Threat actors increasingly targeted K-12 districts in 2022, resulting in triple-digit spikes in malware, ransomware, encrypted threats and IoT attacks.
While K-12 schools had already been increasing their dependence on technology, the COVID-19 pandemic accelerated this growth tremendously. Due to funding constraints, however, schools’ adoption of new hardware and software has often outpaced their districts’ ability to secure this new infrastructure, resulting in an attack surface that has continued to grow — both in size and in appeal to attackers.
According to the GAO, roughly 1,847,000 students have been impacted by ransomware attacks in the United States alone since the beginning of 2020. Since the latest data currently available only goes through the end of 2021, this number, in reality, is much higher — but even these smaller figures, combined with data released by the U.S. Census Bureau, work out to 1 in 26 K-12 students in the U.S. affected in just a two-year period.
But the issue of cyberattacks targeting schools isn’t limited to the U.S. According to a recent audit by the National Cyber Security Centre (NCSC) and the National Grid for Learning, nearly 80% of schools in the United Kingdom have experienced at least one cyberattack. And in late 2022, Ontario, Canada, was shaken by the news of two widespread cyberattacks on educators within a two-week period.
Schools See Triple-Digit Growth Across Most Attack Types
This barrage of attacks on primary and secondary schools can also be seen in SonicWall’s exclusive threat data. In the recently released 2023 SonicWall Cyber Threat Report, we reported massive year-over-year volume increases in attacks on K-12 districts as threat actors continued to shift away from government, healthcare and other industries to zero in on education targets.
In 2022, SonicWall observed a 275% increase in ransomware attacks on education customers overall, including a 827% spike in attacks on K-12 schools. This growth echoed trends observed in the overall malware attack volume: Out of a 157% increase in attacks on education customers overall, the subset of K-12 customers experienced a 323% increase in overall malware attacks.
Huge increases in attacks targeting education were also seen elsewhere in SonicWall’s data. Encrypted attacks spiked 411% over 2021’s totals, and the number of IoT malware attacks rose 146%. And while cryptojacking attempts on education customers increased more slowly in comparison, 2022 marked the second-straight year of significant growth. Taken together with a sustained increase in overall cryptojacking, this suggests we’re likely to see attacks continue to rise as 2023 goes on.
Attacks on Schools: What’s at Stake
The GAO study also revealed the average impact of a successful cyberattack: Lost learning time ranging from roughly three days to three weeks, with actual recovery lasting from two to nine months. This was in addition to any financial losses from things like third-party remediation, replacing equipment and more.
Unfortunately, these attacks aren’t just costly to the schools. After the Los Angeles Unified School District refused to pay a ransom demand, attackers published 500 GB of stolen data consisting of Social Security numbers, student health info, assessment results and W-9 forms to the dark web.
As more schools refuse to pay ransom demands, threat actors are increasingly turning to this method of double extortion to ensure their efforts bear fruit. Because students generally have unblemished credit records, and because their credit typically isn’t being monitored due to their age, cybercriminals can use the personally identifiable information collected in these attacks to open credit cards and commit other financial fraud — with students and their parents oftentimes being none the wiser.
School districts can offer credit monitoring and identity protection services to students whose sensitive information has been stolen. But this is cold comfort to students whose mental health records, bullying reports, disciplinary records and more are now publicly available. In one particularly egregious case, the Medusa ransomware gang released the details of a student’s sexual assault report, reportedly as a means of getting the individual’s parents to pressure the Minneapolis Public School System to pay the $1 million ransom demand.
A New Strategy to Help Schools?
In early March, the U.S. National Cybersecurity Strategy was released, outlining a plan to shift greater responsibility for cybersecurity onto the country’s tech companies. With third-party vendors providing a means of entry in 55% of K-12 data breaches, the report’s goals could provide some much-needed relief to the education industry.
Even so, attacks on schools are likely to continue for the foreseeable future. The goals outlined in the strategy will require a paradigm shift in how the country views cybersecurity, so its benefits are unlikely to be realized in the short term. In the meantime, threat actors specializing in attacks on K-12 schools, such as the Vice Society ransomware group, have already proven as active as ever in 2023.