The Washington Post

The Cybersecurity 202: Schools are another prime ransomware target


with Aaron Schaffer

K-12 schools are getting hit with a barrage of ransomware attacks, worsening the damage to children’s education brought on by the pandemic and hurting their ability to return to some semblance of normalcy in the fall. 

It’s part of a surge in attacks by hackers demanding ransom payments that has halted operations at critical industries across the nation and become a key national security concern for the Biden administration. 

Schools are facing these attacks with poorer cyber defenses than many private companies and with far more vulnerabilities that hackers could exploit. That’s especially true for schools that will still be operating at least partly remotely in the fall because every remote student’s laptop is an entry point for hackers to worm their way in and infect an entire school’s computer networks.

“All those students and teachers on their computers just dramatically opens up the attack surface,” Josh Moulin, an executive at the Center for Internet Security, or CIS, told me, using an industry term for the number of computers hackers can target to break into an organization. 

CIS runs the Multi-State Information Sharing and Analysis Center (MS-ISAC), a federally funded organization tasked with helping improve cybersecurity for state, local and tribal government entities, including public schools. 

That group saw a 19 percent increase in ransomware and other cyberattacks targeting K-12 schools between 2019 and 2020. It's projecting a whopping 86 percent increase in 2021. MS-ISAC’s emergency response team has been called into more than 100 ransomware attacks at K-12 schools since it started offering that service in 2018. 

“School’s already been disrupted enough, as has life in general, and adding a ransomware attack just compounds the problem,” Moulin said. 

President Biden has made reducing ransomware attacks a key priority in the U.S. relationship with Russia, where most ransomware gangs operate. 

In a call Friday with Russian President Vladimir Putin, he pledged to impose consequences if Russia doesn’t rein in the criminal ransomware gangs operating there, Ellen Nakashima reports.

The call was prompted by the largest known ransomware attack to date, which impacted up to 1,500 small businesses and other organizations. It followed a number of brazen attacks against U.S. critical infrastructure, including the Colonial Pipeline and the meat processor JBS. 

The rising tide of ransomware strikes against schools has drawn far less public scrutiny than those high-profile attacks. And education is not listed among the 16 critical infrastructure sectors that Biden has demanded that Russia place off limits from government and criminal hacking. 

But the costs have been severe.

A ransomware attack shut down Baltimore County schools for several days in November 2020 and other prominent attacks have hit schools in Miami, Toledo and Huntsville, Ala. 

“This is a big deal for the availability of our schools to educate our children,” Moulin said. 

Even before the pandemic, schools were embracing technology more quickly than they were developing cybersecurity protections for it. 

That situation got far worse when schools shifted to remote and hybrid learning last year. 

That gap in protections is often worse at schools with less funding and in lower-income districts that have less money to invest in cybersecurity.

“At less fortunate or smaller schools, many of the IT guys wear multiple hats. If it has a plug in it or it takes electricity, it’s their problem and they’re not always well versed in cyber,” John Wargo, director of technology for the Central Susquehanna Intermediate Unit, a regional public education group in Pennsylvania that receives services from the MS-ISAC, told me. 

MS-ISAC offers a suite of free cybersecurity tools to K-12 institutions across the nation, but only about 2,600 schools are taking advantage of that so far. In other cases, similar cybersecurity resources are offered by states and school districts and some larger districts contract with cybersecurity companies. 

Ransomware groups may also target schools because they think they’ll be desperate to start classes again and more likely to pay a ransom, Moulin said. 

There’s no reliable data for how often schools pay ransom demands, though there are some high-profile cases in which hackers punished schools for refusing to pay. For example, hackers posted 26,000 files from the Broward County, Fla., school district online after it refused to pay a ransom. 

MS-ISAC urges schools not to pay ransoms, Moulin said, a position that’s also held by the FBI and the Department of Homeland Security.

There’s also an added bonus for hackers that target schools: stealing the personal information of students and teachers.

Students’ personal information is especially valuable for identity thieves and scammers because they’re less likely to notice that someone is using their identity to commit fraud if they don’t yet have bank accounts or credit cards that might be alerted.

“[Hackers] have found this is the perfect type of data to steal because most people don’t look at their kids’ credit until it’s too late,” Wargo said, “when they go to apply for college and suddenly realize they own a house somewhere.”

Hill happenings

Republican lawmakers want the Biden administration to add a Chinese chipmaker to a trade blacklist.

Two Republican lawmakers are pressing Commerce Secretary Gina Raimondo to place export controls on the Chinese chipmaker Yangtze Memory Technologies (YMTC), according to a letter obtained by my colleague Ellen Nakashima.

Rep. Michael McCaul (R-Tex.), top Republican on the House Foreign Affairs Committee, and Sen. Bill Hagerty (R-Tenn.), a former U.S. ambassador to Japan, urged Raimondo to place the state-owned national champion on the Commerce Department’s Entity List, a trade blacklist that would block U.S. technology sales to YMTC unless companies receive a license. Both men sit on committees that have jurisdiction over export controls.

