Are Public Schools Worth Ransoming?

Ransomware attacks against public school systems seems to be on the rise, especially over the past few years. This could be due to more online activity as a result of the COVID-19 crisis, or simply because there is an evolution of ransomware happening. Do public schools really have millions of dollars to spend on ransomware? And if not, then what is the motivation? And is the private information of children financially worth it?

Increasing Ransomware Attack Rate

EMSISoft^[8] reports that over 80 cyberattacks were directed towards education sector organizations in 2021 and sensitive information relating to teachers and students were released online in 50% of the attacks. According to CampusSafety Magazine^[5] and TechTarget^[2], ransomware attacks against public school systems increased in the latter half of 2022. K12 Security Information Exchange (K12 Six) recently released their annual report “The State of K-12 Cybersecurity: Year in Review – 2022 Annual Report” showing yet another annual increase in cyber incidents against school systems (both public and private)^[21]. In the report, it shows that the number of ransomware cyber incidents increased 33% between 2020 and 2021. The report also highlights the weakness of public-disclosure requirements for school districts and the indication that actual incidents might be 10-20 times greater.

Looking at recent news, the Los Angeles Unified School District breach in October 2022 was attributed to the Vice Society reportedly using a Ransomware-as-a-Service technology of HelloKitty/FiveHands and Zeppelin ransomware^[14]. Both ransomware suites rely on exploiting weaknesses in infrastructure, end point security or human error through phishing campaigns. While the first two can be remedied through monitoring and a robust patching process, training humans is extremely important. While ransomware typically encrypts the data and holds it hostage, the new trend has been for double-extortion: ransom your data while also exfiltrating that data to then threaten to leak online. When the LAUSD didn’t pay the ransom, 500GB of data stolen was leaked online. As of this writing, the scope of the data is unclear, but preliminary results indicate that perhaps W-9s and SSNs as well as disciplinary information on students may be in the mix^[16].

Small IT departments lead to Inefficient Cybersecurity

K-12 schools are considered one of the most attractive targets for data privacy crimes often due to the less-than effective cybersecurity practices in schools.

PLANNING FOR CYBER SECURITY IN SCHOOLS:
THE HUMAN FACTOR[6]

Public school systems have a lot on their plates, not all related to education. Providing meals to students, before and after daycare, running active shooter response drills just to name a few. Cybersecurity enforcement adds to that and stretches already small IT/IS/Security departments. An effective cybersecurity program involves training of the workforce adding another demand to the teacher and staff workload as well as a financial investment by the school itself to develop and support said training.

With an average budget of $694 billion (census, reported in 2019)^[17], it’s not lack of funding that is keeping cybersecurity down. It’s prioritization over instruction costs^[18].

The National Center for Education Statistics^[7] Safeguarding Your Technology eBook has a whole chapter dedicated to helping you justify and develop a cybersecurity training program for your school. Start small but start! There are free resources available to help you assess the risk of your institution. The risk assessment provides the scope of what could be done. Then work with your administration to start prioritizing the areas and start making baby-steps towards securing those areas. Consider building a first-step training program from free resources online such as cybersecurity training videos online (just review them for validity beforehand)^[19][20].

Value of Personal Data

Monitoring one’s identity typically doesn’t happen until they begin to make adult decisions such as opening a checking or savings account, taking loans for school, applying for a job or buying a new car, says Experian^[3] Once personal information has been obtained, it can sell on the black market.

A Social Security number may sell for as little as $1. Credit card, debit card and banking info can go for as much as $110. Usernames and passwords for non-financial institution logins are $1, but it can range from $20 to $200 for login info for online payment platforms.

OnPoint Credit Union^[9]

After a social security number has been purchased, the criminal is able to start creating a credit profile for the victim – opening up banking accounts then proceeding to get credit cards. A SSN can quickly turn into receiving public services (food stamps, health care, unemployment) as well as starting down the path towards credit card debt. Applying for secured credit cards when you have little or no credit history is a great way to start building your credit – for both legal and illegal uses.

Financial Cost

The average identity theft victim is taken for about $1,000^{[10][11][12][13]}. This does not include the cost of time to find and fix the identify theft, clean up credit history and purchase identity monitoring software. Nor does this include the cost of stress from being a victim of identity theft.

If the average ransomware attack stole even 1,000 identities (low volume compared to the Yahoo! 2016 data breach but not out of reach for a school) at the ability to obtain $1,000 in credit for each, thieves are looking at a revenue of $1,000,000. For criminals that utilize a RaaS, profit is usually shared, bringing that number down for Vice Society.

The cost of a RaaS kit is from $40/month to a several thousand dollars as reported by Crowdstrike^[22]. Overall, making ransoming for identity theft a very lucrative pursuit. Even with 20-30% of the profits going to the ransomware developer, still profitable. Given the de-prioritization that cybersecurity takes in the education system, schools are easy and lucrative – either with the ransom being paid or through longer-term identity fraud activities or simply selling the data on the dark web.

Protecting your Child’s Identity

References

1. https://www.cisa.gov/stopransomware/cyber-threats-k-12-remote-learning-education
2. https://www.techtarget.com/searchsecurity/news/252525756/Schools-municipal-governments-ravaged-by-ransomware-attacks
3. https://www.experian.com/blogs/partner-solutions/2022/11/why-should-consumers-use-child-identity-monitoring/
4. https://consumer.ftc.gov/articles/how-protect-your-child-identity-theft
5. https://www.campussafetymagazine.com/safety/hackers-leakd-lausd-data-ransomware/
6. https://files.eric.ed.gov/fulltext/EJ1252710.pdf
7. https://nces.ed.gov/pubs98/safetech/index.asp
8. https://www.emsisoft.com/en/blog/40813/the-state-of-ransomware-in-the-us-report-and-statistics-2021/
9. https://www.onpointcu.com/blog/understanding-the-illegal-market-for-personal-information/#:~:text=Most%20valuable%20types%20of%20personal%20information&text=A%20Social%20Security%20number%20may,info%20for%20online%20payment%20platforms.
10. https://www.aarp.org/money/scams-fraud/info-2022/javelin-report.html
11. https://www.experian.com/blogs/partner-solutions/2016/09/real-cost-identity-theft/
12. https://www.idx.us/knowledge-center/the-real-cost-of-identity-theft-to-employees-businesses
13. https://www.definefinancial.com/blog/identity-theft-credit-card-fraud-statistics/#:~:text=What%20is%20the%20Average%20Cost,to%20identity%20thieves%20in%202020
14. https://www.campussafetymagazine.com/safety/feds-ransomware-attacks-k-12-schools/
15. https://blog.rsisecurity.com/are-private-schools-at-a-higher-risk-for-cyber-security-attacks/
16. https://www.latimes.com/california/story/2022-10-02/hackers-release-data-ahead-of-deadline-in-response-to-lausd-refusal-to-pay-ransom
17. https://www.census.gov/library/stories/2019/05/largest-annual-increase-public-school-spending-since-2008.html
18. https://blog.rsisecurity.com/are-private-schools-at-a-higher-risk-for-cyber-security-attacks/
19. https://www.youtube.com/watch?v=6EmD3k3Pb8Y
20. https://www.youtube.com/watch?v=zflsg6TRuos
21. https://www.k12six.org/the-report
22. https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/#:~:text=The%20price%20of%20RaaS%20kits,in%20order%20to%20become%20rich.