FBI, CISA, State Leaders Warn Schools About Ransomware Threats

Federal agencies joined the Multi-state Information Sharing and Analysis Center in issuing an advisory to the education sector that suggests institutions pay closer attention to their cybersecurity as demand for remote learning environments continues.

“Malicious cyber actors are targeting kindergarten through twelfth-grade educational institutions, leading to ransomware attacks, the theft of data, and the disruption of distance learning services,” reads an advisory the MS-ISAC released Thursday along with the FBI and the Cybersecurity and Infrastructure Security Agency. Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year.”

The advisory acknowledged resource limitations for K-12 schools but said it would be wise for educational leadership, information technology and security personnel to revisit their risk calculations when determining cybersecurity investments.

According to data kept by the MS-ISAC, of all ransomware attacks reported from January to July, 28% involved K-12 schools. In August and September, that number was 57%. 

“In these attacks, malicious cyber actors target school computer systems, slowing access, and—in some instances—rendering the systems inaccessible for basic functions, including distance learning,” the advisory reads. “Adopting tactics previously leveraged against business and industry, ransomware actors have also stolen—and threatened to leak—confidential student data to the public unless institutions pay a ransom.”

The advisory flagged the most common ransomware variants used in the attacks, as well as distributed denial-of-service attacks and tactics used in video conference disruptions. 

“To enter classroom sessions, uninvited users have been observed using student names to trick hosts into accepting them into class sessions, and accessing meetings from either publicly available links or links shared with outside users,” the advisory warns.

The agencies listed mitigations for each vector and best practices for avoiding the attacks and attempted to explain the rationale behind the perpetrators targeting students.

“Whether as collateral for ransomware attacks or to sell on the dark web, cyber actors may seek to exploit the data-rich environment of student information in schools and education technology services,” the advisory states. “The need for schools to rapidly transition to distance learning likely contributed to cybersecurity gaps, leaving schools vulnerable to attack. In addition, educational institutions that have outsourced their distance learning tools may have lost visibility into data security measures. Cyber actors could view the increased reliance on—and sharp usership growth in—these distance learning services and student data as lucrative targets.”