‘Data-rich, resource-poor.’ Why Michigan schools can be a ‘soft target’ for ransomware attacks
JACKSON, MI – When the South Redford School District became the target of a cyber attack earlier this fall after a staff member clicked on a malware link, Superintendent Jason Bobrovetski credited the swift work of cyber forensic experts and the district’s technology service providers for preventing the attack from “turning into something greater.”
Even though students missed two days of school, Bobrovetski said the district’s network monitor with the Wayne Regional Educational Service Agency (RESA) had proactive measures in place to ensure the attack didn’t result in a ransomware incident, while cyber security experts were brought in to cleanse and restore functionality to the district’s network over several days.
It was a cumbersome process, he said, but it could have been worse.
“The number one thing that any organization, district or business can do is to look at and review what preventative measures they have in place, inclusive of their insurance policy as it pertains to cybersecurity,” Bobrovetski said of leaning on experts to resolve the issue.
With fewer resources to address these attacks, however, schools across the country have become prime targets of cyber attacks. Three federal agencies – the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) – released a joint advisory in September warning that a gang known as Vice Society is disproportionately targeting the education sector with ransomware attacks.
In Jackson and Hillsdale counties, a ransomware attack kept students in 20 school districts out of classes for three days this past week, as the Jackson County Intermediate School District continues to work with external cybersecurity advisors to restore the remainder of its secondary systems.
The attack was first reported to the Michigan State Police on Sunday, Nov. 13, said Lt. Mike Teachout. MSP, in collaboration with the FBI, is still actively investigating the attack, Teachout said. Little information about the nature of the attack and the identity of the perpetrators has been released, though Teachout said the attack was carried out by professionals.
While K-12 schools are improving their cybersecurity capabilities over time, they still lag behind other sectors in cybersecurity coverage because they often run antiquated systems that are difficult to protect, said Karen Sorady, vice president of member engagement at the Center for Internet Security (CIS).
A recently-released report from the MS-ISAC, a part of CIS, found that 29% of its 3,500 member K-12 districts reported being victims of a cyber incident. The report also noted the average school spends less than 8% of its IT budget on cybersecurity, with one-in-five schools committing less than 1%.
“Schools are an attractive target as they are typically data-rich and resource-poor,” said Sorady, who formerly was New York’s chief information security officer. “Without proper resources in terms of dedicated staffing and the necessary tools and training to protect against cyber-attacks, schools can be a soft target.”
How an attack works
Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.
“The idea is to interrupt functionality, so that you’re not able to work,” said Mike Johnson, CEO of Jackson-based Data Protection International, which provides security-based IT services.
When schools or other large entities are faced with a ransomware attack, the first step is understanding the scope of the compromise and where in the systems the ransomware lives, said Paul Grubbs, an assistant professor of Electrical Engineering and Computer Science at the University of Michigan.
From there, an organization needs to determine whether or not it will pay the ransom. If it does, it will receive some sort of decryption tool from the attackers and apply it to its systems to decrypt the data, said Grubbs, whose research is in applied cryptography, security and systems.
Perpetrators, who are typically of Russian or Eastern European descent, usually want the ransom paid in Bitcoin, Johnson said, noting he has worked on cases where ransoms ranged from as low as $25,000 or $50,000 to as high as $10 million.
“In general, we say never pay the ransom, because it just encourages them to continue doing what they’re doing,” Johnson said.
While paying the ransom normally solves the problem, Grubbs said if you choose not to pay it, the road to recovering data gets harder. Systems need to be restored painstakingly through a backup. The ransomware itself also needs to be rooted out and destroyed, or the entire network could risk reinfection.
Newer forms of ransomware are “significantly more destructive” than the previous versions because they not only lock out devices and encrypt information, but they also steal information in the process, Johnson said, adding that in his experience, ransomware attacks are typically perpetrated by “very large criminal networks,” and rarely by individuals.
Johnson pointed out that cyber attacks don’t happen overnight or “when you become aware of them,” but can unfold over a process of months or even years until an intruder gets to the right level of access into a network to start mining or stealing data.
“When they get to the point where they’ve got all the information they need and all the critical elements that they need, then they start that destructive process where they’ll shut things down and get your attention,” Johnson said.
Threatening to dump sensitive data online also is an effective tactic for ransomware groups to ensure they get paid, said Thomas Holt, a professor in the School of Criminal Justice at Michigan State University.
Pointing to schools’ “variable” levels of IT security, Holt said K-12 schools might typically be the target of what is called an “affiliate model” of cyber attack, in which a handful of individuals work together, each member carrying out a specific aspect of the attack and sharing in the profit from any ransom that is collected.
“They probably aren’t going to be able to pay a huge ransom, but they’ll pay enough to make it worth the while of three, four, maybe eight people,” said Holt, whose research focuses on computer hacking and malware. “You’re not necessarily going to have to put the same pressure points on a school district that you might on say like Monsanto or a major manufacturer or something like that.”
Assessing the damage, limiting the risk
Operating under a consortium model that provides technology services to school districts at a discounted cost, like the one in place in Jackson and Hillsdale counties, can have advantages and disadvantages, Grubbs said.
That’s based largely on the security presence the organization has in place. Having a large consortium that shares software has a number of potential security benefits, he said, because it means the entire organization can have a uniform security posture and its members can receive updates to their systems at the same time.
“If the security posture of the whole consortium is bad, then it’s definitely worse to be a part of the consortium, because it’s a very attractive target and also it’s a very vulnerable one,” Grubbs said.
Holt said sharing resources can make it more difficult to respond to human vulnerabilities within the network, which an in-house IT department is typically able to address more quickly.
With attackers becoming more sophisticated, preparation is key to responding to a ransomware incident, Sorady said, while educating individuals on cybersecurity can help an organization like a school be more equipped to handle an attack.
“Knowing who to call and what processes to follow in an attack is much easier if they have been laid out in advance and practiced,” she said. “Backups of critical data and systems are important to lessen the impact of a ransomware event. Keeping software up to date and having tools in place to protect the network, email and end-user devices will help to prevent and detect the introduction of malicious files into the environment.”
MLive staff writer Mitchell Kukulka contributed to this report.