Feb 21, 2022

Schools increasingly targeted by cyber attacks

Posted Feb 21, 2022 12:01 PM

Hays Post

The repercussions of a recent ransomware attack against Hays USD 489 are yet to be fully known.

However, a USD 489 parent and cybersecurity expert at Fort Hays State University spoke to Hays Post about the attack and offered practical tips to parents and students about how to avoid being victims in the future.

Jason Zeller, assistant professor in the Department of Informatics, said ransomware attacks are usually about money.

Zeller, who has a student at Hays High School, told his son not to log into the Hays USD 489 WiFi since the system has been compromised. Doing so could infect cellphones, laptops or other private devices that connect to the network, he said.

Zeller said, in general, he recommends that users never use public hotspots. Don’t go into a coffee shop and use their WiFi, he said.

Schools in the crosshairs

It is not uncommon for schools to be targeted by attackers, said Tim Medin of Red Siege, a cybersecurity firm. In 2020, there were 408 publicly disclosed cyber attacks on K-12 public schools or districts, which was an 18 percent increase from 2019.

Park Hill school district in Kansas City was the victim of a ransomware attack in March 2021. That district had to cancel school for a day because of the attack.

The issue of cybersecurity was addressed at a state board of education meeting in January. An audit report found 58 percent of Kansas school districts don’t require security awareness training and 63 percent don’t annually assess IT security risks.

What happens in a ransomware attack?

In a ransomware attack, hackers typically confiscate data, and then the business or agency has to pay in order to get that information back, Zeller said.

Hackers usually request payment in cryptocurrency because it is more difficult to trace.

“The thing about ransomware is that most people can avoid it by having secure backups,” Zeller said. “If something like that happens, you just back up everything and it’s no big deal.”

However, often the backups are on the same networks and they’re not secure, which gives the attackers opportunity to encrypt the backup as well, he said.

There is always the potential in an attack such as this for an attacker to take personal data and sell it on the dark web, Zeller said.

Information, such as birthdates and Social Security numbers, could be used in identity theft.

“Usually what they’re after is not student information — my son’s information,” Zeller said. “I’m not too concerned about that, but making sure that my son is aware and educated as to what this is, because this isn’t going to be the only time he sees it.

“He’s been the victim of other types of cyber attacks, and I’m the cybersecurity professor.”

To pay or not to pay

Many companies and organizations are now paying for cyber insurance policies. If the entity is hit with an attack, the insurance company pays the ransom.

If a ransom is not paid, attackers will usually do one of a couple of things, Zeller said. They will usually wipe the drives of all the data or they will sell the data on the dark web in an attempt to make some money for their efforts.

Payment of a ransom is no guarantee that information won’t still be sold on the dark web, Zeller said.

Zeller said paying a ransom is a double-edged sword. It does encourage attackers to continue to hack into companies. However, it may be more palatable than losing the data.

Medin, an international speaker on cybersecurity, said a decision to pay a ransom is not an easy ethical or moral decision.

“In an ideal world, no one pays the ransom. If no one pays, there isn’t an incentive for any of the ransomware business model,” he said. “The problem is many organizations have no choice but to pay. …

“That said, if much of the money and effort was proactive and spent on defending the systems before the attack, many attacks wouldn’t happen and it could defund portions of the ransomware ecosystem.”

District quiet on attack

Hays Post reached out several times to the Hays USD 489 administration to learn more about the attack, including if the ransom was paid, what system and data were compromised and what steps the district was taking to prevent future attacks. The school district has declined to comment on Hays Post's questions.

Although the attack occurred Thursday, Feb. 10, the public was not notified until the following Tuesday.

Hays Post tried to determine if a law enforcement agency was investigating this case. The Ellis County Sheriff’s Office and the Kansas Bureau of Investigation said they were not involved in the case.

The Kansas City Bureau of the FBI said it could neither confirm nor deny its involvement in the case.

Small communities not safe

Small businesses and small communities are no longer immune to these types of attacks, Zeller said. He said the attackers will target anyone they think will pay.

Unfortunately, schools might not have the same IT and security budgets as businesses of the same size, Medin said.

It’s very easy to be infected with ransomware, Zeller said. Attackers usually target people within the system with phishing emails and infiltrate the system when a student or staff member downloads an infected file.

“What I train students here is that it’s mostly social engineering,” Zeller said. “I could spend all day trying to break into the firewalls of the servers and all the equipment. It’s much easier for me to hack a person than it is to hack a server.”

Ransomware doesn’t occur overnight, Zeller said. The initial hack of the system could have happened some time ago.

Ransomware attacks can come from anywhere in the world and are difficult to track. Zeller said some foreign militaries have warehouses full of people doing nothing but attempting to hack systems for data.

Medin said a recent report indicated 75 percent of stolen cryptocurrency from ransomware attacks went to Russia in 2021.

Preventing attacks

Because ransomware attacks are becoming more common, Zeller said many companies and agencies are requiring their employees to take cybersecurity classes. Many insurance companies offering cyber attack insurance are requiring it.

FHSU is organizing some cybersecurity workshops for this summer.

The other side is making sure that your organization’s networking core is secure, Zeller said.

It’s important for everyone to understand what ransomware attacks are, as well as know what phishing or spear phishing attacks might look like.

Phishing is usually a generic attempt to get the user to click on a link or download a corrupt file.

Spear phishing usually entails the attacker pretending to be a friend, colleague or trusted business to gain information or infiltrate a business, Zeller said.

If the request seems odd or the language seems odd, check it out, he said. You can also check to see if the email address matches the person it says it is coming from.

Prevention is much less expensive than paying a ransom or dealing with an attack once it’s happening. Students that Zeller trains are paid $100 to $200 an hour upon leaving the FHSU program.
