How to battle the new form of ransomware targeting schools

Commentary: No need to panic. Just be prepared for cyberthreats.

The education sector is learning the lessons of weak data security the hard way: Cyber-thieves have attacked more than three dozen school districts this year, exploiting poorly defended systems to steal valuable information or take over their networks and hold them for ransom.

It’s a familiar problem. The education field sees above-average rates of phishing, malware and spam email compared with other sectors of the economy, according to Symantec’s 2017 Internet Security Threat Report — Government. No surprise, then, that information security topped the EDUCAUSE 2018 Top 10 IT Issues list for the third year in a row.

But as malicious hackers continue to target school districts, the U.S. Department of Education is now warning of an even more insidious form of cyber-extortion.

Blackmail secures ransom payments


Schools have previously been targeted by ransomware attacks, in which malicious hackers encrypt an organization’s data and hold it hostage until they get paid. In this latest scheme the attackers skip the encryption step: they exfiltrate the data outright and demand payment for not releasing it. Unless the ransom is paid, they threaten to sell the purloined names, addresses, phone numbers and other sensitive student data.

As a way of applying added pressure on the schools, attackers also send email or text messages to parents and students raising the prospect of violence at their school. In one case, over 20 parents received these kinds of threatening messages.

One district was recently forced to shut down 30 schools for three days as a preventive measure. So far, law enforcement has not deemed any of these threats of violence to be credible. But the psychological damage is real, with falling attendance at the targeted schools. Meanwhile, news of these attacks has resulted in copycat incidents leading to bogus threats to disrupt other schools.

The criminal gang behind these attacks calls itself the Dark Overlord. The group has been described as foreign, but at least one member has an excellent command of English, so it most likely has multiple members, at least one of whom hails from an English-speaking country. These attackers have previously targeted health care organizations, movie studios and manufacturers.

Battling the attack


What can you do to blunt the threat posed by the Dark Overlord? First, don’t pay the ransom. The attackers already hold copies of the stolen data, so paying buys you only a promise, and there is absolutely no guarantee that they will delete the data rather than sell it anyway. You can’t trust criminals.

Second, keep these attackers out of your school from the start. That means stepping up the work of securing your network and the data that resides on it. The Department of Education just issued some pretty good advice. It suggests:

  • Conducting security audits to identify weaknesses and update/patch vulnerable systems.
  • Ensuring proper audit logs are created and reviewed routinely for suspicious activity.
  • Training staff and students on data security best practices and phishing/social engineering awareness.
  • Reviewing all sensitive data to verify that outside access is appropriately limited.

Also, the FBI has spotlighted the practice of attackers using anonymous FTP servers, most likely set up earlier and then forgotten by IT organizations, to gain access to an organization’s network. Unless there is a documented, legitimate need for them, disable anonymous login on those servers or decommission them now. Start by inventorying every host that still listens for FTP, because the server nobody remembers is exactly the one that never shows up in an audit.
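As an added example (not code from the Department of Education, the FBI or the author), the following Python script covers two of the recommendations above: reviewing FTP audit logs for anonymous logins and unusually large downloads, and probing hosts to see whether they still accept an anonymous FTP login. It assumes vsftpd’s default log format; the sample log lines are constructed, and the 1 MB download threshold and the client addresses are arbitrary.

```python
"""Audit helpers for the forgotten-anonymous-FTP problem:
(1) probe a host for anonymous FTP login, and
(2) review a vsftpd-style log for anonymous activity and bulk downloads."""
import ftplib
import re
import sys
from collections import defaultdict

# vsftpd's default log format (assumed here; adjust the pattern for other servers):
#   <date> [pid N] [user] OK LOGIN: Client "ip"
#   <date> [pid N] [user] OK DOWNLOAD: Client "ip", "/path", 1234 bytes, 50.00Kbyte/sec
LOG_RE = re.compile(
    r'\[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) (?P<action>LOGIN|DOWNLOAD|UPLOAD): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]+)", (?P<nbytes>\d+) bytes)?'
)


def anonymous_ftp_allowed(host, port=21, timeout=3.0):
    """Return True if HOST accepts an anonymous FTP login, False on refusal or any error."""
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login()  # ftplib defaults to user "anonymous", password "anonymous@"
            return True
    except ftplib.all_errors:  # connection refused, timeout, "530 Login incorrect", ...
        return False


def scan_ftp_log(lines, byte_threshold=1_000_000):
    """Summarise anonymous logins and per-client download volume from vsftpd log lines.

    Returns a dict with:
      anonymous_clients   set of client IPs that logged in anonymously (OK LOGIN)
      failed_anon_logins  count of rejected anonymous logins (scanning or brute-force noise)
      bytes_by_client     total bytes downloaded per client IP, any user
      flagged             [(client, bytes)] for clients above byte_threshold, largest first
    """
    anonymous_clients = set()
    failed_anon_logins = 0
    bytes_by_client = defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # CONNECT, QUIT and other lines we do not score
        user, status, action, client = m["user"], m["status"], m["action"], m["client"]
        is_anon = user.lower() in ("anonymous", "ftp")
        if action == "LOGIN" and is_anon:
            if status == "OK":
                anonymous_clients.add(client)
            else:
                failed_anon_logins += 1
        elif action == "DOWNLOAD" and status == "OK" and m["nbytes"]:
            bytes_by_client[client] += int(m["nbytes"])
    flagged = sorted(
        ((c, n) for c, n in bytes_by_client.items() if n > byte_threshold),
        key=lambda cn: cn[1], reverse=True,
    )
    return {
        "anonymous_clients": anonymous_clients,
        "failed_anon_logins": failed_anon_logins,
        "bytes_by_client": dict(bytes_by_client),
        "flagged": flagged,
    }


# Constructed sample log (not real data): an outside client pulls two student
# exports over an anonymous login while a staff account works from the LAN.
SAMPLE_LOG = """\
Tue Mar 13 10:15:02 2018 [pid 2] CONNECT: Client "192.0.2.10"
Tue Mar 13 10:15:02 2018 [pid 2] [anonymous] OK LOGIN: Client "192.0.2.10"
Tue Mar 13 10:15:09 2018 [pid 3] [anonymous] OK DOWNLOAD: Client "192.0.2.10", "/pub/export/students.csv", 5242880 bytes, 1024.00Kbyte/sec
Tue Mar 13 10:16:40 2018 [pid 4] [jsmith] OK LOGIN: Client "10.0.5.21"
Tue Mar 13 10:16:55 2018 [pid 4] [jsmith] OK DOWNLOAD: Client "10.0.5.21", "/staff/handbook.pdf", 204800 bytes, 400.00Kbyte/sec
Tue Mar 13 10:17:01 2018 [pid 5] [anonymous] FAIL LOGIN: Client "198.51.100.7"
Tue Mar 13 10:18:30 2018 [pid 6] [anonymous] OK DOWNLOAD: Client "192.0.2.10", "/pub/export/parents.csv", 3145728 bytes, 900.00Kbyte/sec
""".splitlines()


if __name__ == "__main__":
    report = scan_ftp_log(SAMPLE_LOG)
    print("anonymous logins from:", sorted(report["anonymous_clients"]))
    print("failed anonymous logins:", report["failed_anon_logins"])
    for client, nbytes in report["flagged"]:
        print(f"FLAG {client}: {nbytes} bytes downloaded")
    # Optional live probe of your own hosts: python ftp_audit.py host1 host2 ...
    for host in sys.argv[1:]:
        print(host, "ALLOWS anonymous FTP" if anonymous_ftp_allowed(host) else "ok")
```

To run the log review against a real server, pass the open file: `scan_ftp_log(open("/var/log/vsftpd.log"))`. Only probe hosts you are authorized to test; a hit from `anonymous_ftp_allowed` is the server to disable or decommission, and a client that appears in both `anonymous_clients` and `flagged` is the first thing to investigate in the logs.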

You don’t need to be afraid of cyberattackers. They may be evil, but they are not evil geniuses. They simply take advantage of mistakes we make. But we can fix the errors. It just takes diligence to follow best practices, put good security practices and products in place, and to be prepared.


Kevin Haley is the director of product management for security technology and response at Symantec.