California Schools Face Rising Ransomware Threats

Sixth grade teacher Hilary Hall had just started teaching one Monday morning in September when her teacher’s group chats at Newhall School District exploded with confused messages. Teachers in the Santa Clarita school district — located just north of Los Angeles — were panicking.

While Hall had no issues logging onto her computer from home, many of her colleagues, connected to the school district’s server, were met with a mysterious pop-up message.

It said users wouldn’t be able to log into the server.

People turned to Hall, co-president of the district’s teachers union, for information, but she didn’t know what was going on either.

A few minutes later, an answer arrived via phone call from each grade’s head teacher: The school district, all 10 schools representing under 6,000 children, had been hit with a ransomware attack. All teachers were instructed to log off immediately.

“Read a book!” Hall told the kids in her class, trying to think of educational activities on the spot as she quickly logged off.

While incidents like the Colonial pipeline ransomware attack and the Kaseya attack received international attention, schools and universities have also been on the wrong end of cybercriminals.

Experts interviewed by CalMatters — including researchers, cybersecurity companies, IT employees and the FBI — all agree the number of cyberattacks has increased during the pandemic. Many believe the number of attacks on the education sector has also increased, but it’s an area so new to cybercrime that there’s virtually no comprehensive data on it.

California schools, colleges and universities have scrambled to adjust. In the past five years, more than two dozen California school systems have been targeted, from Rialto Unified School District in San Bernardino to Stanford University’s School of Medicine.

Prior to the ransomware attack last September, Newhall had implemented what experts consider commonsense security measures like internal firewalls to prevent malicious software from affecting entire systems. A few times a year, the IT department even sent students and employees fake “phishing” emails — deceptive emails enticing users to click on malicious links or reveal sensitive information — to see if they would click on suspicious links that could compromise their networks.

But none of these efforts stopped cybercriminals from attacking the district’s computer systems and rendering over 6,000 elementary school students and teachers without normal school for a week.

“When we heard that it was ransomware, it was almost like, ‘Are we in a movie?’ Like, what in the world?” Hall said.

How Ransomware Attacks Work

Ransomware attacks use a specific type of malicious software to encrypt files on computers connected to the internet, essentially locking out organizations from accessing their files. The cybercriminals then demand a ransom to decrypt the files.

Sometimes, these attacks are “double-pronged,” meaning the criminals will threaten to sell (or when there’s potential for blackmail, release) sensitive information in order to provide an extra incentive for fast payment. Coveware, a well-known Connecticut-based ransomware recovery firm, found that 77% of ransomware attacks threatened to leak data in the first quarter of 2021.

Emsisoft, a New Zealand-based software company, expects these data theft attacks to double in 2021, with cybercriminals finding more ways to make stolen data useful in extracting a ransom.

The FBI’s Internet Crime Complaint Center, which tracks complaints of cybercrimes (not just ransomware), said it received 791,790 complaints in 2020, a 165% increase from 2016. The complaints only reflect crimes reported to the FBI, so the actual number in any given year is larger.

And as COVID-19 forced many organizations, from schools to huge corporations, to move even more of their systems online, cybercrime increased, said Ronald Manuel, a supervisor on the FBI’s Los Angeles cyber task force.

Schools and universities confronted an unprecedented increase in attacks.

In 2020, cybercriminal attacks affected at least 1,681 schools and universities across the country, according to research by Emsisoft. In 2019, only 89 were attacked with ransomware, although over 1,000 more were potentially affected. These numbers represent a minimum of ransomware attacks, Emsisoft said — there are no federal reporting requirements.

Seculore Solutions, a software company based in Maryland, has recorded 122 cyberattacks in California across the public safety, government, medical and education sectors since 2016. At least 26 of those cyberattacks have targeted California school districts, colleges and universities, including the University of California, Sierra College, College of the Desert and Visalia Unified School District.

If the data on cyberattacks seems sketchy and incomplete, that’s because it is. Nick Merrill, a cybersecurity researcher at UC Berkeley, said he doesn’t know of an archive for cyberattacks in California. “But if you find one, please let me know,” he wrote in an email to CalMatters.

