently.
Mary Nicely, the departmentâs point person for cybersecurity efforts, said she was tasked with working on cybersecurity just a few weeks ago, although the departmentâs data management team had previously provided resources to help schools understand digital literacy.
âWe canât say, âHey, everybody put your money into cybersecurity or allocate this much of your budget to that,ââ Nicely said. âThose are individual decisions of the school districts. I think we should be giving more guidance in that area. I donât think (the California Department of Education) has done that in the past.â
Copyright 2021 KQED