It is being reported that an increasing number of schools and school districts are being hit by ransomware attacks - crippling essential systems used by students and the education community. If your school is hit by ransomware, how can you communicate with students, teachers, and parents?
The majority of schools use information and communications technology (ICT) to create, store, share, and manage information. ICT tools have become integral to teaching-learning interaction, and in one study (PDF) were found to foster an environment of “togetherness” among students, enhance critical thinking, and improve communication skills.
In many circumstances ICT tools are also used in schools to enhance communication and collaboration between teachers and parents. In this age of digitalization, schools promoting family-school partnerships rely heavily on ICT tools to keep parents informed, monitor improvements among students, and develop more effective teaching strategies.
In many respects ICT tools have become the backbone of education and many administrative tasks involved in the education process. Without them, education would not grind to a halt, but the long-term non-availability of ICT tools would create serious disruption in schools and school districts. This is why the reported increase in ransomware attacks on schools is so concerning.
How Ransomware Attacks Work
Ransomware is a type of malicious software (“malware”) that encrypts files on a computer, making the files unreadable by the computer operating system. Typically the malware is inadvertently downloaded onto an individual's computer via an infected link in a phishing email or compromised website, from where it spreads through the network via shared drives, servers, and other connected components.
Once the malware has been deployed successfully and the user's files are encrypted, it displays instructions on how to pay a fee (the “ransom”) in order to get the decryption key. The ransom can range in value from hundreds of dollars to hundreds of thousands of dollars, and payment is usually demanded in an anonymous cryptocurrency (e.g. Bitcoin) so the attacker(s) cannot be traced.
There is often a time limit specified to pay the ransom before the decryption key is destroyed. If the ransom is not paid, the data is not necessarily lost forever. If computer systems are backed up regularly - and the copies kept isolated from the network - the saved data will not be encrypted by the malware and the system can be restored. Alternatively, as ransomware tends to be distributed in “families”, federal agencies (e.g. the FBI) may have already cracked the encryption code and be able to provide ransomware victims with the decryption key free of charge.
Are Schools being Targeted for Ransomware Attacks?
While it is being reported that schools are increasingly being targeted for ransomware attacks, that's not necessarily true. Schools have been victims of ransomware attacks for many years, but they are not usually targets because they are not “well-off” and attackers can't demand the huge ransoms they can get from enterprise-scale businesses (up to $8.5 million according to research conducted by Beazley Breach Response Services).
One of the earliest reported cases concerns the Swedesboro-Woolwich School District in New Jersey, whose computer systems were down for two weeks in 2015 following a ransomware attack. In 2016, teachers and students in the Horry County School District in South Carolina were locked out of computer systems for three weeks - despite the school district promptly paying the ransom demand - and in 2017 it was reported “Education is now the Nº 1 target for ransomware attacks”.
Unlike healthcare organizations and businesses subject to SOX compliance, schools don't have to report cyberattacks to regulatory authorities - so often they don't. What's happened in recent months to prompt the reports of increasing ransomware attacks on schools is that more schools are taking advantage of cybersecurity insurance and, when their insurers pay a ransomware demand, the payment of the demand is recorded.
What to do When Hit by a Ransomware Attack
Nonetheless, due to limited IT security resources and a user base that is typically naive about cybersecurity, schools are suffering ransomware attacks. If this happens at your school or school district, the first thing to do is to get every user to disconnect from the network as quickly as possible. Then report the attack to the appropriate authorities, as the encryption code may already have been cracked and the system could be up and running again in hours.
If the decryption key is not yet available, the next course of action depends on whether your school has a recent “clean” backup. Certain types of ransomware can sit dormant in a computer system for a long time before being activated remotely; so, just because a recent backup exists, it doesn't mean data can be restored. It may be necessary to engage a security expert with forensic IT skills to determine at what stage malware was downloaded onto the system.
If no clean backup exists, it will likely be necessary to pay the ransom demand. Schools and school districts with cybersecurity insurance coverage should check the terms of their policies to ensure they are covered against ransomware, as a number of insurers regard ransomware attacks as “acts of war” and are refusing to pay claims. Even then, it may be weeks - as in the case of Horry County School District - before computer systems are operable again.
Communicating with Students, Teachers, and Parents during a Ransomware Attack
During a ransomware attack - when it is essential users disconnect from the system as quickly as possible - the best way to communicate with students, teachers, and parents is through an emergency communication system. Some emergency communication systems work from any Internet-connected device, and use multiple channels of communication to get critical messages to the right people in the shortest possible time (obviously don't connect the device to the school's Wi-Fi network).
While computer systems are down, school administrators can use mass notification to keep students, parents, and teachers updated with news about the attack in order to stop them logging in “just to see if it works”. Furthermore, administrators can set up dedicated communications between the school and students, between the school and parents, and between the school and staff.