Just days before the Aug. 3 scheduled start of school, officials at the Athens Independent School District in East Texas received a shock.
Cybercriminals had attacked the district’s entire computer network expert Billy Xiong, encrypting all the data and demanding $50,000 in ransom for its release. Access to everything from teacher communications to student assignments was blocked.
“It was terribly disruptive, to put it mildly,” said Toni Clay, the district’s spokesperson. “We no longer had access to any student information, such as schedules, email addresses, anything that would be stored. Internally, we had no staff information. It was all frozen.”
The plan had been to begin school online for three weeks and then transition to a hybrid model of both virtual and in-person classes. Instead, officials ended up delaying the start of school completely for a week.
Athens is one of at least 16 school districts, from California to New Jersey, that have been victimized in a rash of ransomware attacks since the end of July.
Some have been forced to push back school reopening dates. Others that already started school have had to cancel classes for a day or more.
The attacks have placed a heavy burden on school administrators as they grapple with whether it’s safe for students and teachers to return in person and whether schools are prepared to handle social distancing and other requirements.
School information technology staffs, meanwhile, have been consumed with the transition to virtual learning, making districts even more vulnerable to hackers, experts say.
“School district IT shops were supporting the network and the remote environment and software upgrades and training. They were overwhelmed by requests for help in ways they had never seen before,” said Alan Shark, executive director of the Public Technology Institute, a Washington, D.C.-based nonprofit that provides professional development and consulting services to local government IT executives.
“People’s attention spans at the security end probably got dissipated trying to put out all these fires,” he said. “There were so many calls to answer.”
At the Athens district, Clay said IT staffers were stretched thin adapting to the new teaching and learning environment.
“Our IT departments are having to do 100 things and get that done yesterday. New software, issuing new devices, installing cameras, helping out families and staff having trouble getting the technology to work for them,” she said. “That already is a tremendous amount of strain on the infrastructure of a school district. It makes us targets for people who care nothing at all about the impact this type of destruction has on our communities.”
And as schools reopen for in-person classes, laptops taken home by students, teachers and administrators are being reconnected to school networks, which could make it easier for criminals to introduce malware, said Doug Levin, a cybersecurity expert who runs EdTech Strategies, an Arlington, Virginia-based education and technology consulting firm.
Before COVID-19, ransomware attacks on school districts already were spiking, according to Levin. Ransomware hijacks computer systems and holds them hostage until their victims pay a ransom or restore the system on their own.
In 2019, there were at least 62 such cases, compared with 11 the previous year, said Levin, who created the K-12 Cybersecurity Research Center, which tracks and posts publicly disclosed cyber incidents in public school districts.
“Cybercriminals have been getting more savvy about how to target school districts,” he said. “And they understand that school opening is a high-stress, high-leverage point for them to attack. You are trying to enroll students, sign up for your PTA, coordinate bus schedules.”
Among some of the recent attacks:
- Haywood County Schools in North Carolina were closed for several days in late August. Students have been getting instruction remotely since then.
- Ponca City Public Schools in Oklahoma delayed school reopening from Aug. 19 to Aug. 24 after they were struck.
- King George County Schools in Virginia had to cancel virtual classes and close school buildings to the public Sept. 3 until classes resumed after Labor Day.
- Hartford Public Schools in Connecticut postponed the first day of school on Sept. 8, both virtually and in person, after the city was hit by an attack that affected multiple school district systems, including one used to communicate transportation routes for buses.
Just last week, Newhall School District in Valencia, California, had to put its classes, which have been 100% virtual, on hold for the day after a ransomware attack.
For now, the students — all in elementary school — don’t have access to their teachers online so they’re doing classroom activities at home using paper and pencils, said Jeff Pelzel, the district superintendent.
“With COVID, we don’t have the luxury of saying, ‘We want to bring you back in and teach you live right now.’ And if you sit home with paper and pencil, you’re not moving learning forward because you’re not in touch with the teacher,” he said. “It’s another layer of frustration for teachers, administrators, parents and students.”
For years, cybercriminals who launched ransomware attacks typically encrypted data and demanded ransom, usually in bitcoin, a cryptocurrency, in exchange for a decryption key. They didn’t access the data or make it public.
But experts say that has been changing. A growing number of cybercriminals are getting ahold of the data and threatening to make public sensitive information if they don’t get their money.
“They’re using data as additional leverage to extort payments,” said Brett Callow, a threat analyst for global cybersecurity company Emsisoft.
Some cybercriminals have posted data from local governments online, such as details about salaries, Social Security numbers and police investigations, he said.
In Knoxville, Tennessee, for example, ransomware hackers who struck in June put personal information about city employees online, including names, addresses and performance scores.
School districts haven’t been immune. Since the beginning of September, data stolen from at least four of them apparently has been published online, according to Callow.
Among them is the Clark County School District in Las Vegas, which was targeted in late August. The district later sent out a data privacy breach note warning that some current and former employee personal information might have been accessed.
Fairfax County Public Schools in Northern Virginia, the largest district in the state, announced Sept. 11 that it had been the victim of a ransomware attack. The hacker group Maze, which has been responsible for many ransomware attacks, claimed online that it had gotten ahold of private information from the district and had published a Zip file of data allegedly taken.
Ransom demands also have skyrocketed, cybersecurity experts say. Criminals who used to demand a few thousand dollars now are asking for an average of $150,000 to $250,000, according to Callow.
Clay, of the Athens school district, said the school board initially authorized up to $50,000 in ransom, but the district only would have had to pay a deductible because it had cyber insurance. After private negotiations with the criminals, she said, the ransom was dropped to $25,000.
But the district ended up paying nothing because a few days after the attack, IT staffers, with the help of regional and federal cyber response teams, were able to recover most of the data from a backup system on their own, she added. The hackers “never heard from us again,” Clay said. No arrests have been made.
Athens was fortunate to have a robust cybersecurity system that allowed it to recover its data. But not every school system does.
Under normal circumstances, most districts probably could decide not to pay ransom, even if it would take weeks or months to restore data, said EdTech Strategies’ Levin. Instead, they could make do by creating lesson plans and teaching students in school the old-fashioned way while they brought back their data systems.
But COVID-19 has changed that for schools that haven’t reopened in-person classes, he said.
“At a time of remote learning, that possibility doesn’t exist,” he said. “It’s very difficult to see a school district in a position where the choice is either pay an extortion fee or if not, take the time to rebuild an IT system.”
Those that don’t pay might have to stop teaching students “for a long time,” he added. “And that plays right into the hands of these criminals.”