Ransomware attacks on schools increase during the pandemic

ALBUQUERQUE, NM — For teachers at a middle school in New Mexico’s largest city, the first hint of a widespread technology problem came during an early morning staff call.

On the video, there were shouts for a new caretaker for their hard work, and the typical announcements from the administrators and the union representative. But in the chat, there were hints of an impending crisis. No one could open attendance registers and everyone was excluded from class lists and grades.

Albuquerque administrators later confirmed that the outage that blocked access to the district’s student database — which also includes emergency contacts and lists of adults authorized to pick up which children — was due to a ransomware attack.

“I didn’t realize how important it was until I couldn’t use it,” said Cleveland Middle School art teacher Sarah Hager.

Cyberattacks like the one that canceled classes for two days in Albuquerque’s largest school district have become a growing threat to American schools, with several high-profile incidents reported since last year. And the coronavirus pandemic has compounded their effects: More money has been demanded, and more schools have had to close as they scramble to recover data or even manually wipe all laptops.

“No matter how you cut it, incidents are both getting more frequent and bigger,” said Doug Levin, director of the K12 Security Information Exchange, a Virginia-based nonprofit that helps schools defend against cybersecurity risks.

Accurate data is difficult to obtain because most schools are not required to report cyberattacks publicly. But experts say public school systems – which often have limited budgets for cybersecurity expertise – have become an attractive target for ransomware gangs.

The pandemic has also forced schools to increasingly turn to virtual learning, making them more dependent on technology and more vulnerable to cyber extortion. School systems whose education has been disrupted include those in Baltimore County and Miami-Dade County, as well as districts in New Jersey, Wisconsin and elsewhere.

Levin’s group has tracked more than 1,200 cybersecurity incidents since 2016 in public school districts across the country. They included 209 ransomware attacks, when hackers lock data and charge to unlock it; 53 “denial of service” attacks, where attackers sabotage or slow down a network by simulating server requests; 156 Incidents of “Zoombombing”, where an unauthorized person interferes in a video call; and over 110 phishing attacks, where a deceptive message tricks a user into letting a hacker into their network.

The recent attacks also come as schools grapple with multiple other pandemic-related challenges. Teachers get sick and there are no substitutes to cover them. Where there are strict virus testing protocols, there aren’t always tests or people to give them.

In New York, an attack this month on third-party software provider Illuminate Education did not lead to the cancellation of classes, but teachers across the city were unable to access grades. Local media reported that the outage added to the stress of educators who are already juggling between instructing and enforcing COVID-19 protocols and covering for sick or quarantined colleagues.

Albuquerque Superintendent Scott Elder said bringing all students and staff online during the pandemic has created additional avenues for hackers to gain access to the district’s system. He cited this as a factor in the Jan. 12 ransomware attack that canceled classes for some 75,000 students.

The rollbacks — which Elder called “cybersnow days” — gave technicians a five-day window to reset databases over a holiday weekend.

Elder said there was no evidence that any student information was obtained by hackers. He declined to say whether the district paid a ransom, but noted there would be a “public process” if it did.

Hager, the art teacher, said the cyberattack increased stress on campus in ways parents hadn’t seen.

Fire drills were canceled because fire alarms were not working. The intercoms stopped working.

Nurses couldn’t find which children were where because positive test results came in, Hager said. “So potentially there were students on campus who were probably sick.” It also appears that the hack permanently erased a few days of attendance records and grades.

Edupoint, the provider of Albuquerque’s student information database called Synergy, declined to comment.

Many schools choose to keep attacks secret or disclose minimal information to avoid revealing additional weaknesses in their security systems.

“It’s very difficult for school districts to learn from each other because they’re really not supposed to talk about it because you might be sharing vulnerabilities,” Elder said.

Last year, the FBI issued a warning about a group called PYSA, or “Protect Your System, Amigo,” saying it was seeing an increase in the group’s attacks on schools, colleges and seminaries. Other ransomware gangs include Conti, which last year demanded $40 million from Broward County Public Schools, one of the largest in the country.

Most are Russian-speaking groups based in Eastern Europe and enjoying protection from tolerant governments. Some will post files to the dark web, including very sensitive information, if they are not paid.

While attacks on large districts grab more headlines, ransomware gangs tended to target smaller school districts in 2021 than in 2020, according to Emsisoft threat analyst Brett Callow. He said this could indicate that larger districts are increasing their spending on cybersecurity while smaller districts, which have less money, remain more vulnerable.

A few days after Christmas, the Truth or Consequences district of 1,285 students in south Albuquerque also had its Synergy student information system shut down by a ransomware attack. Officials there compared it to the burglary of their home.

“It’s just this feeling of helplessness, of confusion as to why anyone would do something like this because ultimately it takes away from our children. And to me, it’s just a disgusting way of trying to get money,” Superintendent Channell Segura said.

The school did not have to cancel classes because the attack happened during break time, but the network remains down, including keyless entry locks on school building doors. Teachers are still carrying the physical keys they had to find at the start of the year, Segura said.

In October, President Biden signed the K-12 Cybersecurity Act, which asks the federal cybersecurity agency to make recommendations on how to help school systems better protect themselves.

New Mexico lawmakers have been slow to expand internet use in the state, let alone support schools on cybersecurity. Last week, state officials introduced a bill that would allocate $45 million to the state Department of Education to establish a cybersecurity program by 2027.

Ideas on how to prevent future hacks and recover existing ones usually require more work from teachers.

In the days after the Albuquerque attack, parents argued on Facebook over why schools couldn’t just switch to pen and paper for things like attendance and grades.

Hager said he even heard criticism from his mother, a retired teacher.

“I said, ‘Mom, you can only record attendance on paper if you’ve printed your list to begin with,'” Hager said.

Teachers could also keep duplicate hard copies of all records, but that would double the office work that already bogs them down.

At a time when administrators are increasingly requiring teachers to record everything digitally, Hager says, “those systems should work.”