It was a warm mid-September morning and Jeff Pelzel was preparing for another day of school. Although theraged across Southern California, Pelzel, superintendent of the Newhall School District in the Santa Clarita Valley, had successfully transitioned nearly 6,000 students and teachers to virtual classrooms.
As he walked to the office, Pelzel checked his phone and noticed something strange. His email app, which was usually brimming with fresh messages, was empty. He tapped the browser and navigated to the school's webmail. Nothing. His palms began to sweat as powered on his PC. The warning that flashed across his screen was terrifying. In bold letters the message bluntly stated that his entire school district was locked up and offline. Pelzel shot a text message to IT, but he didn't need to wait for a response to know what was happening.
This spring, thousands of administrators, teachers and students weary from fighting COVID-19 face a new viral threat: ransomware. Cyberattacks and ransomware targeting schools hit record highs last year, with K-12 schools the top targeted sector. The average ransom is about $50,000, but the biggest hauls have topped $1.4 million.
Schools are now the most popular targets of ransomware attacks, according to the FBI. The total cost of cyberattacks targeting the education sector is difficult to estimate because many schools don't report attacks. According to a report from IBM, nearly one in every four cyberattacks in the U.S. involves ransomware. The total cost likely exceeds $123 million.
Why schools are a target
Several factors make schools and educators easy targets for ransomware. According to IBM, educators and students — already spread thin by virtual learning — lack training in how to deal with such attacks, while school funding for security is modest.
While most educators said they rely on virtual and remote learning tools, 60% of teachers say they have received no additional security training during the pandemic, and half of the respondents have not received any cybersecurity training. Most teachers get little tech support.
According to the FBI, cybercriminals are hitting schools with tools and tactics they initially found to be effective against businesses. The ZeuS trojan, for example, is malware that targets Microsoft Windows machines running on school computers and sends stolen data back to criminals' servers, where it is held hostage or sold on the dark web.
Funding is a critical roadblock that prevents school districts from investing in cybersecurity training and tools, said IBM's Chris Scott. School administrators are the most likely to be trained in cybersecurity, but districts lack the budget to also train teachers. In spite of the astronomical costs associated with ransomware attacks that target schools, most school districts don't have a cybersecurity insurance plan.
While most administrators agree that classroom spending should increase, they also agree that additional investments in IT would help protect teachers and students. More than a third of K-12 administrators say their school districts employ just one to three IT staffers.
It's unreasonable to expect educators and administrators to be cybersecurity experts, Scott said, but even underfunded IT departments can help educators by providing low-cost best-practice security training, in techniques like spotting malicious emails — the most common vector for a ransomware attack, according to Scott.
"Give [teachers] that moment to question and to understand the risk. When people know what to look for, they tend to make the right decision," Scott said. He recommends IT departments focus on simple techniques, like how to spot a phishing email and how to turn on and use two-factor authentication.
"Professional criminals are breaking in"
"My first thought was that the timing can't get any worse," Pelzel said of last year's ransomware attack. "The kids are reliant on [technology] for an education and now we don't have access to those devices."
But in the moments following the attack, Pelzel and his IT department made a series of hard but good decisions. He instructed his IT managers to immediately pull the systems down and transition to in-person learning and the cloud. The Newhall schools were offline for eight days.
Then he sprang into action. "We wanted to make sure that kids had grade-level appropriate materials. Our teachers came to the rally, the district office, the instructional services department," he said. Teachers and parents all pulled together to get multilingual books, pencils and even cloud-based Chromebooks into student's hands.
Pelzel thinks his school dodged a bullet. He is calling for federal and state leaders to crack down on cybercriminals targeting schools and to provide funding for schools to harden their cyber infrastructure.
"Professional criminals are breaking in and hacking school systems. This is happening to Fortune 500 companies who have millions of dollars [for cyberdefense]," Pelzel said. "How can you expect K-12 school districts who do not have those resources to prevent this from happening?"