The FBI, CISA and MS-ISAC on Ransomware in School Districts: What’s Happening and How to Respond 

Since the pandemic-induced surge in online learning, school districts around the country have increasingly become targets of ransomware attacks. In fact, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) recently issued a warning about a rise in ransomware attacks as the 2022/2023 school year begins. Schools are particularly at risk because they run open, cloud-based environments so that students and faculty enjoy easy access to network resources.

Read on to learn what prompted the warning and ways school districts should respond to reduce their risk.

Why the Warning?

The announcement came on the heels of a successful attack against the Los Angeles Unified School Department – one of the nation’s largest school districts – in early September. The attack targeted the district’s facilities systems, which house information about private-sector contractor payments (data publicly available through records requests). While the district did not pay ransom, it was forced to change passwords for 540,000 students and 70,000 district employees.

In 2022 alone, 26 U.S. school districts, including Los Angeles, and 24 colleges and universities have been hit by ransomware, eight of them since August 1. Often, cybercriminals steal sensitive information and threaten to release it online if ransom isn’t paid. That was the outcome for at least 31 of the schools hit this year.

The FBI, CISA and MS-ISAC bulletin highlighted a growing number of ransomware attacks against schools by a group called the Vice Society. It detailed that the group’s actors “likely obtain initial network access through compromised credentials by exploiting internet-facing applications.” The bulletin further explains the technical details associated with these exploits.

While the federal agencies noted that school districts with limited cybersecurity capabilities and constrained resources are most vulnerable, they underscored that even those with robust cybersecurity programs are at risk. Specifically, their bulletin said, “K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems.”

How Schools Can Better Protect Themselves

To reduce the likelihood and impact of ransomware incidents, the federal bulletin recommended that schools take the following actions immediately:

  • Prioritize and remediate known exploited vulnerabilities, which the agencies list here.
  • Train users to recognize and report phishing attempts. Make sure students and employees know what to do in the face of potential phishing attacks. We at Nuspire have previously shared recommendations for hardening against these attacks.
  • Enable and enforce multifactor authentication (MFA). Mandate phishing-resistant MFA, particularly for any systems, applications and accounts accessing critical systems.

Visit the Mitigations section of the federal bulletin for more suggestions, including that organizations:

  • Establish and maintain strong relationships with the local FBI Field Office and CISA Cybersecurity Advisor for assistance identifying vulnerabilities and mitigating potential threat activity. Organizations can find the location and contact information for FBI Field Offices and CISA Regional Offices at www.fbi.gov/contact-us/field-offices and www.cisa.gov/cisa-regions.
  • Enforce strong password policies that comply with National Institute of Standards and Technology (NIST) standards.

Take Advantage of Managed Security Service Provider Expertise

At Nuspire, we closely monitor cybersecurity and threat trends, including ransomware attacks. Knowing that ransomware is here to stay, we find organizations are best able to combat these threats by ensuring 24/7 visibility into their environments and the ability to proactively detect and respond to attacks. For the best defense, we recommend proactive strategies – such as better security training, strengthening access controls and monitoring your environment for attacks with the latest threat detection – alongside traditional preventative tools.