A big problem was waiting for Matt Jensen, the superintendent of the Bigfork public schools, as he arrived to work on a Monday in November.
His 900-student Montana district was under a cyberattack. A self-replicating computer virus had eaten its way through most of the schools' servers—including the student-information system—and encrypted huge amounts of data, making it inaccessible to Bigfork employees.
The perpetrators of the breach had also left a disconcerting message for Jensen's IT director: They were demanding a ransom in exchange for a decryption key that would immediately unlock the data. The alternative to paying up would be to rebuild the district's data systems from backups or, in a worst-case scenario, from scratch.
Experts have seen a spike in "ransomware" attacks across all sectors of the economy in recent years. Criminals have hit all types of organizations, public and private, including K-12 districts. Multiple strains of the computer virus exist, but most versions of such malware behave much like the type that infected the Bigfork network.
"Ransomware does not discriminate," said Will Bales, a supervisory special agent in the FBI's cyber division. "Whether it's a big school district or a small school district, they have the same possibility of being hit."
Once the virus has infected a network and scrambled every Word document, spreadsheet, and data file it finds, the people behind the attack will ask for a ransom in bitcoin, an untraceable virtual currency, in return for the decryption key.
But Jensen said he never even considered paying the cybercriminals: "We weren't going to negotiate with them."
Even if his district paid the ransom, he said, there would be no iron-clad assurances that the hackers would actually return access to the data. Paying, said Jensen, "would only empower a criminal group."
'A Business Decision'
Other ransomware victims haven't had the luxury of taking Jensen's hard-line approach. In many cases, the criminals' ransom request is far smaller than the dollar value of the damage the malware has inflicted.
Some districts have been forced to weigh the ethics of paying a few thousand dollars to untrustworthy and anonymous criminals against surviving for weeks without access to lesson plans, learning software, or student records.
"Paying the ransom was not a philosophical decision, but a business decision," said Charles Hucks, the executive technology director for South Carolina's Horry County schools. "What's it worth per day to not have access for our 43,200 students?"
After his district was critically hit by a ransomware attack last school year, Hucks immediately shut his servers down to stop the spread of the virus. He then urged his bosses, who oversee a half-billion-dollar yearly operating budget, to pay the nearly $10,000 ransom.
School districts can take a number of steps to avoid ransomware attacks on their computer systems, including:
• Back up everything, and make sure safeguards are in place so malware cannot easily jump to infect backup systems.
• Make sure network users scrutinize incoming email and report rather than open strange attachments from unsolicited addresses.
• Download software only from secure and trusted sources. Never pirate software from illegal or questionable peer-to-peer websites.
• Have strong access controls. Student accounts shouldn't have administrative privileges. Internal restrictions on access can prevent a bug from spreading.
• Make sure system updates, including for anti-virus software, are installed regularly.
• Change passwords regularly, and train staff members in best cyberpractices.
• Test your own defenses. Hire a vendor to try to hack the system to find vulnerabilities and address them.
• Have an incident-response plan ready in case something goes wrong.
SOURCES: and BitSight Technologies
Even with the risk that the hackers would take the money and run—Hucks said officials "were horrified" the culprits wouldn't follow through with a decryption key—the cost and time associated with laboriously rebuilding district networks from compromised backups outweighed all other considerations.
Law-enforcement agencies like . Special agent Bales agrees with Jensen that doing so only emboldens criminal enterprises.
But in practice, some experts and have conceded that acquiescing to the demands can, at times, be in an organization鈥檚 best financial interests.
Regardless of whether an organization decides to pay the ransom, Bales and the FBI want to hear from all ransomware victims to gather evidence. Cybercrimes can be reported to the FBI's local field offices or its website, www.ic3.gov.
In some cases, the FBI or private industry has already found a "key" or antidote to a ransomware strain, and by reporting the attack, organizations have been able to easily recover their files.
But what if a school district, like Horry schools, can't find a decryption key, and decides to pay the ransom?
"The criminals have an incentive to unlock the data" once they are paid, said Stephen Boyer, a co-founder of BitSight Technologies, a Cambridge, Mass.-based cybersecurity company. The criminals need a track record of victims' getting their data back, he explained, or new targets will stop paying.
Preventing Future Attacks
That's not to say that Boyer typically advises his clients to pay the ransom: "That's a tough question that can only be taken on a case-by-case basis."
Boyer also cited cases in which a ransom is paid and files are decrypted, but the malware remains in the system, allowing the hackers to come back weeks or months later.
The best defense, Boyer said, is to have strong backups in place, and have outside professionals reset the system and do a full incident report if a district network is compromised.
That was the course of action Jensen used in Montana's Bigfork district. Bigfork's network was backed up twice: one set of servers on-site that was compromised in the attack, and another housed by an outside vendor that was spared. It took Jensen's technology team a week to restore all its systems and ensure the computer systems were clean.
In South Carolina, the hackers of the Horry County district came through with a working decryption key soon after the ransom was paid. Hucks was able to get the "mission critical" functions of his servers—like the district's student-information system—back up in days.
The ultimate damage to the school system was a two- to three-week disruption and $30,000 from its budget. In addition to the ransom, the district hired cybersecurity consultants to ensure the malware had been expunged and the criminals could not come back through the same weaknesses in the network.
The Horry County attack was widely publicized in the weeks following its resolution, and Hucks was invited to .
For both school districts, as is common in such cases, the crimes were reported but the perpetrators went undiscovered. Like other cybercrimes, ransomware attacks can be difficult to trace. They often originate overseas, sometimes in countries that do not have extradition treaties with the United States.
That鈥檚 why more districts should be focusing on preventive measures, said Boyer, the cybersecurity expert.
His firm that sampled the IT infrastructure of thousands of organizations in the education, government, health-care, energy, retail, and finance sectors to gauge their exposure to ransomware. It found that educational institutions and companies had the highest rate of ransomware infection.
Opportunistic Hackers
Small technology budgets, less emphasis on cybersecurity, and bring-your-own-device policies in schools make it harder to establish uniform firewalls and contribute to the challenges of protecting ed-tech infrastructure, Boyer said.
Bales, of the FBI, agreed that districts have a lot of ground to cover: "Faculty, students, every single person who is connected to a school network is a potential liability."
Although some of the attacks are targeted, and higher education is more at risk than K-12 systems—universities tend to have larger networks and more financial wherewithal to pay ransom demands—Boyer's team has found the attacks are usually "more opportunistic than targeted."
That means that rather than singling out victims, hackers might blast out thousands of emails with compromised links or attachments to thousands of organizations. That process, called "phishing," allows hackers to prey on groups with the weakest controls and requires only a small proportion of the emails' recipients to fall for the trap.
For hackers, "even a one percent rate can be very lucrative," said Boyer.
The relatively small individual ransom payments add up quickly, he explained, and in addition to making it more likely that a targeted group will pay, small sums tend to draw less attention and resources from law enforcement.
The good news for harried school district technology systems chiefs? Reducing risk exposure to ransomware attacks is relatively straightforward. (See box, this page.)
"It's not cutting-edge," Boyer said of the standard preventive measures. "If you are doing the basic blocking and tackling of network security, your risk goes way down."