11 New US School Districts Compromised by Ransomware, a Total of 72 Educational Institutions in 2019, Reports Armor

Over 200 Schools Potentially Affected in Latest Attack Wave

Armor, a global security solutions provider, has identified 11 new U.S. school districts (comprising 226 schools) that have been compromised by ransomware since late October. From January 2019 to date, Armor has identified a total of 72 school districts and/or individual educational institutions that have publicly reported being victims of ransomware. These attacks have potentially impacted 1,039 schools nationwide. Of the 11 school districts hit in this latest attack wave, only one (Port Neches-Groves) has reported paying the ransom, without disclosing the sum; three (Wood County, Penn-Harris-Madison, Claremont) reported refusing to pay; and seven have not revealed whether they paid.

Number of Ransomware Victims in 2019
Armor has identified 269 publicly announced ransomware victim organizations in the U.S. since January 1, 2019. Municipalities continue to lead the victim list at 82, followed closely by school districts and/or educational institutions at 72, then 44 healthcare organizations and 18 Managed Service Providers (MSPs) and/or Cloud-Based Service Providers.

Education Ransomware Victims in 2018
According to the K-12 Cybersecurity Resource Center, K-12 schools experienced 119 cyber incidents in 2018. They attribute 9.76% of those incidents (approximately 11 schools) to ransomware. According to Chris Hinkley, Armor’s Head of the Threat Resistance Unit (TRU) research team, schools and municipalities continue to be very desirable targets for ransomware threat actors because these types of organizations host a lot of important, sensitive data that communities need in order to function properly. The cybercriminals also know that these entities often do not have sufficient cybersecurity protections in place. “The attackers know that the services these organizations provide are critical to their communities, and they also know that schools and municipalities are typically more vulnerable to security attacks because of their limited budgets and lack of IT staff,” said Hinkley. “This combination can give the threat actors a tremendous advantage over their victims because they know these entities cannot afford to shut down and are often more likely to pay the ransom.”

11 U.S. School Districts Identified as a Victim of Ransomware Since October 20

  • Wood County Schools, Parkersburg, West VA
  • Port Neches-Groves Independent School District, Port Neches, TX
  • Penn-Harris-Madison School Corporation, Mishawaka, IN
  • Livingston New Jersey School District, Livingston, NJ
  • Chicopee Public Schools, Chicopee, MA
  • Claremont Unified School District, Claremont, CA
  • Sycamore School District 427, DeKalb, IL
  • Maine School Administrative District #6, Buxton, ME
  • Lincoln County School District, Brookhaven, MS
  • San Bernardino City Unified School District, San Bernardino, CA
  • Las Cruces Public Schools, Las Cruces, NM

Effects of Ransomware on Schools

Wood County Schools (Parkersburg, West VA) — On Thursday, November 7, the computer systems for the Wood County schools were hit by ransomware. According to local news reports, the ransomware attack took down the Internet-based phone systems for 6 of the 22 schools in the district. The attack also prevented administrators and teachers from accessing their desktop files and caused school doors to not open and close properly. School officials stated that no data has been exposed. School officials opted not to pay the ransom but to rebuild the servers.

Wood County Schools has insurance against cyberattacks, with a deductible of $2,500. The school district is insured by the West Virginia Board of Risk and Insurance Management (BRIM), which provides casualty insurance coverage for all West Virginia state agencies.

Port Neches-Groves Independent School District (Port Neches, TX) — Port Neches-Groves school employees were unable to access school computers beginning on November 12 due to a ransomware attack. The district of 11 schools in a town of just over 13,000 residents paid an undisclosed ransom amount to recover its files. School officials said the school district had insurance for this “type of attack.” Daniel Fontenot, the director of information services, safety and homeland security for the district, said of the ransom amount that it was “up there.” Fontenot also said the school district’s systems were almost completely up and running by Monday, November 18. He also said the school had a backup structure in place, along with firewall protection and antivirus software. School Superintendent Mike Gonzales told reporters that the attackers entered the district’s computers via a malicious email.

Penn-Harris-Madison School Corporation (Mishawaka, IN) — On November 12, as many as 15 schools, which comprise the Penn-Harris-Madison School Corporation computer network, were affected by a ransomware attack that knocked out “all internal network systems” districtwide. According to alerts sent to families and staff, systems shut down because of the attack included Canvas, used by middle and high school students to access and submit work, and Skyward, used to track attendance and share information with families. The district, which had an up-to-date backup system, restored access within a week.

Livingston New Jersey School District (Livingston, NJ) — The Livingston New Jersey School District discovered a ransomware attack on the school’s servers on November 21. School officials said the hackers took data hostage from all nine schools in the district, affecting 6,000 students, and the attack affected the school district’s internet, staff email, phone system, and the district’s Genesis platform for posting and viewing grades and report cards online. On December 6, two weeks after the ransomware attack, the school district’s internet and phone systems were up and running, but they had not recovered access to all of their files. In the first week of December, their IT experts began cleaning the district’s 4,000 computers to ensure that they were virus-free. A local news outlet reported that the school district said it does have insurance for cyberattacks, which they expected to pay for at least some of the recovery expenses.

Chicopee Public Schools (Chicopee, MA) — On November 15, Chicopee Public Schools was struck by ransomware that affected some of their Windows-based servers and workstations. A local news report stated that the ransom demanded was $300,000 and that Ryuk was the ransomware which hit the school district. However, Armor has not been able to confirm this information as of yet. The school district did not pay the ransom, but rather worked to restore all of the affected servers and workstations. Teachers used Chromebooks and iPads to maintain classes and lesson plans. Chicopee city leaders credited the school district’s success in recovering their Windows-based systems to a good backup strategy.

Claremont Unified School District (Claremont, CA) — The Claremont Unified School District (CUSD) was hit by a ransomware attack on November 21, shutting down their email system and many of their Internet services. The district contains 11 schools serving 7,000 students. Following the incident, CUSD Superintendent Jim Elsasser reported, “we have teams working with experts and working around the clock to get us back online as soon as possible.” Elsasser also said that every computer in the school district had to be worked on, and the school district unplugged its internet as a precaution. As of December 3, the district’s Internet services were still not restored. Claremont High School, one of the 11 schools in the district, posted this message on its school website on December 3: “Internet access throughout CUSD continues to be down. If you need to contact your child’s school, please call or go to the school office. Email is not available to any staff or for any attendance needs. For attendance reporting, please call the school’s attendance line or provide a written note to the attendance office. Programs hosted on outside servers are available, such as Parent/Student Connect and Canvas. They can be accessed through the district website, which is also functioning…”

Sycamore School District 427 (DeKalb, IL) — As many as 7 schools may have been impacted when a ransomware attack was reported on December 3 in DeKalb, Illinois. On the district’s website, Superintendent Kathy Countryman stated that internal servers had been compromised but this did not affect the district-wide email system, phone system, website, student information systems or building alarm systems. Additionally, district-owned Chromebooks and files stored within the cloud-based Google Suite for Education, were not a part of this incident.

Maine School Administrative District #6 (Buxton, ME) — On November 30, the Maine School Administrative District #6 suffered a ransomware attack. According to a press release issued by the school, a server containing sensitive personal information about the school district’s employees was encrypted. This information included Social Security numbers, dates of birth, mailing addresses, bank account information and income information. School officials said they did not know if any of this information was accessed by threat actors. However, they have notified all current and former school district employees, and the district is working with the Secret Service. A local news station reported that no student information had been affected and that “all affected devices have been quarantined and are being scrubbed.” As of December 5, school officials reported that the files on the server remain encrypted.

Lincoln County School District (Brookhaven, MS) — Lincoln County School Superintendent Mickey Myers confirmed on Monday, November 4, that the Brookhaven, MS school district was hit by a ransomware attack, which adversely affected multiple systems in their network. Phone systems and internet communications at the schools went down as a result of the attack. As of November 8, the school district stated that they were “nearly finished restoring their communication systems.”

San Bernardino City Unified School District (San Bernardino, CA) — A ransomware attack on district computers in a network of 72 schools with some 53,000 students in San Bernardino occurred on October 19. The attack affected the district’s internal email network (preventing email communication with faculty and staff), forced student attendance to be logged manually, and made certain tech-based teaching tools unavailable.

Las Cruces Public Schools (Las Cruces, NM) — On October 29, Las Cruces Public Schools voluntarily shut down their entire network (including all computers and servers). In response to the ransomware attack, they requested that all principals, teachers and students completely shut down their district laptops, Kindles and iPads. As a result of the voluntary shutdown, teachers in the Las Cruces Public Schools were forced to record grades and take attendance with pencil and paper as the school district began their cleanup. The school district’s central office maintained communication with the schools and district sites during the shutdown via handheld radio and phone. School officials also stated that each and every computer in the district had to be cleaned in “an effort to avoid another ransomware attack,” so they planned on wiping the hard drive and reinstalling the operating system of each of the 30,000 district devices. School officials said this is the third time in the past six years that the school district has been attacked by cybercriminals. The district, consisting of 42 schools, was still recovering two weeks after the October 29 attack.

Armor Security Tips for Combating Ransomware

  • Offline Data Backups – users must have multiple backups of their critical data, applications, and application platforms. These backups must be air-gapped from the internet and password protected.
  • Whitelisting Solution – limits the applications and processes that are allowed to run in your environment to a short list of approved applications and processes. Like a VIP list for your PC: if it’s not on the list, it’s not allowed.
  • File Integrity Monitoring – monitors your IT environment 24x7x365 for changes to critical OS files and processes, directories, registry keys, and values. It also watches for changes to application files, rogue applications running on the host, unusual process and port activity, and system incompatibilities.
  • Practice Least Privilege Access Control – ensure each user has only the privileges required for their job. This also applies to services.
  • Audit/Penetration Testing from Independent, Third-Party Experts – to verify that you are implementing best practices.
  • IP Reputation Monitoring/Blocking – blocking known bad infrastructure and actors.
  • Continuous Security Awareness Training – educate employees about current and emerging cybersecurity risks and phishing emails. Effective training should actively engage employees and include policies concerning the correct response to suspected phishing attempts.
  • Endpoint Protection Solution – includes protection, detection and response capabilities for laptops, workstations and mobile devices. Uses antivirus (AV) and antimalware (AM) to block cyberattacks, and to quickly detect and remediate any malicious activity or infection that has made its way onto the endpoint.
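The File Integrity Monitoring tip above is easy to prototype: hash a baseline of critical files, re-hash later, and flag the mass modification/deletion pattern that distinguishes an encryption wave from ordinary edits. This is an added example, not Armor's product or any district's tooling; the monitored tree, file names, contents, the ".locked" suffix and the 50% change threshold are all constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed illustrative suffixes; real families use many different ones.
SUSPECT_SUFFIXES = {".locked", ".encrypted"}

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map relative path -> digest for every file under root (the trusted snapshot)."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(root: Path, baseline: dict) -> dict:
    """Diff the current tree against the baseline: modified, deleted and added paths."""
    current = build_baseline(root)
    return {"modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
            "deleted": sorted(k for k in baseline if k not in current),
            "added": sorted(k for k in current if k not in baseline)}

def looks_like_ransomware(report: dict, baseline_size: int, threshold: float = 0.5) -> bool:
    """Alert when most baselined files changed or vanished at once, or when new files
    carry a suspect suffix; a single edited document stays below the threshold."""
    touched = len(report["modified"]) + len(report["deleted"])
    suffix_hits = [f for f in report["added"] if Path(f).suffix.lower() in SUSPECT_SUFFIXES]
    return touched / max(baseline_size, 1) >= threshold or bool(suffix_hits)

def demo() -> tuple:
    """Constructed scenario: one benign edit, then a simulated encryption wave."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name in ("grades.csv", "attendance.csv", "lesson.docx", "notes.txt"):
            (root / name).write_text(f"constructed content of {name}\n")
        baseline = build_baseline(root)
        (root / "notes.txt").write_text("edited notes\n")        # normal teacher edit
        benign = looks_like_ransomware(compare(root, baseline), len(baseline))
        for name in ("grades.csv", "attendance.csv", "lesson.docx"):
            p = root / name
            p.write_bytes(os.urandom(32))                        # content replaced
            p.rename(p.with_suffix(p.suffix + ".locked"))        # suffix appended
        hostile = looks_like_ransomware(compare(root, baseline), len(baseline))
        return benign, hostile
```

Keep the baseline itself on the offline, password-protected backup media the first tip calls for; a baseline stored on the monitored host can be encrypted along with everything else.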