Ransomware attackers’ favorite target used to be big corporations. Then, last year, they shifted to attacking public institutions like hospitals and state and local government offices. Now, it's educational providers that are top of the target list for criminals. Tellingly, ransomware attacks on schools increased in 2022, while attacks on every other sector declined.

For anyone working in the school system, this focus on schools and other educational institutions as top targets for ransomware might seem odd. Educational institutions don’t tend to have the money to pay big ransoms. So what’s the point of breaking into them?

To start with, not all attacks are financially motivated. Some cybercriminals are simply out to cause chaos. Forcing schools to cancel classes is one way to do that. As the Chief Information Security Officer at Seattle Public Schools noted earlier this year, if schools go offline and parents can’t go to work, that can have a severe impact on the local economy.

Secondly, there’s value in data, especially the kind of data that can be stolen from school networks. Sensitive personal information can be sold on the dark web or used in other attacks, like financial fraud or identity theft against teachers and students. It can also be used in fraud against other organizations the schools are in some way connected to.

Thirdly, ransomware attackers like to attack targets that have a low tolerance for downtime but weak defenses. Schools are the perfect fit: most don’t have the budget for security. The vast majority of schools are also underprepared culturally.

As the list of educational institutions that have fallen victim to ransomware grows, schools are beginning to realize the massive consequences that ransomware attacks can have on their operations. At the same time, no one really knows where to start with securing school networks.

There’s a common belief that you need to buy some kind of expensive security software to stop ransomware attacks from happening. But this couldn’t be further from the truth.

The reality is that most cyberattacks, including ransomware, occur through social engineering, i.e., tricking people. Phishing emails, where cybercriminals convince recipients to click on a malicious link or download a malicious attachment, are the most common ransomware delivery method.

Email software might be able to catch the most blatant examples of phishing, but it won’t stop the more personalized attacks, i.e., emails that use a target’s personal information against them. As our digital footprints grow, these personalized phishing attacks, also known as “spear phishing,” are on the rise.

What really hardens organizations against cybercrime is positive behavioral change. Schools need to teach their faculty and students about how social engineering happens and what they can do to make themselves less attractive targets.

Knowing what phishing emails look like is a good place to start. Here, phishing simulations are useful, but they need to happen continuously to be effective.

Because most successful phishing emails rely on personal information to work, it’s also imperative to think about where this data exists on the internet. Ransomware attackers don’t need to go to the dark web to find information that will make their emails look believable to teachers and students. The information they need already exists on the surface web, i.e., the internet we use daily.

More often than not, a simple Google search of someone’s name will return a ton of exploitable data. From their social media profiles to people search websites and public records, there’s no shortage of personal information sources that threat actors can work with.

Minimizing the amount of personal information that’s available about staff and students online is, therefore, key to reducing the risk of ransomware in schools. Good practices here include:

Using fewer online platforms. The more online accounts staff and students have, the more ways attackers have to exploit them. For example, think of all the ways a ransomware attacker could try to trick a teacher if the attacker can see what that teacher posts on Facebook, their wishlist on Etsy and/or Amazon, and that they donated to a cause that’s important to them on GoFundMe.

Being wary of oversharing on social media. There’s a case to be made for making social media profiles private and being careful of who’s added as a “friend.”

Opting out of data brokers and people search sites. In the past, it could take cybercriminals hours, if not days, to research their targets. Today, they can buy everything known about a particular person through a data broker or people search site. These sites collect people’s data from various sources and then sell it as part of a comprehensive profile to anyone wanting to buy it for just a few dollars. Information within these profiles can include contact details (professional and personal), family information (if they’re married and have kids, etc.), and more. The bad news is that this is totally legal. The good news is that many people search sites let people opt out of their databases, and there are services that can do it on individuals’ and organizations’ behalf.

Using an alias. One way to participate more safely in online communities or open new online accounts is by using an alias together with masked email addresses and phone numbers. Obscuring personal information makes it harder for both cybercriminals and people search sites to connect different online accounts to the same person.

Attackers are counting on being able to find targets’ information online to trick them into enabling ransomware. By being aware of their online footprint and taking steps to shrink it, educators and students can significantly reduce the risk of attacks happening, or, at the very least, succeeding.

About the author


Rob Shavell is CEO of DeleteMe, The Online Privacy Company. Rob has been quoted as a privacy expert in the Wall Street Journal, New York Times, The Telegraph, NPR, ABC, NBC, and Fox. Rob is a vocal proponent of privacy legislation reform, including the California Privacy Rights Act (CPRA).