Hackers used to focus their ransomware attacks primarily on taking money from corporations’ deep pockets, but they’ve recently been targeting schools and municipalities.
“Why is that so? Well, you possess an enormous amount of personal data – birthdates, social security numbers, direct deposit, banking information, credit card information – all of that you have about not only your employees, but your students and their parents,” said Rob Haws, a partner at Gust Rosenfeld PLC law firm, who specializes in education law and labor and employment.
Schools keep that data for a long time, their IT equipment and operators are not always state of the art, and they “have budgetary constraints that impose some limits on correcting either of those concerns,” which is “why schools are becoming more and more of a target in this area,” Haws said during a breakout session at the Arizona School Boards Association Law Conference in Phoenix on Thursday, Sept. 5, 2019.
Video shot by Brooke Razo/AZEdNews and edited by Angelica Miranda/AZEdNews: What schools should do if they’re the victim of a cyberattack
How do hackers access this information? Schools “have multiple access points that you need to be mindful of as we move to more and more online activity, whether it’s registering for classes or grading or payments,” Haws said. “All those online options create a convenience for sure, but also create risks of bad people being able to access this stuff.”
But school districts and their IT departments can build awareness among staff and increase their understanding of what to keep an eye on and what to look out for, said Brad Sandt, founder and president of K12itc, a company that focuses on managing technology for schools.
“We have people trying to attack us every day,” Sandt said at the law conference. “As we continue to put in additional layers of security, it’s going to impact users, but each additional layer – each key piece of security – will add that much additional defense and protection in reducing risk.”
How ransomware affected Flagstaff Unified School District
About two weeks after Flagstaff Unified School District notified parents, staff and students that they were affected by the Pearson data breach, the district cancelled classes for two days to examine every school, staff and student device in response to “a ransomware event,” said Zachery Fountain, communications director for the district, which serves more than 9,800 students in Coconino County.
Ransomware is malware that encrypts the data on affected computers, devices or networks and demands payment, typically in bitcoin or another cryptocurrency, before the attackers will consider releasing a decryption key. Paying does not guarantee that partial or full access is restored.
“We received information from a school district that one or more of its employees was targeted through their district email account,” said an Arizona Auditor General’s Office bulletin sent out Sept. 12, 2019.
“The specific malware or ransomware that was used in the Flagstaff situation is called Ryuk. It’s similar to many others that are used,” said Haws, who noted that The Arizona School Risk Retention Trust, Inc. uses him and Gust Rosenfeld when something like this occurs.
Once a ransomware email is opened and the links inside it are clicked on, “it lays dormant for a little while, while the bad guys are doing what bad guys do. And then after a little while, the bomb goes off, and all of your data then becomes encrypted,” Haws said.
“You then lose access to all your email, to all your documents, to all your Excel, PowerPoint and Word documents – things like that – unless you pay a ransom in bitcoin to the bad guys with the hope that they will then unencrypt the data. That is essentially the situation that is happening here,” Haws said.
Mary Knight, Flagstaff Unified’s technology director, told the Associated Press and ABC 15 Arizona that the district did not pay a ransom and would not consider doing so.
The Trust will not pay a ransom, “that’s not part of your coverage,” Haws said.
“A breach insinuates that somebody went in and took information off of your servers or your computer. That did not happen. We responded way too quickly for that to happen,” Fountain said in an interview with AZEdNews.
After the district discovered the attack on Wednesday, Sept. 4, 2019, it cut off access to the internet, investigated the incident and the possible damage, cancelled classes on Thursday and Friday, scanned all staff, district and student devices, and installed new malware protection.
“We had staff from across the district that we mobilized, and we touched every single Windows laptop and desktop computer in the course of 72 hours,” Fountain said.
Students and teachers returned to school on Monday, Sept. 9, 2019.
“The big thing I would say is that it’s the preparation on the front end that is important to survive these types of events,” Fountain said.
“We’re very fortunate that our IT team took a proactive approach. They had a plan in place. They had procedures, and they were really able to secure things,” Fountain said.
What to do during a cyberattack
Cyberattacks of schools are becoming more common and more frequent, said Sandt, who served as an IT director in a school district for about 14 years before founding K12itc.
“It’s not a matter of if, it’s a matter of when. The key is being prepared and knowing what to do,” said Sandt, whose company often works with schools when it comes to these types of threats.
If schools think they’ve been a victim of a cyberattack, they should unplug the affected system, take it offline, and power it down to minimize the spread and the damage, Sandt said.
Since the mid-1980s the number of cyberattacks, the number of viruses and their complexity have risen exponentially, but the spending by most organizations, including schools, on resources to implement strong security has not kept up, Sandt said.
School districts need a layered approach that identifies and protects data and sensitive systems, puts procedures and policies in place that enhance security, takes steps to restrict people’s access to just what they need to do their jobs, and includes a process to examine whether the IT system has been attacked or breached, Sandt said.
School districts also need to make sure that anti-virus, anti-malware and system patches are updated regularly, Sandt said. Schools will often ask to shut down updates or patches on carts of Windows student machines, saying it impacts the educational process, but “you have to patch those systems, because those vendors are doing the hard work to make sure that they protect you from these incidents,” Sandt said.
School districts also should consider self- and third-party risk assessment, put potential solutions in place, and test those solutions often.
“It’s not like you do this once, and all of a sudden you’re fixed. This is something that has to be a common, recurring process to be able to defend against changing threats,” Sandt said.
School districts need a cyberattack response plan that includes – “Who’s involved? Do they know the process? And are they ready to act when something happens? Because time matters, particularly when we’re talking about isolating an attack or the impact of such an event,” Sandt said.
Educating teachers, other district staff, and students about using strong unique passwords, not clicking on links in emails from unfamiliar senders and other threats is critical as well, Sandt said.
“If I can get you to download an email attachment with a zip file, get you to open it and you launch it, what you’ve just done is create a back door into your network right through your firewall and your firewall doesn’t do anything,” Sandt said.
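Sandt’s zip-attachment scenario is exactly the case a mail gateway or helpdesk script can catch before the message reaches a teacher’s inbox. The following is an added example, not code from the page, from K12itc or from the district: it parses a constructed phishing-style message with Python’s standard `email` and `zipfile` modules and flags attachments that are executable themselves or that carry an executable inside a ZIP, including nested and password-protected archives. The extension list, the sender and recipient addresses, the file names and the message itself are assumptions made up for the demo.

```python
"""Hold e-mail attachments that are executables or ZIPs carrying executables.
Added example (not code from the page); extension list and sample message are constructed."""
from __future__ import annotations

import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# File types Windows runs when double-clicked. Assumed list for the demo; tune it locally.
EXECUTABLE_SUFFIXES = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs",
    ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".msi", ".dll",
}
MAX_NESTED_BYTES = 50 * 1024 * 1024  # do not unpack nested archives larger than this
MAX_DEPTH = 3                        # cap recursion into ZIP-inside-ZIP chains


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used to construct demo data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def risky_names_in_zip(data: bytes, depth: int = 0) -> list[str]:
    """Return archive members that warrant holding the message: executable
    extensions, password-protected archives (contents unreadable, a common
    phishing trick) and nested ZIPs, which are inspected recursively."""
    if depth > MAX_DEPTH:
        return [f"<archive nested deeper than {MAX_DEPTH} levels>"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a ZIP at all; nothing to unpack
    found: list[str] = []
    with zf:
        if any(info.flag_bits & 0x1 for info in zf.infolist()):
            found.append("<password-protected archive>")
        for info in zf.infolist():
            name = info.filename
            suffix = PurePosixPath(name).suffix.lower()  # ".pdf.exe" -> ".exe"
            if suffix in EXECUTABLE_SUFFIXES:
                found.append(name)
            elif suffix == ".zip" and not (info.flag_bits & 0x1):
                if info.file_size > MAX_NESTED_BYTES:
                    found.append(f"{name} <nested archive too large to inspect>")
                    continue
                inner = risky_names_in_zip(zf.read(info), depth + 1)
                found.extend(f"{name}/{n}" for n in inner)
    return found


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Walk every attachment of an RFC 5322 message and return
    (attachment filename, reason) pairs for anything to hold for review."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[tuple[str, str]] = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        suffix = PurePosixPath(fname).suffix.lower()
        if suffix in EXECUTABLE_SUFFIXES:
            findings.append((fname, "executable attachment"))
        # Check content, not just the name: a renamed ZIP still starts with the PK signature.
        if suffix == ".zip" or payload.startswith(b"PK\x03\x04"):
            for member in risky_names_in_zip(payload):
                findings.append((fname, f"archive member: {member}"))
    return findings


def build_sample_message() -> bytes:
    """Constructed phishing-style message: a harmless PDF plus a ZIP holding a
    decoy document and an executable with a double extension."""
    archive = make_zip({
        "Invoice_Sept2019.pdf": b"%PDF-1.4 decoy",
        "Invoice_Sept2019.pdf.exe": b"MZ fake executable",
    })
    msg = EmailMessage()
    msg["From"] = "payroll@example.invalid"
    msg["To"] = "staff@district.invalid"
    msg["Subject"] = "Updated direct deposit form"
    msg.set_content("Please open the attached invoice and confirm your banking details.")
    msg.add_attachment(b"%PDF-1.4 harmless", maintype="application", subtype="pdf", filename="memo.pdf")
    msg.add_attachment(archive, maintype="application", subtype="zip", filename="Invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, reason in scan_message(build_sample_message()):
        print(f"HOLD {fname}: {reason}")
```

The check looks at the bytes of the attachment rather than trusting its name, caps how deep and how large a nested archive it will open, and treats a password-protected archive as a reason to hold the message, since its contents cannot be inspected. In production this sits in the gateway quarantine path; the point is that the firewall Sandt mentions never sees the payload, so the inspection has to happen on the message itself.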
Recovering from ransomware or malware takes time, Sandt said.
“If it’s a malware breach, for an example like Cryptolocker, you have to restore your servers,” Sandt said. “You may have backup for your servers, but most users if they’re storing something on their desktop, those files aren’t backed up. If that device is encrypted that now means that you may have to touch 1,000 or more devices to get them back up and online.”
“While your servers with good backup procedures might be able to be up and back online within 12 to 24 hours, you may have another two weeks of getting every system back online,” Sandt said.
That’s why backups are critically important, Sandt said.
“Ryuk and attackers that are using that right now, their mission is to first get the malware deployed, get into your system, then they hunt out your backup systems and try to disable them,” Sandt said. “Monitoring and managing your backup systems and testing to make sure that those are effective becomes critical.”
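Sandt’s point that the attackers go after backups before detonating can be turned into detection logic. The following is an added example, not code from the page, from K12itc or from the district: it runs a few rules over constructed Windows process-creation log lines and flags the commands that typically precede encryption (shadow-copy deletion, backup-catalog deletion, disabling Windows recovery, and stopping backup services); several different techniques on one host inside a five-minute window escalate to a single alert. The page itself only says Ryuk “hunts out” backups; the specific commands are widely documented ransomware behaviours, and the pipe-delimited log format, the hostnames, the users and the service-name list are assumptions made up for the demo.

```python
"""Flag process-creation events that look like ransomware disabling backups.
Added example (not code from the page); log format, hosts, users and the
service-name list are constructed for the demo."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


# Commands that destroy local recovery options. These are widely documented
# ransomware behaviours; the page itself only says Ryuk "hunts out" backups.
RULES = [
    Rule("shadow-copy-deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    Rule("shadow-copy-deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    Rule("shadow-storage-squeeze", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    Rule("backup-catalog-deletion", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
    Rule("recovery-disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]
# Service-control commands; the target service is checked against backup-related name fragments.
SERVICE_CONTROL = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+(?:stop|config|delete)\s+(\S+)", re.I)
BACKUP_SERVICE_HINTS = ("backup", "veeam", "acronis", "vss")  # assumed list; extend for your products


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    parent: str
    cmdline: str


def parse_line(line: str) -> Event:
    """Parse 'ts|host|user|parent_image|command_line' (a constructed format).
    maxsplit=4 keeps any '|' inside the command line intact."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), host, user, parent, cmd)


def classify(cmd: str) -> list[str]:
    """Names of every tamper technique the command line matches."""
    hits = [r.name for r in RULES if r.pattern.search(cmd)]
    m = SERVICE_CONTROL.search(cmd)
    if m and any(h in m.group(1).lower() for h in BACKUP_SERVICE_HINTS):
        hits.append("backup-service-tampering")
    return hits


def detect(log_text: str) -> list[dict]:
    """One alert per event that matches at least one rule."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        tags = classify(ev.cmdline)
        if tags:
            alerts.append({"ts": ev.ts, "host": ev.host, "user": ev.user, "tags": tags, "cmd": ev.cmdline})
    return alerts


def escalate(alerts: list[dict], window: timedelta = timedelta(minutes=5), min_distinct: int = 2) -> dict[str, set[str]]:
    """Hosts where at least min_distinct different techniques fired inside one
    window. A lone vssadmin call might be an admin; a burst is a pre-encryption
    routine and is the moment to isolate the host."""
    by_host: dict[str, list[dict]] = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    escalated: dict[str, set[str]] = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        for i, start in enumerate(items):
            tags: set[str] = set()
            for a in items[i:]:
                if a["ts"] - start["ts"] > window:
                    break
                tags.update(a["tags"])
            if len(tags) >= min_distinct:
                escalated[host] = tags
                break
    return escalated


# Constructed sample: a backup agent listing shadows, a burst of tampering, one benign launch.
SAMPLE_LOG = r"""
2019-09-04T07:58:12Z|FS01|district\svc_backup|C:\Program Files\BackupAgent\agent.exe|vssadmin.exe list shadows
2019-09-04T08:02:41Z|FS01|district\jdoe|C:\Windows\System32\cmd.exe|vssadmin.exe Delete Shadows /all /quiet
2019-09-04T08:02:42Z|FS01|district\jdoe|C:\Windows\System32\cmd.exe|wbadmin delete catalog -quiet
2019-09-04T08:02:43Z|FS01|district\jdoe|C:\Windows\System32\cmd.exe|bcdedit /set {default} recoveryenabled No
2019-09-04T08:02:44Z|FS01|district\jdoe|C:\Windows\System32\cmd.exe|net stop VeeamBackupSvc /y
2019-09-04T08:05:00Z|WS17|district\teacher1|C:\Windows\explorer.exe|"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "Lesson.docx"
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']:%H:%M:%S} {a['host']} {a['user']} {','.join(a['tags'])}: {a['cmd']}")
    for host, tags in escalate(found).items():
        print(f"ESCALATE {host}: {len(tags)} backup-tamper techniques in one window -> isolate")
```

The per-command rules will fire on legitimate administration now and then (the first sample line, a backup agent enumerating shadow copies, is deliberately not matched, but a real admin deleting old shadows would be); the time-window escalation is what separates routine maintenance from the scripted sequence that runs just before encryption, and it is the escalation, not the single rule hit, that should drive the isolation step described earlier in the article.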