Why Education is the New Cybercrime Epicenter

As large enterprises continue to strengthen their security posture, we’ve seen a sustained shift toward attacks on so-called “soft targets.” These organizations are essential to the functioning of our society, but they also tend to be comparatively less secure and resilient due to inadequate staffing and resources. Unfortunately, this has made them highly attractive targets for cybercriminals.

While state and local governments once bore the brunt of these attacks, the huge increase in technology used by K-12 schools and universities during the pandemic has brought a corresponding rise in attacks on education customers.

SonicWall Data Shows an Industry Under Attack

And this trend shows up in our data time and again. In our Mid-Year Update to the 2023 SonicWall Cyber Threat Report, SonicWall identified 2% decrease in malware overall—but a 179% increase in malware targeting education customers.

While this stat included a 42% decrease in malware attacks on higher education and an 80% decrease in attacks on other education customers, such as driving schools and exam and test prep, those gains were more than offset by a 466% increase in malware targeting K-12 schools.

Encrypted attacks on education also increased significantly, up 2,580% compared with this time in 2022. And while schools have scarcely been on the radar of cryptojackers in the past, the first six months of 2023 brought a staggering 320 times as many cryptojacking hits as in the first half of 2022.

This is a bigger danger to education customers than it may initially appear. Cryptojacking can decrease the speed of your network by nearly 70%, making it significantly harder for instructors to teach and for students to research, take exams and collaborate. The demands of illicit mining have also been known to tax devices to the point of overheating and even catching fire.

But even in cases where cryptojacking causes no immediately discernible catastrophic effect, that doesn’t mean it’s harmless. If an attacker has accessed your network, they could be exfiltrating customer data, stealing intellectual property or doing any number of other things that you aren’t seeing.

A Wider Trend

This uptick isn’t exclusive to SonicWall customers, however. According to CISA, the number of attacks on K-12 schools more than quadrupled between 2018 and 2021, from about 400 in 2018 to more than 1,300 in 2021. The Center for Internet Security found that by the end of 2021, nearly 1 in 3 U.S. school districts had been breached — while this is the most recent data currently available, this total is certainly much higher by now.

A report from the U.S. Government Accountability Office highlights the effects of such attacks. Its research found that cyberattacks on K-12 institutions resulted in a loss of learning ranging from 3 days to 3 weeks, with recovery time stretching from 2 to 9 months.

And while the U.S. may see the most cyberattacks on schools, these sorts of attacks are rising everywhere. A recent National Cyber Security Centre report found that nearly 80% of UK schools have experienced at least one type of cyber incident.

Schools generally don’t pay ransom demands, so why are so many researchers showing an uptick in these attacks compared with other “soft targets”? A lot of it has to do with data. While easily accessible staff and administrator PII data is attractive, it’s only part of the picture.

Many adults monitor their credit and quickly notice if a new account or large transaction under their name has appeared. But few check the credit of their children, allowing criminals and other bad actors to act with impunity years or even decades before a person will have occasion to have their credit checked.

A particularly egregious example followed the 2020 attack on Toledo Public Schools: Parents there reported that they had begun receiving mail indicating someone was trying to open car loans and credit card in students’ names.

Who’s Behind These Attacks?

The most well-known group attacking education right now is Vice Society. In September 2022, the group attacked the Los Angeles Unified School district, the second-biggest public school system in the U.S. When the district refused to pay the ransom demand, the group posted 500 GB of data on its dark web leak site.

That same month, CISA issued a Joint Cybersecurity Advisory on the group, warning that it was “disproportionately targeting the education sector with ransomware attacks.” As reported by CBS News, over 40 educational organizations, including 15 in the U.S., were victims of ransomware attacks at the hands of Vice Society in 2022.

While the group appears to be diversifying somewhat in 2023, they’re still actively targeting education, with attacks on Okanagen College in British Columbia, Canada; Lewis and Clark College in Portland, Oregon; Tanbridge House School in West Sussex, U.K.; Guildford County School in London; and countless others.

But while Vice Society may be the most prominent group targeting schools, they’re far from alone. In February, the ALPHV/BlackCat ransomware group released more than 6 GB of data from Ireland’s Munster Technological University, including payroll information and employee records. They were also responsible for 2022 attacks on North Carolina A&T University and Plainedge Public Schools in the U.S.

