Malicious actors are targeting K-12 schools with a strong increase in ransomware attacks and other cyber threats, according to a Joint Cybersecurity Advisory released December 10 by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
The Joint Cybersecurity Advisory highlights several threats facing K-12 systems, with the strongest emphasis on an increase in ransomware attacks. Schools accounted for 57 percent of ransomware incidents reported to MS-ISAC in August and September, compared to 28 percent in the earlier months of 2020.
“In these attacks, malicious cyber actors target school computer systems, slowing access, and – in some instances – rendering the systems inaccessible for basic functions, including distance learning. Adopting tactics previously leveraged against business and industry, ransomware actors have also stolen – and threatened to leak – confidential student data to the public unless institutions pay a ransom,” the notice states.
The rise in attacks comes in concert with the ramp-up of distance learning for the 2020-2021 school year, opening other threat venues as well. The notice highlighted the top 10 strains of malware (while noting that they are not specifically targeted at schools), the disruptions of DDoS attacks, and video-conference disruptions as other threats that are hitting K-12 institutions. In addition to these challenges, the notice emphasizes that normal threats such as open ports, end-of-life software, and social engineering are still ongoing issues for K-12 cyber professionals.
“Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year. These issues will be particularly challenging for K-12 schools that face resource limitations; therefore, educational leadership, information technology personnel, and security personnel will need to balance this risk when determining their cybersecurity investments,” the agencies write.
The notice includes a number of best practices and resources for schools, and recommends that schools not pay ransoms. Districts are also encouraged to maintain business continuity plans, review patching plans, and examine how third-party vendors have previously addressed cybersecurity incidents.