This is the fifth installment of a five-part series on ransomware in schools.

 

With the influx of digital platforms and resources into schools over the last two decades, the K-12 sector has quickly become one of the most popular targets for hackers.

Even before the COVID-19 pandemic forced a heavy transition to digital learning, the rate of adoption and the increasingly technological nature of classrooms were outpacing the ability of school district budgets to keep up with cybersecurity personnel and procurement needs.

“This is now a 24/7/365 ask, with many districts not having the human or funding capital,” said Todd Wesley, chief technology officer for Lakota Local School District in Ohio.

Ransomware is a particularly popular mode of attack for cybercriminals targeting K-12 schools, as it presents an opportunity for double extortion. 

On the surface, school districts are caught in an impossible situation where essential, largely private data necessary for operations is encrypted and locked by an attacker who issues a ransom demand so districts can have their access restored. And even if schools pay the ransom — which the FBI advises against — there’s no guarantee that access or the data itself will be restored.

And that leads to the other head of the double extortion monster: Student data and identities are among the most valuable on the dark web, due largely to factors like the lack of credit history among minors. So a highly successful ransomware attack can net a payout from both the ransom itself and the sale of the stolen data on the black market.

To pay or not to pay a ransom — that is the question for schools

The FBI and other federal agencies recommend ransomware victims refuse to cater to ransom demands because payments will not guarantee that sensitive data is decrypted, systems will no longer be compromised, or data will not be leaked.

But some education finance and cybersecurity experts say the decision is not always easy. For instance, it may be less expensive and disruptive to pay a ransom to have a compromised system restored than to deal with the potential security and financial fallout of not doing so.

A district's compromised network may mean there are "no classes, nothing in person, nothing online, nothing. So there's very little appetite for that happening," said Doug Levin, co-founder and national director of K12 Security Information eXchange. Known as K12 SIX, the national nonprofit helps protect schools from cybersecurity risks.

Additionally, there's a lot of concern about sensitive data — especially personally identifiable information about children — being leaked, Levin said.

But paying a ransom means "you're directly funding criminals. You're encouraging them to go after other school districts," he said. And "there's certainly a chance that they won't honor their commitments."

Marguerite Roza, director of Georgetown University's Edunomics Lab, an education finance research nonprofit, said that as ransomware attacks have become more prevalent in K-12, discussions about whether to pay have been integrated into Edunomics' Certificate in Education Finance course attended by school district leaders, among others.

The classes discuss hypothetical situations where a victimized school district weighs the expense of school closures and rebuilding compromised systems against the cost of paying the ransom demand.

"If the ransom is $250,000 and your costs are going to be $2 million, you can see pretty quickly why they pay that $250,000," or maybe try to negotiate it down to $75,000, Roza said.

Ransom payment decisions likely depend on a district's financial and digital infrastructure circumstances.

K-12 organizations whose backup systems were compromised during a cyberattack were more than three times as likely to pay a ransom to recover encrypted data than those whose backups weren't breached, according to a survey of 300 international education IT leaders earlier this year by cybersecurity company Sophos.

Sometimes, districts will negotiate the ransom amount with cybercriminals. The Sophos survey found only 13% of K-12 organizations paid the initial amount, while 32% paid less and 55% paid more.

The Sophos research also showed that money for a ransom payment in K-12 comes from a variety of sources, including the organization's own budget, their cyber insurance provider, a governing body, and personal finances of an individual.

If ransomware attacks keep proliferating across school systems, the costs for response, recovery and ransom payments may need to become an annual operating expense, said Roza. She offered an analogy of how cities incorporate responses to certain "nuisance" crimes into their budgets.

"I wonder if someday we're going to get there with this," Roza said. "If we can't shut it down, we have to almost think of it as graffiti. There's a cost every year to address it."

Senior Reporter Kara Arundel contributed this story. Kara earned a Certificate in Education Finance from Georgetown University's McCourt School of Public Policy in February 2024, with a scholarship from Georgetown's Edunomics Lab.

While that’s bad enough news on its own, the hard truth of cybersecurity is that there’s no 100% guaranteed defense against attacks.

“We need more defenses, because the threat actors are becoming more sophisticated every day, and the defenses that we had are no longer sufficient,” said Lisa Irey, director of technology for Des Moines Public Schools in Iowa. In January 2023, DMPS fell victim to a ransomware attack that exposed the data of around 6,700 people.

“The strategy is we try to layer defenses to stop as many vulnerabilities as possible. You're never going to be able to plug every hole and stop every threat from coming in,” said Irey.

So what are beleaguered school districts to do? Here are four prevention and response recommendations.

Illustration: Julia Himmel/Industry Dive
 

Implement phishing tests

The weakest link in an organization’s cybersecurity is often the end user. It only takes one person clicking on the wrong link in a suspicious email to open the door for cybercriminals. Thus, it’s essential to train teachers, staff and students on what to look out for and why they must always remain vigilant.

One way many districts do this is through phishing tests, in which fake but realistic-looking phishing emails are sent to users on the school system's network.

“I would even prioritize the individuals that you do that to,” said Adam Phyall, director of professional learning and leadership at the Alliance for Excellent Education, or All4Ed, a nonprofit that advocates for equitable educational opportunities for students of color, students from low-income families, and other marginalized groups.



For example, where all staff may receive a phishing test a couple of times a year, high-profile targets would be tested at an even greater frequency. This might include those working in human resources, business, the superintendency and other administrative roles with access to sensitive data.

“I would do my internal phishing more on them than others, because they hold more keys to the castle than other people,” said Phyall, also a former director of technology and media services for Newton County School System in Georgia.

