On Monday, the School District of Janesville announced on its Facebook page that the district’s servers had been hit with what looked like a ransomware attack.
Over the weekend, IT workers had noticed irregularities in the district’s system code. The attack locked servers and temporarily brought down the wi-fi, though the district said Tuesday that its internet was back up.
The incident is just the latest in a rising number of ransomware attacks on city governments and school districts. As of August, 58 attacks had hit 58 school districts and education organizations nationwide, including 830 individual schools. There were 84 incidents in 2020.
Doug Levin, national director of the school cybersecurity organization K12 Security Information Exchange, said districts are appealing targets for several reasons: they often have one of the largest budgets in the community, making them an appealing financial target, but are also often financially under-resourced, meaning their technology might not have all the latest updates to prevent breaches. They also have an incentive to pay so they’re up and running again quickly.
"Parents and members of the community see schools as an essential resource, so there’s very little tolerance for downtime in schools brought about by incidents like this," Levin said.
The School District of Janesville said on Facebook that it’s working with the Wisconsin Division of Enterprise Technology Cyber Response Team, the FBI and the U.S. Department of Homeland Security to get to the bottom of the attack and restore access to all of its systems. The Division of Enterprise Technology deferred comment to the school district, and the School District of Janesville declined to be interviewed and referred WPR to its Facebook posts.
In a Facebook post, the district said no student data had been compromised. However, the data school districts store is another reason they’re attractive targets — schools store employees’ and students’ personal information, including Social Security numbers. For hackers interested in identity theft, those can be a gold mine — most students are years out from applying for credit cards, student loans, housing or other things that prompt them to check their credit.
"Criminal actors can abuse the credit records of young children for years before someone may catch on, and really do tremendous damage to students’ credit records," said Levin.
The Kenosha Unified School District experienced a similar hack in 2018, when malware from the Russian Federation deactivated hundreds of Kenosha Unified laptops and tablets at Indian Trail High School and Tremper High School.
"Coincidentally, we were working with one of our vendors on new detection technologies specifically for cybersecurity attacks, and they had one of their appliances onsite that they activated where they just let it sit on the network and monitor traffic," recalled Kris Keckler, chief information officer for the Kenosha district. "Literally within 15 to 20 minutes, their utility started to identify some anomalies, and within that probably 20 to 30 minute timeline, we had about 1,000 devices that immediately locked up."
One of the things that potentially opened Kenosha up to such a hack was that schools were hanging on to outdated technology. Keckler said the district has a schedule for getting rid of old computers, tablets and devices, but staff were reluctant to offload some devices that still seemed to work fine.
"Unfortunately, a couple of schools had thought 'Oh, I know those machines are old, but they still seem to be doing OK, but we’ll keep them in,'" said Keckler. "Well, those machines, as they go past their life expectancy and support parameters, can’t readily take software updates, security updates, and they become a liability."
The district was able to get back up and running by "re-imaging" the newer devices — wiping them, reloading software and starting over, said Keith Ebner, network manager at KUSD. However, the breach came right before annual spring online student assessments, which meant the schools had to scramble for alternatives.
Since the 2018 incident, KUSD has been much more stringent about phasing out old devices. As the district moved to a 1-to-1 students-to-devices ratio, Keckler and Ebner say they’ve been particularly mindful of making sure those devices, and the rest of the district’s technology, are safe.
"We moved to different types of next-generation firewalls, we’re using more updated technology, we’re using (artificial intelligence) antivirus software," said Ebner.
Keckler said the school’s IT team also sends fake phishing emails as tests, to see which employees click on suspicious links and hopefully make them more aware of the consequences if they clicked on a real phishing attempt. One of Ebner’s favorite dummy emails included a fake link to "the world’s best Butterball turkey recipe."
On the prevention side, Levin, with K12 SIX, said schools should also be mindful of their insurance plans, many of which have cybersecurity riders meant to help districts if they’re attacked.
School District of Janesville spokesman Patrick Gasper confirmed in an email that Janesville has cyber insurance, and that the district has been in touch with its insurance agent about the incident.
Keckler said Kenosha’s policy in 2018 and now included cybersecurity provisions, and that the IT team has sat in on meetings with the insurance agent to understand what’s covered. But he said such provisions don’t always help in the way districts need them to, so districts should pay careful attention to what a policy does and doesn’t include.
For example, he said that one of the first places Wisconsin districts turn to when their systems are compromised is the Wisconsin Division of Enterprise Technology Cyber Response Team, as Janesville did this week, because the team has a lot of specialized cybersecurity expertise that they provide for free.
"There’s insurance policies that say, if you use somebody who isn’t recognized through our department and office, you negate the entire policy," Keckler said. "But they’re a free service, and they know what they’re doing, and they can get to us faster than (insurance) can."
When districts get hit by bad actors, their options are limited. Levin said they should shut down as much of the system as possible to prevent the ransomware from spreading, and then slowly bring what they can back online from backups. Like Janesville, they should get in touch with their insurance providers. If they receive a ransom demand — and Janesville’s Facebook posts note that the district hasn’t yet — some districts may consider paying it.
School districts are in a better position if they work to prevent attacks, or at least prepare for them, in advance, which many are trying to do. Keckler said the issue came up last Friday at a quarterly meeting of tech directors of large school districts.
"We’ve seen increased attempts even in just the phishing realm. Over the last three years it’s significantly grown from what used to be a couple times a month, to several times a month, to now a couple times a week," said Keckler.
In addition to regularly backing up systems so they can be more easily restored in the event of a hack, districts should be vigilant about purging not only outdated technology, but old information. Levin said that while states have a record retention schedule that tells them how long to keep student information after a student graduates, for example, some don’t remove that information from their systems when they should — which opens more personal information up to potential hackers. His organization has a list of best practices to prevent hacks, as well as ways to implement them.