That same month, the Medusa ransomware group attacked Minneapolis Public School District. The district refused to pay a $1 million ransom, and was able to use backups to successfully restore its systems. But the group had stolen more than 100 GB of data — including intelligence test results, psychological reports and details of sexual abuse allegations — all of which was later leaked to the public.

And in January, the Royal Ransomware Group — perhaps best known for their attack on the city of Dallas, Texas—attacked the Tucson Unified School District, the second-largest district in Arizona, U.S., impacting nearly 30 thousand individuals.

Other high profile attacks in 2023 have included Western Michigan University, Des Moines Public Schools, and Bluefield University in Virginia. In the latter case, the Avoslocker ransomware group used the school’s mass alert system to send a message to the entire campus encouraging students to pressure the university to pay the ransom, lest 1.2 TB of their personal data be leaked.

A Brighter Future?

But despite the increase in attacks, there’s cause to be optimistic. In addition to efforts at the state level, such as those in Texas and Minnesota, there has been a lot of progress at the federal level as well.

In October 2021, U.S. President Biden signed the K-12 Cybersecurity Act, which “requires the Cybersecurity and Infrastructure Security Agency (CISA) to study the cybersecurity risks facing elementary and secondary schools and develop recommendations that include voluntary guidelines designed to assist schools in facing those risks.”

In August 2023, CISA released a trove of guidance, including “K-12 Digital Infrastructure Brief: Defensible and Resilient,”  “Adequate and Futureproof,” and “Privacy-Enhancing, Interoperable and Useful.”

In July 2023, Federal Communications Commission Chair Jessica Rosenworcel proposed a pilot program that would provide up to $200 million in competitive grants aimed at increasing security against cyberthreats among schools and libraries.

And just this month, the U.S. Biden Administration announced the launch of an initiative aimed at strengthening K-12 cybersecurity.  This “government coordinating council” will help ensure that schools are able to respond to and recover from cyberattacks and other cyber incidents.

“Just as we expect everyone in a school system to plan and prepare for physical risks, we must now also ensure everyone helps plan and prepare for digital risks in our schools and classrooms,” Education Secretary Miguel Cardona said in a release. “The Department of Education has listened to the field about the importance of K-12 cybersecurity, and today we are coming together to recognize this and indicate our next steps.”

Download our Mid-Year Update to the 2023 SonicWall Cyber Threat Report for the rest of our education data, as well as a look at how cybercrime affected government, finance, retail, and healthcare customers.

Anti-Ransomware Day: What Can We Do to Prevent the Next WannaCry?

On May 12, 2017, attackers identified a vulnerability in a Windows device somewhere in Europe — and in the process, set off an attack that would ultimately impact roughly 200,000 victims and over 300,000 endpoints across 150 countries. The devastation wrought by WannaCry caused financial losses of roughly $4 billion before the strain was halted by an unlikely hero just hours later. But perhaps most devastating of all was that it was completely preventable.

To help raise awareness about ransomware strains like WannaCry and the steps needed to combat them, INTERPOL in 2020 teamed up with cybersecurity firm Kaspersky to declare May 12 Anti-Ransomware Day. By taking a few important steps, organizations can help stop the next major ransomware attack, averting the potential for downtime, reputational damage, fines and more.

“Cybercrime and cybersecurity may seem like a complex issue that is difficult to understand unless you are an expert in the field — this is not the case. INTERPOL’s campaign aims to demystify these cyberthreats and offer simple, concrete steps which everybody can take to protect themselves,” INTERPOL’s Director of Cybercrime Craig Jones said.

What’s Changed Since WannaCry?

In the years since the infamous attack, ransomware has continued to grow. In 2021, SonicWall Capture Labs threat researchers recorded 623.3 million ransomware attempts on customers globally. This represents an increase of 105% from 2020’s total and a staggering 232% since 2019.

And while ransomware was a hot topic worldwide due to attacks such as WannaCry and NotPetya, which would begin its own savage trek across the globe just six weeks later, ransomware volume in 2017 was less than a third of what it was in 2021.

