The ransomware attack targeting Haywood County Schools is a case of bad luck in a growing problem faced by school districts across the country.
“Those targeted often think ‘It must be us, it must be something we did wrong.’ But it could have happened to anyone,” said Doug Levin, a cyber security expert with EdTech Strategies. “It is not a question of if incidents like this will happen, but when.”
Attacks on school systems were on the uptick even before COVID, with 348 publicly disclosed school cyber incidents in 2019, triple the previous year. Here in the mountains, Burke County Schools was targeted in early March.
“The technology team worked nonstop, including weekends, to restore service,” said Cheryl Shuffle, spokesperson for Burke County Schools.
Burke was hit a week before schools closed due to COVID, and the school system had to delay the start of remote learning for two weeks as a result.
“After the governor closed schools, we had some breathing room,” Shuffle said. “The cyber threat created inconveniences and the loss of some documents and data, but no sensitive information was compromised.”
Louisiana had so many schools hit last year that the governor declared a state of emergency.
With schools resuming the year under remote learning models, their reliance on digital technology makes them even lower-hanging fruit, primarily because they can’t afford to have computer systems down.
“They would feel under a lot of pressure to get them back up, so there’s a temptation to pay the ransom to get it fixed easily,” Levin said.
The FBI even issued a warning this summer for school systems to be on guard.
“Cyber actors are likely to increase targeting of K-12 schools during the COVID-19 pandemic,” the FBI warning stated in June.
The Mountaineer asked Levin to describe how ransomware attacks targeting school systems work and how they typically play out.
Why would cyber criminals target schools?
“This is a particularly tough time of year. There is very little tolerance for not having your system running. I think they know the school year is starting so there’s more pressure,” Levin said.
“We started to see cases where the governments and school districts were paying the extortionists to get back to business again. When criminals find a scheme that works for them, they repeat it against other targets that might fall for the same scam.”
Why did they choose Haywood County Schools?
The hackers aren’t out to get Haywood County in particular.
“They just want to get paid,” he said.
Hackers are simply searching for servers that are a match for their particular exploit, or the attack could have originated with a corrupted email inadvertently opened by an employee. There’s a good chance the hackers are international. They seek payments in the form of untraceable cryptocurrency.
“The odds of law enforcement being able to get them are low.”
When does it make sense to pay the ransom, versus try to recover by rebuilding your system?
“No one in law enforcement will suggest you should pay. That’s because these are criminals. They will probably do really bad things with the money, and it will encourage them to go after others.”
Are you guaranteed to get your servers and data back if you pay, or could the cyber attackers just walk with the money?
Ransomware typically encrypts or scrambles files on your server, making them unusable.
“What you are negotiating is the price for the key to unscramble it. When people pay, they tend to get access back to their systems. But sometimes the key doesn’t work. So you are definitely taking a chance.”
Are you better off trying to get rid of the ransomware and recover on your own?
“The issue is making sure the ransomware is gone,” Levin said.
Some entities that didn’t pay and tried rebuilding on their own have ended up infected again.
“Either their backups were infected, or they didn’t really clean up the infection in the first place, and it reattached to the network and just started up again. They really need to figure out where it targeted and how it spread. Otherwise you can get in a cycle of all this work to restore it and get infected again.”
Doug Levin is the President and Founder of EdTech Strategies, a consulting and advocacy firm for cybersecurity issues facing educational institutions. He hosts the K-12 Cybersecurity Resource Center online at k12cybersecure.com, including a map of cyber attacks against school systems.