The K-12 education sector has long been a target for cybercriminals, but this year has seen the sector targeted more aggressively by threat actors. 2020 has seen a major increase in attacks involving ransomware and malware. Phishing incidents have risen, as have network compromises and distributed denial-of-service (DDoS) attacks.
This December, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a warning to the education sector after the massive increase in cyberattacks was identified.
Data from the Multi-State Information Sharing and Analysis Center (MS-ISAC) shows a substantial increase in ransomware attacks on K-12 schools. In August and September 2020, 57% of all reported ransomware attacks occurred at K-12 schools, compared to just 28% in the period from the start of the year to July.
Ransomware attacks render essential systems and data inaccessible, which can cause serious disruption to learning, especially at a time when many schools have transitioned to distance learning. K-12 schools often have little choice other than paying the ransom, and many do. Figures from the Department of Education show that between 2016 and 2017, 60% of schools attacked with ransomware paid the ransom to recover their data. A recent Department of Education alert to K-12 schools called for a collective effort to ensure that all data is regularly backed up and advised schools not to pay the ransom demands if attacked. The DoE wants to send a message to ransomware gangs that attacks on the education sector are not financially viable.
The tactics used in ransomware attacks on K-12 schools are similar to those used to attack business and industry targets. Access to networks is gained, the attackers move laterally to identify data of interest, and exfiltrate that data prior to encrypting files. The attackers threaten to publish or sell sensitive student and employee data if the ransom is not paid.
Several ransomware gangs have stepped up attacks on K-12 schools, including REvil, Nefilim, Ryuk, and AKO. The Maze ransomware operation, which has now been shut down, also conducted several attacks on K-12 schools in 2020.
The CISA/FBI alert also warned of an increase in Trojan malware and phishing attacks on K-12 schools since the start of the school year. The ZeuS banking Trojan has been commonly used in K-12 school cyberattacks and the Shlayer malware downloader has also proven popular. Those two Trojans account for 69% of malware attacks on K-12 schools in 2020.
The increase in attacks in 2020 has been attributed to the ease with which K-12 schools can be attacked. Many K-12 schools have transitioned to distance learning and have had to do so in a hurry to ensure student learning was not disrupted by the pandemic; however, that has meant cybersecurity gaps have been created which leave schools vulnerable to attack.
In addition to conducting phishing attacks on staff and students, attackers commonly exploit vulnerabilities in software and remote learning solutions. Since the sector has a limited budget for cybersecurity, these vulnerabilities often persist for some time before being addressed, giving cybercriminals an easy entry point into K-12 school networks. It is also common for software to continue to be used after it has reached end of life.
The K-12 Cybersecurity Act of 2019 has been introduced, which requires CISA to work with federal departments and the private sector to identify sector-specific cybersecurity risks and make recommendations to K-12 schools on how they can improve their security posture. The Act also calls for CISA to make tools and resources available to help the sector improve cybersecurity; however, the legislation is yet to be passed by Congress.
These cyberattacks on K-12 schools are likely to continue at elevated levels well into 2021. While budgets may already be stretched, it is important for defenses to be improved. The cost of improvements to cybersecurity defenses is likely to be far lower than the cost of dealing with a ransomware attack and costly data breach.