Weakened, but Still Wreaking Havoc

While variants such as Ryuk, SamSam and Cerber made up 62% of the ransomware attacks recorded by SonicWall in 2021, WannaCry lives on — and in surprising numbers. By now, five years on, the number of vulnerable Windows systems should be virtually zero. A patch for the EternalBlue vulnerability exploited by WannaCry was released two months prior to the attack, and Microsoft later took the unusual step of also releasing patches for Windows systems that were old and no longer supported.

But in 2020, SonicWall observed 233,000 instances of WannaCry, and in 2021, 100,000 hits were observed — indicating that there are still vulnerable Windows systems in the wild that need to be patched.

We Can Worry … Or Get to Work

What made WannaCry so successful was that many organizations at the time took a set-it-and-forget-it approach to IT, leaving vulnerable hundreds of thousands of endpoints that could otherwise have been patched prior to the attack. But while patching is a crucial part of any cybersecurity strategy, it can’t work alone — there are still a number of other steps organizations need to take to bolster their odds against the next big ransomware attack.

  • Update: Whenever possible, enable automatic updates on applications and devices on your network — both for operating systems and for any other apps in your ecosystem.
  • Upgrade: The older an operating system gets, the more malware and other threats are created to target them. Retire any software or hardware that is obsolete or no longer supported by the vendor.
  • Duplicate: All important data should be backed up to a place inaccessible by attackers. Having adequate and up-to-date backups on hand significantly eases recovery in the event of a ransomware attack.
  • Educate: A staggering 91% of all cyberattacks start with someone opening a phishing email. Teach employees to be wary any time they receive an email, particularly one with an attachment or link.
  • Safeguard: By taking the above steps, most attacks can be prevented, but not all. They’re called “best practices” and not “universal practices” for a reason: If any are allowed to lapse — or new methods are found to circumvent them — organizations will need a strong last line of defense. An advanced, multi-layer platform that includes endpoint security, next-gen firewall services, email security and secure mobile access can work to eliminate blind spots and eradicate both known and unknown threats.

“In the past two years, we have seen how cybercriminals have become bolder in using ransomware. Organizations targeted by such attacks are not limited to corporations and governmental organizations — ransomware operators are ready to hit essentially any business regardless of size,” Jones said. “To fight them, we need to educate ourselves on how they work and fight them as one. Anti-Ransomware Day is a good opportunity to highlight this need and remind the public of how important it is to adopt effective security practices.”

Ransomware-as-a-Service RaaS is the New Normal

Business models always have to tackle the method of distribution, will they sell directly or through a channel of distributors or a mix of both. The same is with ransomware developers. Many are electing to take their successful code and sell it as a kit, which eliminates many risks and the hard work of distribution all the while collecting a cut of the prize.

Throughout the past year, and even until the large-scale WannaCry attacks, floating between the peaks of the infamous events are small focused attacks en masse from rebranded exploit kits. In the past quarter, we have discovered a mix of developer hobby/chaos-malware, rebranded ransomware, and repackaged RaaS ransomware.

  • Trumplocker
  • AlmaLocker
  • Jigsaw
  • Lambda
  • Derialock
  • Shade
  • Popcorn

Recently, one author showed how easy it is to launch a ransomware attack within an hour… with zero hacking skills. So what does this mean to an organization like yours? Should this scare you? Simply put, attacks from more sources equals more attacks but SonicWall has your back.

First off, organizations can have the front-line protection of our award-winning multi-engine network sandbox, SonicWall Capture Advanced Threat Protection (ATP) Service. Capture ATP automatically takes suspicious code at the gateway of your network, and runs it in three parallel engines (and counting) to see what it wants to do from the application, to the OS, to the software that resides on the hardware. We find the newest ransomware families and updates this way.

Secondly, our Capture Labs research team catches many new variants of ransomware and malware in multiple ways as well as from a multitude of external sources. Once new ransomware families are found (either from Capture ATP, a honeypot, or another Capture Labs source), the intelligence is cross-pollinated to the rest of the SonicWall portfolio of security products.

Lastly, organizations can expect to be hit by a wide range of ransomware attacks and should ensure they have a good backup policy and focus on awareness training.

To learn more, watch this video to see how SonicWall stops ransomware: