Today's K-12 Cybersecurity Threats — And How to Combat Them


Last year was the worst on record for ransomware attacks in education. In fact, education institutions witnessed a staggering 70% surge in ransomware incidents year over year, according to recent findings. For instance, Minneapolis Public Schools experienced an attack that leaked 300,000 files and led to a $1 million ransom demand. Traditionally, these learning environments do not boast the strongest IT infrastructure, which can invite similar attacks.

As schools reconcile budgets with IT needs, oftentimes resources remain skeletal. In fact, teachers sometimes even absorb the role of security practitioners. Unfortunately, threat actors are opportunistic and will pounce with reckless abandon. As such, these ransomware incidents — cases where private networks are encrypted and their owners extorted — remain a lucrative option for threat actors. Further, what often flies under the radar in these targeted K-12 attacks is the collateral damage — the leakage of personally identifiable information (PII) of minors, or prolonged school closures during remediation.

Here, I'll analyze this threat landscape, and offer tips on how defenders can comfortably face new and emerging threats.

Complexity: The Biggest Variable

The IT and security talent gap in educational environments is worsening. In fact, 90% of school districts in a recent Center for Internet Security poll stated they have fewer than five employees with security-related duties. This, coupled with budget constraints and the accessible, public-facing nature of local governments, creates environments where prominent ransomware gangs can thrive. In fact, as many as 31 groups leveled attacks on the U.S. education system in the past year. Chief among them: Vice Society, recently rebranded as "Rhysida," a prominent ransomware-as-a-service (RaaS) player that's believed to be Russia-based and disproportionately targets educational settings. In one U.K.-based incident last year, the group leaked passport scans and contractual information across 14 different schools.

Rhysida and others like them, namely LockBit, use living-off-the-land tools (or existing features or functionalities on the victim's network) to gain access to a system and then execute malicious code, install malware, or steal sensitive information.

Security teams are unable to detect this activity using signature-based detection mechanisms, because this stealthy maneuvering relies on tools that are already trusted on the network and so leaves essentially none of the traditional indicators of compromise.
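To make the gap concrete, here is an added example (not from the original article) that runs a hash blocklist and two behavior rules over the same process-creation events. The events, host names, hash placeholders, and rule names are all constructed for illustration, and the rules are deliberately simplified.

```python
# Added example: signature matching vs. behavior rules on constructed events.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
KNOWN_BAD_HASHES = {"<hash-from-threat-feed>"}  # placeholder blocklist entry

# Constructed events; hashes are placeholders standing in for OS-shipped binaries.
EVENTS = [
    {"host": "lab-pc-07", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand <blob>",
     "sha256": "<os-powershell>"},
    {"host": "office-02", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe report.docx", "sha256": "<os-winword>"},
    {"host": "it-admin-01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1",
     "sha256": "<os-powershell>"},
    {"host": "lib-kiosk-03", "parent": "outlook.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c <constructed>", "sha256": "<os-cmd>"},
]

def has_encoded_flag(cmdline):
    """True if any switch is -EncodedCommand or an abbreviation (-e, -ec, -enc)."""
    for tok in cmdline.lower().split():
        if tok.startswith("-") and len(tok) > 1:
            name = tok[1:]
            if name == "ec" or "encodedcommand".startswith(name):
                return True
    return False

def signature_hits(events):
    """Hash lookup: only fires when the binary itself is known-bad."""
    return [e["host"] for e in events if e["sha256"] in KNOWN_BAD_HASHES]

def behavior_hits(events):
    """Rules on how trusted binaries are used, not on what they are."""
    hits = []
    for e in events:
        if e["parent"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS:
            hits.append((e["host"], "office-spawns-script-host"))
        if e["image"] == "powershell.exe" and has_encoded_flag(e["cmdline"]):
            hits.append((e["host"], "encoded-powershell"))
    return hits

if __name__ == "__main__":
    print("signature:", signature_hits(EVENTS))
    print("behavior: ", behavior_hits(EVENTS))
```

The administrator's scripted inventory run on `it-admin-01` stays quiet under both approaches, which is the tuning a small team needs to keep alert volume manageable.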

Similar groups have been observed gaining access via phishing — the leading infection vector, identified in more than 40% of incidents — and exploiting known and zero-day, or previously undetected, vulnerabilities.

Once cybercriminals have burrowed into networks (often buying that access through initial access brokers), they can escalate privileges, move laterally, and even target backup files and security software to ensure their impact is lethal.

Closures and Other Considerations

Aside from the technological impacts of an attack — say, servers being shut down to investigate and remediate — there are also other consequences: Think of prolonged school closures or even the resulting childcare needs that closures force. Consider that the average downtime from an educational cyberattack is eight days — that's more than one week of scrambling and potentially months of investigation and remediation.

There's also the threat of double or triple extortion, or continued ransom demands made to individual victims. While the FBI urges victims not to pay ransoms out of fear the hackers may never relent, victims often feel pressured into doing so.

Suffice to say cyberattacks in this sector — which disproportionately impact U.S. and U.K. schools — can be utterly crippling.

Several Proactive Strategies

Despite the fast-moving nature of ransomware, I offer the following advice to defenders: There's still hope, and it may mean getting scrappy with existing resources. In addition to leveraging cybersecurity products and services available to them, IT teams should:

Prioritize cybersecurity as a strategic objective. To begin, cybersecurity teams can share insights and advice with educational leaders about the importance of security and measures being taken to address it. They can also team up with these leaders — who may act as a bridge to students and staff — to convey information on topics like password hygiene, multi-factor authentication (which reduces your chances of being hacked by 99%), effective Google searching, locking unused computers, exercising caution with USBs, and more. Shared resources like newsletters, blogs, articles, and white papers can help create a mutually beneficial relationship across the entire ecosystem.

Use recognition programs or gamified training modules. These should encourage and reward good security practices among students and staff. Think outside the box; lean on trusted vendors, the community, and other resources to make learning "positive." For example, one student-facing activity could be a "Cyber Defender of the Week" newsletter that's shared regularly and recognizes students with the highest scores on straightforward defensive tasks (e.g., identifying phishing).

Encourage collaboration with parents, local businesses, and cybersecurity organizations. This can help raise awareness and promote a culture of shared responsibility. For one, the aforementioned newsletters should also reach parents and other local residents, since everyone is part of a shared security ecosystem. IT leaders and their respective schools might also consider partnerships with local businesses to raise awareness or co-host in-person educational events, etc. A united front can keep attackers at bay.

Stopping Criminals in Their Tracks

The state of K-12 cybersecurity may outwardly seem bleak, but as I've said, security teams should be empowered to halt these cyber offensives. The first part of the battle will be understanding that while educational networks may ostensibly seem off-limits, across the depths of the dark web, they're simply fair game.

Defenders: Take heed of these warnings. Together, by chipping away at one security measure at a time, we can protect the integrity of student data and learning environments.
