If staggering staffing shortages, razor-thin budgets, safety issues and politically driven controversies weren’t enough to contend with, U.S. schools are facing another major crisis: skyrocketing ransomware attacks.
You’ve likely read news stories about educational institutions under attack in recent weeks. This timing is no coincidence: A new school year spells new opportunity for attackers. Just last week, the U.S. Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint cybersecurity advisory (CSA) warning that threat actors are “disproportionately targeting the education sector with ransomware attacks,” especially kindergarten through twelfth grade (K-12) institutions.
These attacks have resulted in “restricted access to networks and data, delayed exams, canceled school days and unauthorized access to and theft of personal information regarding students and staff,” CSA authors note.
Why K-12 schools? CyberArk’s Matt Kenslea – whose years of public sector work give him insight into many of today’s top education challenges – says it all comes back to opportunity. “Many attackers go after weakness and many of these schools are understaffed, underfunded and highly vulnerable. The attackers are many, their tools are varied and often-overworked staff can struggle to keep up.”
“School districts, especially those in large, urban environments have to do so much: Feed students, bus students, teach students, provide individualized support for students – many of whom speak different languages – and keep students safe. With so many competing priorities, hiring and keeping specialized cybersecurity staff is a massive challenge,” says Kenslea. “Many school districts don’t – or can’t – make investments in cybersecurity until after an attack.”
According to the CSA, K-12 institutions are also attractive targets given “the amount of sensitive student data accessible through school systems or their managed service providers.” Last year, an NBC News investigation found that ransomware groups had published sensitive personal data on American schoolchildren from more than 1,200 schools.
Frank W. Abagnale, a world-renowned identity fraud expert, has described why cyber criminals prefer to steal the identities of younger people in this way: “I’ll take the student every time. Because a child has no credit, and the child is not likely to seek credit for many years. So I can steal the identity of a two-year-old, I can be that two-year-old for a long period of time before anyone ever finds out I’ve stolen that two-year-old’s identity. That’s why on the black market a two-year-old’s identity sells for a lot more than a 14-year-old’s, simply because you have a lot longer to sell it.”
New-School Ransomware Attacks Target Faculty and Staff Endpoints as an Entry Point
With the benefit of ransomware-as-a-service platforms, it’s easy for just about anyone with internet access to launch an attack on a school. In fact, 56% of K-12 schools worldwide report being hit by ransomware in the last year.
“By and large, ransomware attackers are getting in from local endpoints, such as network-connected PCs, Macs and laptops used by staff and faculty members,” Kenslea explains. Even if anti-virus is installed on the machine, attackers can often slip past it: these tools rely primarily on signatures of known threats and known behavior patterns, so they frequently miss targeted and novel variants (remember, ransomware is constantly changing).
Oftentimes, these endpoint devices have active accounts with local admin rights, which enable device users to perform tasks such as running system or software updates, controlling files and using hardware. The trouble is, those admin rights are exactly what many ransomware attackers need to move further into an environment, deploy malware, encrypt files and hold them for ransom. In almost every instance, attackers look for ways to penetrate, linger and lurk on a system, waiting for opportunities to move laterally and then escalate privileges by compromising accounts with local admin rights.
Even if they aren’t meant to have local admin rights, users sometimes wind up with them anyway. “Scrambling to fill vacant positions, schools are issuing new staff members laptops and getting them into classrooms in a hurry. People make mistakes, especially when they’re rushing,” says Kenslea. Even when schools are on top of managing their Active Directory, they often overlook access control lists (ACLs) on endpoints and group memberships left over from earlier deployments, and those legacy privileges can be exploited.
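The drift described above (a user who was never meant to hold local admin rights but ended up with them) is something an IT team can check for on every Windows endpoint with a few lines of PowerShell. The script below is an added example written for this page, not code from CyberArk or from the advisory; it compares the local Administrators group against an approved allow-list and reports any extra member. The approved names (the built-in Administrator account and a hypothetical domain group SCHOOLDISTRICT\IT-Endpoint-Admins) are placeholders to be replaced with the district’s own; it assumes Windows 10/11 with the built-in LocalAccounts module that provides Get-LocalGroupMember.

```powershell
# Added example (not from the original post or CyberArk): audit the local
# Administrators group on a Windows endpoint against an approved allow-list
# and report any member that should not be there, so IT can review and remove it.
# Assumes the built-in LocalAccounts module (Windows 10/11, Server 2016+).

# Approved members: constructed placeholders for this example, not real accounts.
$Approved = @(
    'Administrator',                       # built-in local admin (disable/rename per policy)
    'SCHOOLDISTRICT\IT-Endpoint-Admins'    # hypothetical domain group for IT staff
)

function Get-UnapprovedLocalAdmins {
    param(
        [string[]]$ApprovedMembers = $Approved
    )
    # Get-LocalGroupMember returns objects with Name ('COMPUTER\user' or
    # 'DOMAIN\group'), ObjectClass (User/Group) and PrincipalSource.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        # Compare both the fully qualified name and the bare account name, so a
        # local 'Administrator' matches regardless of the computer name prefix.
        $short = $m.Name.Split('\')[-1]
        if (($ApprovedMembers -notcontains $m.Name) -and ($ApprovedMembers -notcontains $short)) {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass
                PrincipalSource = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD
                SID             = $m.SID.Value
            }
        }
    }
}

$drift = @(Get-UnapprovedLocalAdmins)
if ($drift.Count -gt 0) {
    $drift | Format-Table -AutoSize
    # Keep a record for the help desk or SIEM; path is an example location.
    $drift | Export-Csv -Path "$env:TEMP\local-admin-drift.csv" -NoTypeInformation
} else {
    Write-Output "No unapproved members in local Administrators on $env:COMPUTERNAME"
}
```

Run it under an account that can read local group membership, or push it to the fleet with Invoke-Command or a scheduled task and collect the CSVs centrally. Two caveats worth knowing: Get-LocalGroupMember throws on orphaned SIDs (members whose domain object no longer exists), which is itself a finding worth cleaning up, and the script only reports; removal is a separate, deliberate step (Remove-LocalGroupMember -Group 'Administrators' -Member <name>) so that a mistaken allow-list does not lock out the one person who is supposed to administer the machine.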
The obvious solution would be to just take local admin rights away, right? Not so fast, Kenslea warns. “Education is an open, collaborative environment; teachers share with students, parents and colleagues across the country and the world. Removing local admin rights on all endpoints will create friction and pushback – like when the superintendent can’t even install a printer or read a textbook file. And as they say, ‘You don’t want that smoke.’”
“It can’t be an all or nothing thing,” he continues. “It’s about finding a better balance between permission control and giving very overworked people the access they need to do their jobs.”
Ransomware Blocking at the Endpoint, the Biggest Bang for Schools’ Risk Reduction Buck
In the recent CSA, the FBI, CISA and the MS-ISAC highlight detailed defense-in-depth recommendations for the education sector. Some of these mitigations can be done quickly, such as adding an email banner to emails received from outside the organization. Other steps, such as network segmentation, will take more time and ongoing effort.
For most K-12 schools, ransomware protection ultimately comes down to budget and strategic prioritization. “Since they can’t do everything, schools are looking for the biggest cyber risk reduction ‘bang for their buck,’ in the shortest amount of time possible,” says Kenslea.
“Hardening the endpoint – where ransomware attacks so often begin – is the best place to start,” he continues. To do this, he urges schools to follow the CSA’s guidance: immediately address known vulnerabilities, enforce multifactor authentication (MFA) for high-impact actions wherever it isn’t already required, and get serious about cybersecurity training so faculty can recognize phishing and other credential theft attempts.
As a backstop to those three mitigation steps, he offers a fourth recommendation: “Find a flexible, automatic way to control local admin rights and applications, giving staff, faculty members and other users the lowest clearance level possible that allows them to perform their role.” Also known as least privilege enforcement, this defense-in-depth protection can be rolled out quickly to help schools strengthen their security posture, reduce ransomware exposure and focus on what matters most – shaping lives through learning.