As digital learning possibilities expand, school districts have become major ransomware targets. Throughout 2021, 162 school districts were the target of a cyber incident, and for the first time ever, ransomware was the most frequently reported attack.

Bad actors target K-12 schools knowing they receive limited cybersecurity funding yet maintain large repositories of personal identity data on their students and staff including medical records and social security numbers.

Additionally, the increase in login credentials needed by students, parents and teachers to access digital resources provided a broader attack surface to allow access to the school network and steal confidential information.

These attacks are disruptive. Schools are often forced to cancel classes to recover their network and data and they must issue new credentials to each individual on their network.

While the federal government has issued ransomware guidance for school districts, these outlines usually offer no funding, which limits schools’ ability to establish a robust IT workforce—and even with the best defense, attacks are still possible.

K–12 leaders should take steps now to prepare for the likelihood of a ransomware attack including educating their employees and parents, implementing a backup infrastructure and having a recovery plan in place.


Mitigating Risk: Education, Implementation and Recovery

Districts should prioritize user education, from IT staff to system users like students, teachers and parents. Attackers consistently target end users through network entry methods like remote desktop compromise, phishing and software vulnerabilities.

Parents with children in K-12 schools and K–12 staff are often the targets of emails encouraging them to click a link to learn more, whether it be for a student scholarship opportunity or to sign up for a weekly newsletter. Bad actors mimic these with phishing email.  Once the link is clicked, credentials are compromised, and the attackers can access the school district’s network to steal and ransom confidential district and student information. In fact, over 26% of ransomware attacks occurred as a result of phishing; a simple yet effective process focused on end users.

Educating the entire organization of this risk and how to avoid being a victim can significantly decrease the success of a ransomware attack. User education can take many forms—a simple education brochure, a training/learning course, or virtual simulations.

The next step should be to prepare for the worst and develop a secure backup and data protection strategy. Backups should be offline and inaccessible to most personnel to cut down on the risk of attack online and reduce attackers’ abilities to reach it via an end user. To further secure backups, organizations can implement micro segmentation and internal network firewalls.

As a strategy, schools should look to employ the 3-2-1-1-0 rule, a versatile data management approach that recommends having three copies of important data on at least two types of media, with at least one of the copies off-site. The off-site backup should be either air-gapped, offline, or immutable. Zero errors should be present in the backups once testing and recoverability verification is completed. These backups should be encrypted to provide supplemental security against evolving tactics and protection against insider threats.

When installing backup technology, school leadership must clarify what level of recovery they want. For example, they can choose technology that will replace the entire data system, only the most essential files or only information from selected applications. Having all three options is recommended as it will increase the likelihood of full data recovery in the event of an incident.

Lastly, schools should have a recovery plan in place and ensure that they are ready in case of attack by practicing an organized response. Ransomware attack simulations increase familiarity with recovery steps and the threat recognition process.

A strong recovery plan includes an efficient method of communication to employees, students and parents, and clear definition of the decision-makers in case of an attack. Schools should also inform the FBI so that the Bureau can immediately work to track the attackers.


The Future of Ransomware in Education

A recent warning issued by CISA and the FBI signals that ransomware attacks will not stagnate anytime soon, and that bad actors’ methods are evolving. Attackers recently started to leverage multiple techniques that allow them to avoid detection by masking their movement as a legitimate process and using “sleep timers” to avoid acting during a routine security analysis. These tactics provide more time to expand into additional devices and networks, therefore increasing the damage.

With a recovery plan, a backup infrastructure and strong user education on cyber risks, K–12 schools will be better equipped to fight ransomware attacks.  As bad actors continue to target schools, leaders should act now to ensure they keep student and staff data secure and are not forced to halt children’s education due to an attack.


About the author

Rick Vanover is an expert in intelligent data management and backup. In his role at Veeam, Rick sits at the crossroads of many types of storage. Whether it is storage systems, critical application data, data in the cloud or data anywhere in between; Rick has experience in the data management practice as IT practices change with new technologies. Follow Rick on Twitter @RickVanover.