Ransomware Strikes 49 School Districts & Colleges in 2019

Published: 23/11/2024   Category: security




The education sector has seen 10 new victims in the past nine days alone, underscoring a consistent trend throughout 2019.



Education is a hot target for ransomware: Nearly 50 school districts and colleges have been hit in 2019 so far, and more than 500 individual K-12 schools have potentially been compromised.
Cloud security firm Armor has been tracking publicly disclosed ransomware attacks since January 2019. Of the 182 total victim organizations this year, 49 have been educational institutions. This makes education the second-largest pool of victims by industry, following municipalities at 70 victims, and ahead of third-place healthcare, which reported 27 victims.
"Ransomware creates a sense of urgency," says Chris Hinkley, head of Armor's Threat Resistance Unit (TRU). In schools, municipalities, and other public-facing institutions with infrastructure critical to their communities, the pressure to stay up and running after an incident is high. Criminals know they can't afford to shut down — and may be more likely to pay up. Whether a school pays depends on its backups, breadth of impact, and number of networks affected.
"When those organizations are down, especially a school, you're losing out on a lot of money, but you're also impacting a huge amount of people: teachers, administrators, and most importantly, the students," he adds. When New York's Monroe-Woodbury Central School District was hit with ransomware this month, it was forced to delay the start of its school year. The district won't have access to computers, Wi-Fi, or smart boards until recovery is complete.
"Many government organizations, especially schools, are going to be behind the curve, relatively speaking, when it comes to new and protective technologies," says Hinkley. They likely will run older operating systems or fall behind on patching, simply because they lack the manpower and expertise needed to stay current. The prevalence of vulnerable software and infrastructure in education makes it easier for attackers to get onto schools' infrastructure.
Victim schools and districts span the United States, TRU reports: The most recent victim districts were in Missouri, Pennsylvania, Ohio, Nebraska, Illinois, and Florida. Connecticut has the highest concentration of ransomware targets, with seven districts and up to 104 schools potentially affected.
"Most of the victims, I believe, are targets of opportunity," says Hinkley. An attacker may have known and contacted a student, for example, or found a vulnerability on the school's network. It's still unknown how many of these intruders planted ransomware in targets' environments.
Back-to-School Shopping
Crowder College of Neosho, Missouri, reported a ransomware attack on September 11. Investigators found evidence indicating the attacker had been inside the school's systems since November 2018.
While it has not been confirmed how Crowder's intruder gained access, Hinkley suggests they could have purchased both the malware and/or the unauthorized access on the black market. "It's something we're seeing a lot of," he says.
Researchers who produced Armor's Black Market Report found ransomware sold on the Dark Web as a standalone product, as well as ransomware-as-a-service, making it easy for novices to jump into the game. Many sellers of ransomware-as-a-service do the work: They provide the malware and a panel for the customer to enter a ransom message; it then generates a unique wallet address for each victim. The buyer simply has to get it onto their target system of choice.
"It's removing a lot of the technical expertise that was previously required to carry out one of these attacks," Hinkley says. Cybercriminals also sell credentials to Remote Desktop Protocol servers, researchers found, and this is a common vector for multiple ransomware families.
Many of the attacks against districts and individual schools have used Ryuk ransomware, which is also commonly seen in campaigns against municipalities. It's typically preceded by Emotet and TrickBot Trojans, which lay the foundation for networkwide compromise, TRU reports. Hinkley points out that the ransomware of choice usually depends on the deployment: Some ransomware is meant to be distributed by attackers inside the target infrastructure, he says; some is meant to be executed via social engineering techniques on the part of the end user.
Ransom Is Rising
The security industry has long pushed back against paying ransomware operators, with fear of motivating further attacks. Unfortunately, some schools are left with no other choice. New York's Rockville Center School District recently paid $88,000 following a ransomware campaign.
Demands are getting higher: The attacker who hit Crowder College demanded $1.6 million in ransom; it's not confirmed whether the school plans to pay. Monroe College in New York, which was hit with ransomware in July, received a $2 million ransom demand — the first million-dollar ransom TRU saw for an educational institution before Crowder was attacked later in the year.
Hinkley hypothesizes the rise in ransom demands could be linked to cyber insurance, as the financial risk of an attack is off-loaded onto a third party. While cyber insurance was not created for ransomware, this appears to be one of the more prominent uses for insurance coverage.
Homework for Schools and Districts
The top preparation and recovery step that schools should take is creating multiple backups of their critical data, applications, and application platforms. It's not enough to simply back up the data, Hinkley points out; schools should also be testing their backups to ensure they're ready to go.
"I've also seen organizations that have had robust backup plans but they didn't test them, so the backup didn't restructure," he explains. Testing those backups is equally as important. Schools should also practice detection and response mechanisms to recover from an incident.
On top of that, Hinkley advises strong vulnerability management: Understand the assets in your infrastructure and what impact they have on the organization, and manage software updates.
Training is also essential. Software and hardware aside, schools are an easy target because of the people. Hundreds of kids are using machines and likely have a more relaxed approach to cybersecurity because they simply don't know any better. Educating everyone — students, teachers, administrators — is essential for protecting a school from the effects of ransomware.