The back-to-school season has already been stressful for schools and families. Now a spate of ransomware attacks targeting K-12 schools has made it even more challenging.  In May 2020, the FBI warned schools about the increasing risk of ransomware attacks during the pandemic. The agency warned that cyber actors would likely increase targeting of K-12 schools as an "opportunistic target" as more institutions shift from in-person learning to online classes and teachers and staff rely on remote access connections.

Maze is a particularly sophisticated strain of Windows ransomware that has attacked companies and organizations around the world and demanded that a cryptocurrency payment be made in exchange for the safe recovery of encrypted data.  Similar to other ransomware seen in the past, Maze can spread across a corporate network, infect computers it finds and encrypts data so it cannot be accessed. What makes Maze ransomware more dangerous is that it also steals the data it finds and exfiltrates it to servers controlled by malicious hackers who then threaten to release it if a ransom is not paid by their deadline. Increasingly, other ransomware (such as REvil, also known as Sodinokibi) have been observed using similar tactics.

It appears that Maze ransomware gang is not only capable of writing sophisticated malware. They have also found a very effective way of increasing the pressure on its corporate “clients” to pay up.  Cyber threat investigators have determined that these attackers saw that many organizations now have established backup protocols in place and realized that they needed to up the ante if they were to maximize their potential criminal earnings.

The first day of in-person and online classes had to be postponed in Hartford, Connecticut, last week after a ransomware virus caused an outrage of critical systems, including those that communicate bus schedules and routes.

Newhall School District in California canceled online classes Tuesday due to a ransomware attack. In New Jersey, the Somerset Hills School District shut down on the second day of classes because of an unexpected network disruption.  It was later determined to be ransomware that targeted a limited portion of the network.

One of the largest school districts in the country, Fairfax County Public Schools in Virginia, was attacked last week during the first week of classes. The attack did not disrupt remote learning but according to InfoSecurity Magazine the hacking group Maze, a group that has been extensively covered by Red Sky Alliance after their attack of Chubb Group - successfully lifted student, staff, and faculty data from the network. As proof, the group uploaded about 2% of the data they stole and demanded payment to restore the systems and the data, a common ransomware tactic. The Fairfax school district said it was currently working with the FBI and its cybersecurity consultants to investigate the scope of the data compromise.

In the same week, the Maze group also targeted the Clark County School District, the largest public-school district in Nevada. The CCSD announced it was "the victim of a criminal ransomware attack" that likely targeted the personal data of current and former teachers and staff. The school district, which includes Las Vegas, said it was working with law enforcement to investigate the matter and restore systems to secure, full functionality.

The Maze group also appears to have launched a similar attack in Ohio last week targeting the Toledo Public Schools.

Even before the pandemic, schools were easy targets for cybercriminals because many rely on legacy systems and relatively few have paid sufficient attention to their IT and cybersecurity defenses, including basic preventive measures like consistently backing up critical data.  In addition, children’s identities, birth dates and Social Security number are attractive targets and easy to sell on the dark web forums.  With these pieces of information, hackers can apply for driver’s licenses, passports, credit cards and loans.

The shift to entirely remote learning or hybrid models during COVID-19 has made those vulnerabilities even easier to exploit. A single ransomware attack can lock out teachers and administrators and essentially cancel classes for days or longer. "That is, I think, why school districts are perceived as being especially ripe targets right now," said Scott Shackelford, the cybersecurity program chair at Indiana University, Bloomington.

According to Emisoft, a security software company, there have been at least 53 school districts hit with ransomware attacks since the start of 2020. Last year, hackers targeted some 1,233 individual K-12 schools at the cost of roughly $7.5 billion. The use of ransomware is going to become "increasingly standard practice," Emsisoft reported, while the risks and costs associated with an attack continue to grow.

That was how the Athens Independent School District in Texas dealt with its ransomware attack earlier this summer. Ahead of the first day of school, hackers encrypted all of the data on school servers, multiple data backups and a few hundred computers. Teachers and administrators were locked out, unable to access communications, student schedules, assignments and grades.

After the attack postponed the first day of classes by one week, the school district agreed to pay hackers the $50,000 ransom in cryptocurrency. "We can’t afford to not pay it," AISD Board President Alicea Elliott said.

Ultimately, school boards have to be encouraged to adopt cybersecurity best practices, including investing in IT security, backing up and securing data, having a strong identity management system, like multifactor authentication and educating staff about how they can reduce vulnerabilities.

A typical ransomware attack may begin with something as simple as a phishing email sent to hundreds, thousands or just a few potential victims with a file containing malware. Once the victim has downloaded and opened the file or otherwise been convinced to turn over administrative access to their network, the bad actor can take over.

Most often, criminals will encrypt files to prevent users from accessing them and demand payment for returning access to the user. Often they restore access, other times they don't. In the case of the Maze hackers, they not only locked down networks but also stole personal data. Those attacks raise the stakes and the probability of a double-payday for hackers selling the data on the dark web. Some of the worst consequences of a typical ransomware attack on a school will be the disruption of classes. In cases where the attack also involves the theft of personal data, parents, teachers and staff are encouraged to take precautions to protect their identity.

Adults can protect against identity theft through credit monitoring and monitoring their financial accounts. The challenge is different for parents who are concerned that their child's personal data may have been exposed and/or sold to others.

Red Sky Alliance has been has analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.

The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks.  Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.

Link to RedXray collection and analysis tool: https://www.wapacklabs.com/redxray

What can you do to better protect your organization today?

  • All data in transmission and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Implement 2-Factor authentication company wide.
  • Join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
  • Institute cyber threat and phishing training for all employees, with testing and updating.
  • Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network.  Ransomware protection is included at no charge for RedXray customers.
  • Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.


Red Sky Alliance is   a   Cyber   Threat   Analysis   and   Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.



E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance