Schools Hit by Ransomware: Could it happen here? (It already has.)

“Don’t take cybersecurity for granted.”

This is what the Editorial Board of the Baltimore Sun said last week after the Baltimore County School System suffered a ransomware attack which, due to remote learning, caused classes to be cancelled for days, affecting the education of 115,000 students.

The Baltimore Sun lauded the School System’s efforts, citing a report revealing that auditors previously “found that ‘intrusion detection prevention system coverage for untrusted traffic did not exist,’” and that “students were allowed ‘unnecessary network-level access to administrative servers.’”

This attack may have surprised some, who assumed that local government in Baltimore County would have learned its lesson after the city of Baltimore itself fell victim to a ransomware attack just last year.

According to InfoSecurity Magazine, “The district’s website, email system, and grading system have all been impacted by the incident. It is not yet clear whether any student data was exposed to unauthorized third parties.”

The current theory is that the school system was hit by the Ryuk ransomware, which targets large enterprise organizations -- the digital equivalent of big game hunting. Ryuk is sold on internet forums and on the dark web -- so far netting the Bitcoin equivalent of $3,701,893.98. Note: Bitcoin is used because of the anonymity it affords its users, including those with malicious intent.

According to Microsoft Security Intelligence, almost 10,000,000 devices have “reported enterprise malware encounters in the last 30 days.” Unfortunately, and especially worrying right now, 63% of those devices were used in the education sector.

Could this happen here in New England?

Well, it already has. Back in October, Springfield Public Schools, the third largest school system in the state, was also hit by a ransomware attack. As in Baltimore, remote learning for the system’s students was suspended. The district was still working in November to recover data and get all of its servers up and running again.

Currently, the best way to protect a network is to deploy Endpoint Detection & Response (EDR) on every connected system. EDR monitors and collects data from endpoints, then applies machine learning to that data to build advanced threat protection based on observed tendencies and patterns. EDR adoption is reported to be growing by 26% annually over the next six years.