Ransomware attacks against schools are surging, researchers find

Nearly 50 school districts and educational institutions have been the victims of ransomware attacks in 2019, according to cloud security firm Armor.
ransomware skull
(Getty Images)

Ten more victims of ransomware have been detected in educational institutions over the last nine days, researchers at the cloud security firm Armor announced Monday.

The ten latest victims join an increasing number of schools targeted by ransomware attacks in 2019, including a community college that was hit with a $1.6 million demand from hackers that had been lurking on its network for months before going active.

In total, 49 educational institutions or public school districts have been infected so far in 2019, Armor found.

The academic sector is the second-most common target of publicly disclosed ransomware attacks, trailing only the estimated 70 municipalities that have been struck by payday-seeking hackers. But counting just school districts can belie the extent of the ransomware attacks’ reach — Armor estimates that the districts that have been hit comprise nearly 500 individual grade schools.


Like small local governments, schools are “targets of opportunity” that are often “behind the curve in terms of security and countermeasures,” said Chris Hinkley, the head of Armor’s Threat Resistance Unit. But schools are particularly vulnerable because a successful ransomware attack has the potential to disrupt lesson plans or even delay the start of the academic year.

The Flagstaff Unified School District in Arizona had to push back the first day of its new school year earlier this month after administrators of the 11,000-student system discovered a ransomware infection. A school district in Orange County, New York, also lost a day due to a cyberattack.

The type of ransomware used has only been identified in a handful of attacks against schools, though Ryuk — one of the more common variants — has been the culprit in at least five incidents this year, Armor found. It is also possible that some of the attacks against schools could have come by route of a third-party service provider, as has been the case in some attacks against municipalities. Hinkley said.

“It’s a possibility where an organization that is providing services to schools might be attacked and it goes to the schools,” he told EdScoop.

Of the 10 new ransomware victims Armor identified in the past week, nine are school districts, spread across Florida, Pennsylvania, Illinois, Nebraska, Ohio and Missouri. In at least one — in Lansdale, Pennsylvania — an early-September attack prompted officials to order students to return their school-issued computers. While any organization is prone to human errors like opening a malicious email attachment or hyperlink, Hinkley said schools are especially vulnerable.


“Humans are always going to be your weakest links,” he said. “You have employees but you also have thousands of children as well. As you would in an organization having employee training, maybe you could have that in schools for students.”

The 10th member of Armor’s batch of recent victims, Crowder College, a two-year school in southwestern Missouri, is still dealing with the effects of what appears to have been a long-gestating attack. While the ransomware at fault encrypted the college’s systems on July 11 — demanding $1.6 million — investigators found evidence it had originally accessed its network in November 2018.

Hinkley said that nine-month gap could have been the result of a hacker activating a dormant Trojan horse virus or exploiting a known vulnerability in software like Microsoft’s Remote Desktop Protocol, which is often targeted by hackers.

“We’re seeing a lot of the same-old tried and true techniques being used to attack schools,” Hinkley said.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed is the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He has written extensively about ransomware, election security, and the federal government's role in assisting states, localities and higher education institutions with information security.

Latest Podcasts