Ransomware Attacks on Schools: The Latest Developments
Broward County Public Schools' Data Posted
In the latest development in a series of ransomware attacks against schools this year, the Conti gang followed through on an earlier threat and posted on its darknet website about 26,000 files that it says it stole from Florida's Broward County Public Schools district in March.
Broward County Public Schools, the sixth-largest district in the nation, with 271,000 students and a $4 billion annual budget, had refused to pay Conti a ransom.
The security firm Emsisoft has tracked 12 incidents involving U.S. public school districts so far this year, and eight schools have had their data published by the attackers. Several attacks have been revealed within the past month.
Doug Levin, president of the K-12 Cybersecurity Resource Center, says ransomware attacks on schools will continue and are even likely to increase as students and staff move back into the classroom.
"'When it rains, it pours,' as the saying goes. It has happened to Clark County [Las Vegas], Fairfax County [Virginia] and Toledo [Ohio], among others," he says.
The U.S. Department of Education lists the best practices districts should follow to mitigate cyberattack risks, including response training and password improvement.
The Broward County Attack
The initial Conti attack in Broward County involved exfiltrating data from, and then encrypting, the district's network. According to the transcript of the negotiation, Conti would supply a decryption key if the $40 million ransom demand was met, and if the district refused to pay, Conti would post the data it had stolen.
The gang said it posted almost 26,000 files on its "wall of shame" darknet website Monday in response to the district not meeting its ransom demand, according to the Sun-Sentinel newspaper. The gang had previously posted the transcript of the alleged negotiation in an attempt to put pressure on the district to pay the $40 million ransom.
An image of Conti's posting does not show any personal information. But the Sun-Sentinel reports the posting contains 750 employee mileage reports, 36 employee travel reimbursement forms, more than 700 invoices for spring water, more than 1,000 invoices for school construction work, about 400 payments to the Broward Sheriff's Office or local police departments for security, dozens of utility bills and several employee phone lists.
In addition, the posting contains some names of district employees and students on the uploaded forms, the Sun-Sentinel reports.
The district reported the attack took place on March 7, resulting in the disruption of some services as the IT staff attempted to remediate the issue and block the malware from spreading. The incident, which was made public on March 31, is being investigated by a cybersecurity company as well as law enforcement officials, the district says.
The district did not reply to Information Security Media Group's request for additional information.
A Long-Term Trend
In addition to at least 12 ransomware attacks on U.S. school districts so far this year, 58 districts were affected by ransomware attacks in 2020, Emsisoft says. In 22 of those cases, the attackers exfiltrated and published staff and student data. All but one of the 22 attacks took place in the second half of the year, Emsisoft says.
In March, the FBI issued an alert warning about an increase in the use of PYSA ransomware in attacks on schools.
PYSA, also known as Mespinoza, was used in attacks against schools in 12 states as well as in the U.K., the FBI says.
The attackers using PYSA tend to follow the pattern of entering a network, removing data, encrypting the system and then threatening to make the stolen data public if the ransom is not paid, according to the FBI.
Other Recent Targets
In another recent incident, Haverhill Public Schools in Massachusetts was struck by ransomware on April 7, forcing officials to shut down school operations for one day. The district's latest update on April 12 said the recovery process was continuing and could take up to two weeks. The district did not respond to a request for additional information.
On March 22, the Park Hill School District in Missouri was closed for two days following a ransomware attack that left some students stranded at bus stops when the district had to close before classes for the day began.
Park Hill has a page on its website dedicated to educating students, staff and parents to help prevent ransomware and other cyber incidents. The district also conducts training to spot phishing attacks.
On March 12, Buffalo (N.Y.) Public Schools reported its 31,000 students had to remain home for two days after the IT staff shut down the network to prevent the ransomware from spreading.