While it’s ultimately a mystery how ransomware crews pick their specific targets, the education sector is vulnerable for a few reasons, according to multiple experts. Tight budgets prevent them from having the resources to stop cyberattacks. Unique characteristics — like an open WiFi network — make schools particularly vulnerable. And they are also dependent on their online systems: They wouldn’t be able to function without grading systems or other file-sharing software.

“They’re essentially low-hanging fruit,” said Andrew Brandt, a malware researcher with SophosLabs.

Schools could also be a quick and easy payout for “ransomware crews” who make a living off of these attacks, Merrill said. Experts believe that many of these cybercriminals are located in Russia or the former USSR, where ransomware is a lucrative business in an otherwise depressed economy.

“There are a lot of them, so you can keep hitting these (schools and colleges) all across the U.S., all across maybe even the world, and you can get a pretty consistent payout every time,” Merrill said.

But while ransomware attacks are increasing in schools across California and the country, key players are struggling to play catch-up. School administrators, experts and government officials are having different conversations, if any at all.

Do you pay ransomware attackers or not?

The week of the ransomware attack at Newhall School District, teachers uploaded videos to the school district’s website as a form of makeshift online school. All students in the district watched the same videos. Hall said some of her students felt that week was “a bit of a waste,” because the lesson plans were so generic. She said teachers felt guilty about “leaving our kids stranded without our support.”

Meanwhile, the district’s four-person IT department was working overtime. The district’s 310 teachers were at a standstill until the systems were online and ransomware-free.

Luckily, the district had purchased cyber insurance a few years back. Its insurer — Alliance of Schools for Cooperative Insurance Programs — contracted with Alvaka, an advanced network services and security company, to help retrieve files, according to one Newhall administrator. District officials would not say if they paid the ransom or not. Doing so would be considered controversial; the FBI advises against paying ransoms.

But Superintendent Jeff Pelzel did say teachers’ intellectual property — their lesson plans — were taken into consideration.

“Of course, the FBI doesn’t want anyone to pay anything for the ransom,” Pelzel said. But if you put a dollar value on the time it takes to make lesson plans, some of which have been developed over a decade, it can become difficult to decide whether to pay or not. “It would be devastating for staff.”

By the next week, students and teachers were able to access their online classrooms again. Within a few months, most of the district’s other programs and servers were running.

Newhall has since upped its cybersecurity efforts: more frequent phishing exercises, required cybersecurity training for every employee, more operations in the cloud and two-factor authentication for administrators, among other measures.

Ransomware protocols for schools still evolving

A couple of months after the ransomware attack, Newhall applied for an exemption from the California Department of Education to add days onto the end of the school year. These are typically granted for school shootings, wildfires and other emergencies where students had missed days of quality instruction from school.

But the department initially denied Newhall’s request, only to reverse itself about half a year later. Cyberattacks did not meet the state’s criteria and it took months of advocacy from Pelzel to reverse the decision.

Pelzel has said the federal government should fund cybersecurity for all school districts. He also called for a crisis manual for ransomware attacks, similar to crisis procedures for active shooters and earthquakes.

“In general, we live in a society where governments are reactive rather than proactive,” Brian Walters, president of Newhall’s school board, said. “It takes usually some sort of disaster for people to take a hard look at what needs to be improved. California is frankly, behind … but eventually (it shows) a history of catching up.”

Trade organizations — including the California School Boards Association and Association of California School Administrators — don’t offer cybersecurity resources or guidance and directed CalMatters to the California Department of Education.

But the department started working on cybersecurity for schools just recently.

Mary Nicely, the department’s point person for cybersecurity efforts, said she was tasked with working on cybersecurity just a few weeks ago, although the department’s data management team had previously provided resources to help schools understand digital literacy.

“We can’t say, ‘Hey, everybody put your money into cybersecurity or allocate this much of your budget to that,’ ” Nicely said. “Those are individual decisions of the school districts. I think we should be giving more guidance in that area. I don’t think (the California Department of Education) has done that in the past.”