Data Security & Remote Learning

K–12 Has Become the Most Targeted Segment for Ransomware

Malicious actors have disrupted remote learning by targeting school systems in their ransomware, malware and DDoS attacks.

• By David Nagel
• 12/11/20

The FBI and other federal security agencies released a joint report that revealed an unsettling statistic for the 2020–2021 school year: the K–12 education segment has become not only the No. 1 target for ransomware since back-to-school, but it also makes up the majority of all ransomware attacks.

According to the report, 57 percent of all reported ransomware attacks in August and September were targeted at K–12, with actors exploiting the move to remote learning to cause disruptions. That’s up from 28 percent for the period from January through July.

Ransomware is a form of malware in which the attacker gains access to the victim’s computer systems and then holds the victim’s systems and/or data for ransom. Perpetrators demand money on the threat of disabling computer systems that they’ve gained control over or releasing personal data they’ve stolen (generally private student data in the case of K–12 incidents).

The report, released Dec. 10, was created in a collaboration between the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

“The FBI, CISA, and MS-ISAC have received numerous reports of ransomware attacks against K-12 educational institutions. In these attacks, malicious cyber actors target school computer systems, slowing access, and — in some instances — rendering the systems inaccessible for basic functions, including distance learning. Adopting tactics previously leveraged against business and industry, ransomware actors have also stolen — and threatened to leak — confidential student data to the public unless institutions pay a ransom.”

According to the report: “The five most common ransomware variants identified in incidents targeting K-12 schools between January and September 2020 — based on open source information as well as victim and third-party incident reports made to MS-ISAC — are Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil.”

The FBI does not recommend paying ransoms. According to the report: “Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, regardless of whether your organization decided to pay the ransom, the FBI urges you to report ransomware incidents to your local FBI field office. Doing so provides the FBI with the critical information they need to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under US law.”

Ransomware isn’t the only bad news for K–12.

• The K–12 segment has also been targeted for distributed denial-of-service attacks (DDoS), including third-parties providing support for remote learning.

• There have been disruptions of videoconferencing sessions, including distance learning sessions, in which attackers join and disrupt classes by harassing, sharing images that are inappropriate for a classroom or even dox members of the audience (revealing sensitive information about them publicly). The report did not quantify these incidents.

• Other forms of malware have also impacted the K–12 segment. The most popular forms of malware used against K–12 institutions this year have included Shayler (39 percent of all malware used against K–12) and ZeUs (22 percent). Shayler, the most widespread, is the only malware in the top 10 that targets macOS. The report describes it as follows: Trojan downloader and dropper for MacOS malware.It is primarily distributed through malicious websites, hijacked domains, and malicious advertising posing as a fake Adobe Flash updater.” The rest of the malware on the list target Windows operating systems.

The report offers several recommendations for network and security staff, as well as end users.

Network Best Practices (bullet points verbatim from report):

• Patch operating systems, software, and firmware as soon as manufacturers release updates. 

• Check configurations for every operating system version for educational institution-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.

• Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.

• Use multi-factor authentication where possible.

• Disable unused remote access/RDP ports and monitor remote access/RDP logs.

• Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.

• Audit user accounts with administrative privileges and configure access controls with least privilege in mind.

• Audit logs to ensure new accounts are legitimate.

• Scan for open or listening ports and mediate those that are not needed.

• Identify critical assets such as student database servers and distance learning infrastructure; create backups of these systems and house the backups offline from the network.

• Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.

• Set antivirus and anti-malware solutions to automatically update; conduct regular scans.

End User Awareness Best Practices (bullet points verbatim from report):

• Focus on awareness and training. Because end users are targeted, make employees and students aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.

• Ensure employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.

• Monitor privacy settings and information available on social networking sites.

The complete report is freely available at ic3.gov.