For added protection, Irey also recommends that staff with access to privileged databases retrieve that information from separate accounts specifically set up for accessing that data — rather than retrieving all information from their standard employee account.

“Say an IT administrator has their regular employee account. There should be a separate set of credentials that they use to do their domain administration work or their service administration work,” Irey said. A domain account is used across multiple systems in a network, whereas a service account is created specifically for a single system within that domain.

Both Phyall and Irey advise requiring all staff to use multifactor authentication at the very least.

“Personally, it's annoying at times to have to go to that authenticator app to confirm it, but it is that extra step in security,” Phyall said. “This is like putting that deadbolt on your door of your house. You’ve got it locked, but this is adding that deadbolt to it, giving you that extra layer of security in your network.”

Los Angeles Unified School District Superintendent Alberto Carvalho updates the media on Sept. 6, 2022, about a ransomware attack that occurred during Labor Day weekend of that year. Despite safeguards like phishing awareness, districts like LAUSD can still be susceptible to cyberattacks.
Damian Dovarganes/AP
 

Establish a backup network

One of the most prominent safeguards against ransomware is the use of backup networks, in which critical data and information is copied from all devices and storage spaces on a network to a backup server. That backup server in many cases may be located in the cloud rather than being a physical, on-premises server.

There are, however, risks to remain aware of with this approach.

For instance, Phyall said, districts need to vet the third party managing the backup server and also ensure that the backup is clean and doesn’t contain dormant ransomware or other malware waiting to be activated.

A third-party system conducting a backup can catch ransomware in a system — which is in some cases how districts have actually found out that ransomware has been embedded, Phyall said.

Adam Phyall is the director of professional learning and leadership at the Alliance for Excellent Education.
Permission granted by Adam Phyall
 

While backup networks have become a core component of protecting against ransomware in the business world, it’s often still not cost-effective for school districts to do the same.

For instance, a fully managed disaster recovery solution may have a base cost of $500 plus $2-3 per gigabyte per month, according to Optimal Networks, an IT services provider that works with law firms, associations and consultancies. If a district has terabytes — thousands of gigabytes — of data to back up, those costs can balloon quickly.

“We are tasked with trying to prepare our students for the future, but also protecting them and their information. And it's a fine line to try to balance” the financial limitations and the need to protect that data, said Irey.

Explore state and federal supports

Fortunately for K-12 tech professionals, a variety of supports exist at the state and federal levels.

“First and foremost, talk to your state education department,” said Phyall, adding that most states have some level of cybersecurity support in place for school districts.

Among state resources that Phyall named are specialized cybersecurity advisors, no-cost or low-cost cybersecurity audits, and additional network monitoring capabilities.

The Federal Communications Commission’s E-rate program, which helps schools and libraries access affordable telecommunications services, hasn’t typically covered cybersecurity tools and services. The agency opened the application window for its $200 million Schools and Libraries Cybersecurity Pilot Program on Sept. 17, and it will close end-of-day Nov. 1.

“That's definitely a step in the right direction,” said Irey. “I do hope that a lot of my peers will join me in applying for those funds so that we can show that this is a great need.”

Another resource, Wesley said, is the Cybersecurity and Infrastructure Security Agency’s State and Local Cybersecurity Grant Program, which offers funds to state and local government agencies. The program offered $279.9 million in grant funding in fiscal 2024.



“This may allow state education departments to centralize services and support for K-12 schools at a cheaper cost and learn what is working and not working between states and districts more quickly,” Wesley said.

Phyall also recommends building relationships with local and federal FBI and CISA contacts.

“Ensure that you have a plan in place for when it happens, not if it happens,” said Phyall. “I think about it the same as in your own home, where you have the list on the refrigerator with your poison control" and other emergency numbers. "Have that list ready and available, so people know who to call when it happens.”

Lisa Irey (left), director of technology for Des Moines Public Schools in Iowa, discusses a ransomware attack on the district with other administrators in January 2023.
 

Remember to think about people first

Should the unthinkable happen and your district fall victim to a ransomware attack, it’s critical not to forget the impact on the information technology pros laboring to get things up and running again, said Irey.

For those who experienced the January 2023 ransomware attack against Des Moines Public Schools — "the people on my team — it was a grief event,” said Irey. “It was like losing a loved member of our family, if you think about all the time and energy that the people on my team took to build and care for a network that supports the work of 30,000 students, 5,000 staff.”

School districts rely heavily on these systems not just for business and academic operations, but to be able to remotely lock down schools in an emergency or to inform staff of students’ allergies, dietary restrictions and emergency contacts. A ransomware attack can significantly upend a school community for at least several days.

Among the things that stung the most for Irey’s team was knowing that the resulting two days of school closures interrupted access to essential services like meals for the 75% of students in the district who qualify for free and reduced-price lunch.

“Their safest place where they're going to have a lot of their basic needs met is at school,” said Irey. “So for our ransomware attack, for us to have to cancel school because we couldn't have the systems running that were going to keep us safe and keep us healthy, it actually was disadvantaging our students" who were already a vulnerable population.

Even after schools reopened, Irey said, it took the IT team several months to rebuild all of those vital systems. During that time, district leaders prioritized thinking about the people behind that work.

“The No. 1 question I get is, ‘How many team members did you lose?’ Not a one, because we invested in our people and in our culture to where we had people dedicated to say, ‘You know what? This happened, we're gonna dig in and roll up our sleeves, and we're gonna work together to fix it,’” said Irey. “The culture of our school district was such that the finger didn't get pointed at us.”

In fact, students and teachers made the IT team thank-you cards and sent them treats and care packages. “They knew what we were going through, and they were encouraging us,” said Irey. “We got a lot of grace to go through that.”

News Graphics Developer Julia Himmel contributed data and graphics support to this story.