Ransomware surges in education sector in Q3 as attackers wait patiently for start of school year

The number of successful ransomware attacks on the education sector increased by 388 percent between the second and third quarters of 2020. It was a similar story in 2019. This is almost certainly not a coincidence.

In this report, we will examine the reasons for this trend and how there may be a window of opportunity for school districts to detect and remove ransomware before encryption can take place.

Rate of attacks on education sector surges in Q3

The education sector is a popular ransomware target – and it’s easy to see why. School districts are often vulnerable to compromise due to the use of outdated IT equipment and a lack of security resources, while the interconnected nature of campuses makes for a large attack surface and increases the risk of malware propagation. Impacted schools often face immense pressure to pay ransoms in order to minimize disruption to learning and prevent the publication of large amounts of stolen personal data.

The number of successful ransomware attacks on the education sector fluctuates significantly from quarter to quarter. In Q2 2020, eight universities, colleges and school districts were impacted by ransomware. In Q3, there were 31 incidents – an increase of 388 percent. Nine of the 31 incidents involved data exfiltration.

Such a radical surge in incidents could be perceived as a rogue wave: an anomalous event for which nobody could have prepared. But if we look at last year’s figures, we can see that the increased rate of attacks was in fact entirely predictable and, therefore, preventable. In 2019, the number of ransomware attacks on the education sector increased from five in Q2 to 51 in Q3 – an increase of 1020 percent.

Post-compromise attacks likely responsible for the spike

Ransomware groups have increasingly moved toward post-compromise attacks in which, instead of immediately encrypting the data on a compromised system, threat actors take the time to prepare the target environment, harvest credentials, exfiltrate data, destroy backups and disable security processes before finally deploying the data-encrypting ransomware. Attackers are present on compromised networks for an average of 56 days before deploying ransomware.

Therefore, the seasonal ransomware spike in the education sector probably isn’t due to a sharp increase in ransomware activity, nor is it a case of school networks magically becoming more susceptible to ransomware in Q3. Instead, it’s likely a matter of threat actors – who may have had access to the network for weeks prior – waiting for the right moment to deploy ransomware in order to maximize the impact of an attack.

In the education sector, the “right moment” is the start of the school year. Waiting for students to return to school in Q3 before deploying ransomware enables threat actors to inflict maximum chaos and apply greater pressure to districts, which may be more inclined to pay the ransom to quickly restore system access and minimize disruption. This strategy may have been particularly effective this year, with so many districts relying heavily on computer systems to facilitate distance learning in the wake of the pandemic.

In contrast, if attackers were to deploy ransomware in Q2, school districts would have sufficient time over the summer break to recover their data and, therefore, may be less likely to pay the ransom.

The need for better information sharing

If our theory is correct and attackers are indeed delaying deployment, victims have a window of opportunity to detect and remediate threats in the early stages of an attack before encryption occurs.

To stop ransomware early in the attack chain, school districts need to be able to identify the clues associated with malicious activity, otherwise known as the indicators of compromise (IOCs). And being able to identify IOCs relies on the details of previous attacks being collected and shared with districts.
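The following is an added example, not part of the Emsisoft report, of what "identifying the clues" in the pre-encryption window can look like in practice. It scans process-creation log lines for generic precursor behaviours that map to the stages named above (backup destruction, disabling of security tooling, credential harvesting, data exfiltration) and reports the earliest hit, which is the start of a district's detection window. The log format, host names, users and sample lines are constructed for illustration and are not from any real incident; the detection patterns are deliberately narrow, widely documented behaviours, not a complete rule set.

```python
"""Flag pre-encryption ransomware precursors in process-creation logs.

Added example; the log line format below is an assumption, not a real
product's format, and the sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed log format:
#   <ISO timestamp> host=<name> user=<DOMAIN\user> image=<path> cmd="<command line>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# One generic detection pattern per precursor stage the report names.
# Kept narrow so that routine admin activity on a school network does not fire them.
PRECURSOR_RULES = [
    ("backup destruction",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("backup destruction",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("security process disabling",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("credential harvesting",
     re.compile(r"\blsass\b.*\.dmp\b", re.I)),   # a process dump of LSASS written to disk
    ("data exfiltration",
     re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    stage: str
    cmd: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines) -> List[Finding]:
    """Return one Finding per log line whose command line matches a precursor rule."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for stage, pattern in PRECURSOR_RULES:
            if pattern.search(rec["cmd"]):
                findings.append(Finding(rec["ts"], rec["host"], rec["user"], stage, rec["cmd"]))
                break  # one finding per line is enough
    return findings


def stages_hit(findings) -> set:
    """Which pre-encryption stages have already been observed."""
    return {f.stage for f in findings}


def earliest_precursor(findings) -> Optional[str]:
    """Timestamp of the first precursor: the point at which the detection window opened."""
    return min((f.ts for f in findings), default=None)


# Constructed sample log: two benign lines and three precursor lines over three days.
SAMPLE_LOG = [
    '2020-08-24T07:55:10Z host=lib-ws07 user=SCHOOL\\jdoe image=C:\\Windows\\System32\\cmd.exe cmd="cmd /c dir \\\\fs01\\homework"',
    '2020-08-24T08:02:41Z host=lib-ws07 user=SCHOOL\\jdoe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin delete shadows /all /quiet"',
    '2020-08-25T19:14:02Z host=admin-pc03 user=SCHOOL\\svc-backup image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true"',
    '2020-08-26T02:31:55Z host=fs01 user=SCHOOL\\svc-backup image=C:\\Users\\Public\\rclone.exe cmd="rclone copy C:\\Users\\Public\\export remote:exfil"',
    '2020-08-26T08:00:12Z host=lib-ws07 user=SCHOOL\\jdoe image=C:\\Program Files\\Teams\\Teams.exe cmd="Teams.exe --processStart Teams"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.host} {f.user} [{f.stage}] {f.cmd}")
    print("stages seen:", sorted(stages_hit(hits)))
    print("window opened at:", earliest_precursor(hits))
```

In the constructed sample the backup-destruction hit on 24 August is the first sign that encryption is being prepared; every day between that line and the eventual ransomware deployment is time a district could use to isolate hosts, reset the credentials involved and verify offline backups. The value of shared incident details, as argued above, is that the rule list grows from what other districts actually saw rather than from guesswork.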

As it stands, public entities are not legally required to report or disclose ransomware incidents, and due to fear of embarrassment, stigmatization and perhaps litigation, few come forth willingly. Consequently, there is little data available regarding attack vectors, ransomware strains involved, ransom amounts and the financial impact of incidents – critical information that could directly help organizations get a better understanding of the threat landscape and address potential security flaws.

Efforts must be made to close this intelligence gap. Without better reporting and information sharing, school districts are ultimately doomed to repeat the same mistakes of previous victims, leading to continued disruption in the education sector and further profits for ransomware groups.

Emsisoft Malware Lab

The Lab team is a group of cybersecurity researchers whose mission is to enhance protection in Emsisoft products, help organizations respond to security incidents and create analysis that helps decision-makers understand the threat landscape.