School cyberattacks are on the rise. Between August and September of this year, educational organizations were the target of more than 5.8 million malware attacks, accounting for more than half of all such attacks. Along with retail companies, educational institutions were the most likely to be targeted by ransomware attacks, according to a survey conducted by Sophos, an IT security company.
While a shift to remote learning during the pandemic may have made some attacks easier, cyber crimes have become more common in general over the past decade, says Conor Phoenix, supervisory special agent for the FBI.
The nature of the attacks has also changed, says Phoenix, who supervises the seven agents who make up the cyber squad of the FBI’s New Haven Field Office. Prior to the pandemic, swatting incidents and denial of service attacks were the most common. “In the last handful of years, ransomware is certainly the number one issue that will get reported to us by school districts,” Phoenix says.
Phoenix recently spoke to Tech & Learning about how cyber crimes against schools are conducted and shared tips for safeguarding your school against them.
Who is Responsible for School Cyberattacks?
Perpetrators of school cyberattacks range from individuals to international criminal organizations. Sometimes students even launch denial of service attacks against school systems. “It's something that a student with some computer background could be familiar with,” Phoenix says. Because this kind of attack requires only limited sophistication, students will launch one for reasons as trivial as hoping to postpone a test for which they have not studied. Ransomware attacks, on the other hand, are most commonly launched by criminal organizations outside of the U.S.
The FBI works hand-in-hand with the U.S. Attorney’s office while investigating cyber crimes, which helps determine the types of cyberattacks on schools they investigate. “For example, a denial of service attack that we were able to determine was [launched by] a student, that is not going to be taken any further by the FBI, or by the U.S. Attorney's Office,” Phoenix says. “But a ransomware incident absolutely would be.”
Phoenix’s cyber squad primarily handles cyberattacks against schools in Connecticut but works closely with other field offices.
“There are many variants of ransomware that are deployed against victims. Those are controlled by different sets of actors. And so for efficiency, we typically have one or two offices that might focus on any one variant,” Phoenix says. “Here in Connecticut, my office focuses on two separate investigations on two different variants of ransomware and the actors behind those.”
Another example is investigations into Conti ransomware, which is one of the most common types of ransomware used in attacks nationwide and was launched by Wizard Spider, a hacker group located in Russia. “That's investigated by two of our offices outside of Connecticut, but if there is someone who's been victimized by Conti, I know who the case agents are, my agents can talk to them, figure out what type of intelligence we can share with the victim so they can go through their own network and figure out, ‘Have we identified a point of origin for the intrusion?’ Once we've remediated this, can we be confident that we've removed it out of our system?”
“Then there's a law enforcement component where we're also trying to gather evidence,” Phoenix adds. “Once a victim is able to get past that immediate phase of incident response, we are trying to gather information so that we can continue to pursue those actors and hopefully, ultimately bring them to justice.”
Protecting Your School From Cyberattacks
Ransomware attacks tend to get into a victim’s network by either gaining access through a vulnerability in remote desktop protocol ports or via phishing emails. Preventing a remote desktop protocol intruder, often comes down to basic network hygiene. “It's making sure you don't have any remote open access that you don't absolutely need,” Phoenix says. “All computer systems will have vulnerabilities. If there's some appliance or software you're using that has a vulnerability and has a patch available, make sure that you apply that patch as quickly as possible to enhance your security.”
As for protecting against phishing emails, that is all about educating your staff. “Make sure that they can recognize a suspicious email when they see it and then know what to do with it,” Phoenix says. “Even in my own organization, we have annual information security training. One component of that has to do with phishing emails.” This is very basic, Phoenix says, but will go a long way to protecting a school district from becoming a victim.
However, no prevention methods are 100 percent impenetrable. Consequently, schools should develop an incident response plan to prepare for an attack and establish protocols for what to do when it occurs.
One part of preparing for the worst is having a backup system in place, a practice that is becoming more common as ransomware attacks increase in frequency. “I would often encounter victims who either didn't have backups, or if they did, which would have been the minority a few years ago, the backups would have been connected to the network, and then also likely encrypted as well,” Phoenix says. “But I am seeing a shift toward having backups that are separate and apart from the main network of the institution or organization. That's been extremely helpful in allowing victims to not feel compelled to pay a ransom because we're able to within maybe two or three days get their systems back up and running based on the backups.”
Getting to know local law enforcement agencies before an attack can also be helpful, as it can help schools plan who to contact when an attack occurs. While different FBI field offices respond to crimes in different regions of the U.S., the bureau has set up C3.gov, an online clearinghouse for all cybercrimes.
Even if a school plans on paying a ransom to retrieve its data, the authorities should be contacted.
“The FBI's position is, in general, that we do not encourage payment of ransom in these types of situations. That being said, I understand that from a victim perspective, that's not always feasible,” Phoenix says. “We've been dealing with these groups for some time, so we'll have information, whether it's information about the tactics of the group, or it might be information on something as simple as, ‘Well listen, if you pay this one particular group, you're not likely to get a decryption key.’”