K–12 Has Become the Most Targeted Segment for Ransomware

Malicious actors have disrupted remote learning by targeting school systems in their ransomware, malware and DDoS attacks.

The FBI and other federal security agencies released a joint advisory that revealed an unsettling statistic for the 2020–2021 school year: since back-to-school, the K–12 education segment has become not only the No. 1 target for ransomware but also the subject of the majority of all ransomware incidents reported to MS-ISAC.

According to the report, 57 percent of all reported ransomware attacks in August and September were targeted at K–12, with actors exploiting the move to remote learning to cause disruptions. That’s up from 28 percent for the period from January through July.

Ransomware is a form of malware in which the attacker gains access to the victim’s computer systems and then holds the victim’s systems and/or data for ransom. Perpetrators demand money under threat of leaving the systems they’ve locked or encrypted unusable, or of releasing the data they’ve stolen (generally private student data in the case of K–12 incidents).

The report, released Dec. 10, was created in a collaboration between the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

“The FBI, CISA, and MS-ISAC have received numerous reports of ransomware attacks against K-12 educational institutions. In these attacks, malicious cyber actors target school computer systems, slowing access, and — in some instances — rendering the systems inaccessible for basic functions, including distance learning. Adopting tactics previously leveraged against business and industry, ransomware actors have also stolen — and threatened to leak — confidential student data to the public unless institutions pay a ransom.”

According to the report: “The five most common ransomware variants identified in incidents targeting K-12 schools between January and September 2020 — based on open source information as well as victim and third-party incident reports made to MS-ISAC — are Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil.”

The FBI does not recommend paying ransoms. According to the report: “Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, regardless of whether your organization decided to pay the ransom, the FBI urges you to report ransomware incidents to your local FBI field office. Doing so provides the FBI with the critical information they need to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under US law.”

Ransomware isn’t the only bad news for K–12.

  • The K–12 segment has also been targeted for distributed denial-of-service attacks (DDoS), including third-parties providing support for remote learning.

  • There have been disruptions of videoconferencing sessions, including distance learning sessions, in which attackers join and disrupt classes by harassing participants, sharing images that are inappropriate for a classroom or even doxing members of the audience (publicly revealing sensitive information about them). The report did not quantify these incidents.

  • Other forms of malware have also impacted the K–12 segment. The most common malware observed against K–12 institutions between January and September 2020 included Shlayer (39 percent of all malware used against K–12) and ZeuS (22 percent). Shlayer, the most widespread, is the only malware in the top 10 that targets macOS. The report describes it as follows: “Trojan downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malicious advertising posing as a fake Adobe Flash updater.” The rest of the malware on the list targets Windows operating systems.

The report offers several recommendations for network and security staff, as well as end users.

Network Best Practices (bullet points verbatim from report):

  • Patch operating systems, software, and firmware as soon as manufacturers release updates. 

  • Check configurations for every operating system version for educational institution-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.

  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.

  • Use multi-factor authentication where possible.

  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.

  • Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.

  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.

  • Audit logs to ensure new accounts are legitimate.

  • Scan for open or listening ports and mediate those that are not needed.

  • Identify critical assets such as student database servers and distance learning infrastructure; create backups of these systems and house the backups offline from the network.

  • Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.

  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.
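Three of the network practices above (disable unused RDP and monitor its logs, audit accounts with administrative privileges, audit logs so new accounts are legitimate) come down to reading the Windows Security log for a handful of event IDs. The script below is an added example, not code from the advisory or from any district; it audits a JSON-lines export of Security events for RDP logons from outside an approved network, newly created accounts, and additions to administrative groups, and links created accounts to later admin-group additions. The event IDs are the standard Windows ones; the field names, the JSON-lines export format, the approved management subnet and the sample events themselves are assumptions constructed for the example.

```python
"""Audit exported Windows Security events for RDP logons, new accounts and admin-group changes.

Added example (not from the CISA/FBI/MS-ISAC advisory). Assumptions: events arrive as
JSON lines with the field names below, and RDP is only permitted from one management subnet.
"""
import json
import ipaddress

# Standard Windows Security event IDs used by this audit.
EVENT_LOGON = 4624                  # successful logon; LogonType 10 = RemoteInteractive (RDP)
EVENT_ACCOUNT_CREATED = 4720        # user account created
EVENT_ADDED_TO_LOCAL_GROUP = 4732   # member added to a security-enabled local group
EVENT_ADDED_TO_GLOBAL_GROUP = 4728  # member added to a security-enabled global group
RDP_LOGON_TYPE = 10
ADMIN_GROUPS = {"Administrators", "Domain Admins"}

# Assumption for this example: only the management VLAN may open RDP sessions.
APPROVED_RDP_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample events (JSON lines); not real log data.
SAMPLE_EVENTS = """
{"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "10.20.0.15", "TimeCreated": "2020-09-14T07:55:02"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.42", "TimeCreated": "2020-09-14T02:13:40"}
{"EventID": 4624, "LogonType": 2, "TargetUserName": "teacher01", "IpAddress": "127.0.0.1", "TimeCreated": "2020-09-14T08:01:11"}
{"EventID": 4720, "TargetUserName": "helpdesk2", "SubjectUserName": "svc_backup", "TimeCreated": "2020-09-14T02:15:03"}
{"EventID": 4732, "MemberName": "helpdesk2", "TargetUserName": "Administrators", "SubjectUserName": "svc_backup", "TimeCreated": "2020-09-14T02:15:20"}
{"EventID": 4732, "MemberName": "printsvc", "TargetUserName": "Print Operators", "SubjectUserName": "admin", "TimeCreated": "2020-09-14T09:30:00"}
"""


def parse_events(text):
    """Parse a JSON-lines export, skipping blank or malformed lines instead of aborting the audit."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def rdp_logons_from_unapproved_sources(events):
    """Successful RDP logons (4624, LogonType 10) whose source address is outside the allow-list."""
    findings = []
    for e in events:
        if e.get("EventID") != EVENT_LOGON or e.get("LogonType") != RDP_LOGON_TYPE:
            continue
        try:
            src = ipaddress.ip_address(e.get("IpAddress", ""))
        except ValueError:
            # A missing or non-IP source field is itself worth a look.
            findings.append((e.get("TargetUserName"), e.get("IpAddress"), "unparseable source"))
            continue
        if not any(src in net for net in APPROVED_RDP_NETWORKS):
            findings.append((e.get("TargetUserName"), str(src), "outside approved networks"))
    return findings


def accounts_created(events):
    """(new account, creating account) pairs for staff to confirm against change tickets."""
    return [(e.get("TargetUserName"), e.get("SubjectUserName"))
            for e in events if e.get("EventID") == EVENT_ACCOUNT_CREATED]


def admin_group_additions(events):
    """(member, group, actor) for 4728/4732 events whose group is considered administrative.

    In these events the group name is TargetUserName and the added member is MemberName.
    """
    return [(e.get("MemberName"), e.get("TargetUserName"), e.get("SubjectUserName"))
            for e in events
            if e.get("EventID") in (EVENT_ADDED_TO_LOCAL_GROUP, EVENT_ADDED_TO_GLOBAL_GROUP)
            and e.get("TargetUserName") in ADMIN_GROUPS]


def new_accounts_made_admin(events):
    """Accounts created in this export that were then added to an admin group: the pattern
    to escalate first, since a legitimate new account rarely needs admin rights immediately."""
    created = {name for name, _ in accounts_created(events)}
    return [member for member, _, _ in admin_group_additions(events) if member in created]


def audit(text):
    """Run every check over one export and return the findings keyed by check name."""
    events = parse_events(text)
    return {
        "unapproved_rdp": rdp_logons_from_unapproved_sources(events),
        "new_accounts": accounts_created(events),
        "admin_additions": admin_group_additions(events),
        "new_accounts_made_admin": new_accounts_made_admin(events),
    }


if __name__ == "__main__":
    for check, rows in audit(SAMPLE_EVENTS).items():
        print(check)
        for row in rows:
            print("   ", row)
```

On the constructed sample the off-hours RDP logon from 203.0.113.42, the account helpdesk2 created by that same session, and its immediate addition to Administrators all surface, while the on-network logon and the Print Operators change do not. Real exports (for example from Get-WinEvent or a SIEM) will need the field names adjusted, and 4732 events often carry only a MemberSid that must be resolved to a name before the join in new_accounts_made_admin works.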

End User Awareness Best Practices (bullet points verbatim from report):

  • Focus on awareness and training. Because end users are targeted, make employees and students aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.

  • Ensure employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.

  • Monitor privacy settings and information available on social networking sites.

The complete report is freely available at ic3.gov.