The concern is that YMTC will help the Chinese government use unfair trade practices to squeeze U.S. competitors out of the memory-chip market, which could lead to a reliance on Chinese chips that puts U.S. national security at risk.

The semiconductor chips YMTC makes have defense, artificial intelligence and aerospace applications, McCaul and Hagerty write. And YMTC’s leadership has “extensive ties” to the Chinese government, they say. That includes YMTC executives who were previously employed at the Semiconductor Manufacturing International Corp. SMIC was added to the Entity List in December, with a warning that exports to the firm could benefit the Chinese military. YMTC also is linked to the Chinese military through a complex corporate network, they write.

The keys

Kaseya spurned cybersecurity warnings in the years before a major ransomware hack, former employees said.

The former employees say they flagged glaring issues in the company’s cybersecurity practices from 2017 to 2020 but were largely ignored, Bloomberg News’s Ryan Gallagher and Andrew Martin report. The company also didn’t change its cybersecurity posture after hackers used its software to deploy ransomware in 2018 and 2019, three former employees said.

A company spokesperson declined to comment.

Former employees of SolarWinds, Verkada and JBS have raised similar concerns that cybersecurity wasn’t taken seriously enough before major hacks hit those firms.

Robert Graham, founder of the cybersecurity firm Errata Security, took a contrary view.

Hackers allegedly targeted Iran’s transportation sector over the weekend.

Hackers allegedly changed signs to say that trains were delayed, though the country’s government-run railroad company said trains were operating as normal, Reuters reports. A website belonging to the Iranian Transportation Ministry was also taken down in a “cyber disruption,” state media reported.

Iran’s telecommunications minister, Mohammad-Javad Azari Jahromi, warned of ransomware attacks targeting outdated systems in the country.

Chinese regulators plan to review companies’ data security practices before they’re listed on foreign stock exchanges. 

The regulators will review companies that have data on more than 1 million users before they can sell stock outside of China, Josh Horwitz of Reuters reports. The concern is that listing on foreign stock exchanges could raise risks of Chinese citizens’ data being controlled or manipulated by foreign governments, the Cyberspace Administration of China said.

The move comes in the wake of a regulatory clampdown on Chinese ride-share giant Didi just days after it went public in the United States. Chinese regulators took the app off Chinese app stores, with the company saying it expected the move to “have an adverse impact on its revenue in China.” 

Chinese regulators suggested the company delay going on the New York Stock Exchange and review its security practices, the Wall Street Journal’s Lingling Wei and Keith Zhai reported last week.

Lobbying report

  • Former congressman Greg Laughlin (R-Tex.) has registered to lobby for Israeli cyber surveillance firm NSO Group. Two of his colleagues at the law firm Pillsbury Winthrop Shaw Pittman, Craig Saperstein and Elizabeth Moeller, also registered to work for the company. They're joining Brian Finch on the six-month, $450,000 account.
  • Consulting firm J.S. Held’s Frank Holder and Bill Marquardt have registered to lobby for Chinese telecom giant Huawei. They plan to lobby on issues including export controls and sanctions, according to a lobbying registration that was effective July 1. J.S. Held is the fourth firm that has registered to lobby for the embattled company this month.

Securing the ballot

Bolsonaro wages Trumpian campaign to sow doubts about voting (Bloomberg)

Cyber Ninjas play by an alarmingly different set of election audit rules (The Arizona Republic)

Global cyberspace

Ukraine says Russian hackers hit its Navy website (Reuters)

China drafts new cyber-security industry plan (Reuters)

Cyber insecurity

Hacker risks jail to out Middlebury College employee for alleged child porn (The Daily Beast)

'Barely able to keep up': America's cyberwarriors are spread thin by attacks (NBC News)

Fallout from hack of city Law Department could linger for months (New York Times)

Feds indict ‘The Bull’ for selling insider trading info on the dark web (The Verge)

Encryption wars

We got the phone the FBI secretly sold to criminals (Motherboard)

Chat room

Security researcher Jack Cable launched a website to track ransomware payments.

The Institute for Security and Technology’s Leah Walker:

Here are more details from CyberScoop's Tim Starks.


  • Carnegie Mellon University’s Center for Informed Democracy and Social-Cybersecurity kicks off its two-day annual conference today.
  • A House Appropriations Committee panel discusses Homeland Security appropriations at 10 a.m. Tuesday.
  • Defending Digital Campaigns hosts a cybersecurity training event for Oregon campaign and election officials at 2 p.m. Tuesday.
  • A House Judiciary Committee panel holds a hearing on federal law enforcement agencies’ use of facial recognition technology at 10 a.m. Tuesday.
  • Estonian Prime Minister Kaja Kallas discusses international collaboration to secure digital infrastructure at 2 p.m. Wednesday at an Atlantic Council event.
  • The Senate Commerce Committee holds a hearing on supply chain resiliency on Thursday at 10:30 a.m.
  • The Internet Governance Forum USA conference hosts panels on supply chain security and securing the Internet of Things on Thursday at 10:30 a.m. and 12:15 p.m.
  • The House Homeland Security Committee holds a hearing Thursday at noon on changes to the Department of Homeland Security to meet today’s threats.
