The hackers struck over Labor Day weekend, penetrating the computer network of the second-largest U.S. public school system. And though Los Angeles Unified School District quickly caught the breach, it has labored through the week resetting student and teacher passwords to access lesson plans and assignments.
The district superintendent said the attack had “catastrophic” potential, threatening to expose personal information of 540,000 students and 70,000 staff, disrupt classroom instruction and meal services and paralyze a bus system that takes 40,000 kids to school. It drew calls from the White House and prompted a sobering FBI warning this week to school administrators around the country:
Cybercriminals are targeting public schools — and holding them for ransom.
The Los Angeles cyberattack has put Bay Area school officials on high alert.
“Everybody’s jaw hit the floor a little bit,” said Robert Sidford, director of technology and innovation at Mt. Diablo Unified School District, adding that it wasn’t so much that such an attack happened, but that it penetrated such a high-profile target. “The shock is really more that they managed to get Los Angeles Unified, with 600,000 students.”
At Oakland Unified, the LA cyberattack prompted its information technology team to issue a message to all staff about being careful with emails from unknown senders and emails that contain suspicious links. Palo Alto Unified said the attacks were a concern but felt it had adequate security measures in place to help prevent a breach.
Ransomware attacks commandeer an organization’s computer networks, often through malware disguised as legitimate-looking emails with files or links that unsuspecting employees open and unleash upon the system. The hackers then steal sensitive information — trade secrets, personnel files, financial records and student records — freeze out access to the network and demand payment to restore access and return the files.
The cybercrooks threaten to publicize the stolen data and block access to the network if they aren’t paid, but FBI agents strongly discourage organizations from paying the ransom. Elvis Chan, FBI San Francisco Division Assistant Special Agent in Charge, said in three out of four cases, the hackers don’t restore all access and records and continue to make more payment demands.
“It’s a sucker bet,” Chan said. “Three out of four times they get the key but it won’t decrypt all the data, so maybe you only get 60-70% of your data back. Sometimes they don’t give you the key and move on. Or they may ask you for a second ransom. There’s really no honor among thieves.”
While the investigation continues into who hacked into Los Angeles Unified, the FBI this week said a shadowy extortion outfit known as Vice Society, which first appeared in summer 2021 and is likely based overseas, has targeted public schools with ransomware attacks. Chan said about 30% of Vice Society’s targets are public schools.
“This ransomware syndicate Vice Society seems to for whatever reason enjoy targeting the public education sector,” Chan said. “The education sector needs to specifically pay attention.”
FBI officials say ransomware is a growing problem. According to the FBI’s 2021 Internet Crime Report, U.S. ransomware complaints have risen from 2,047 in 2019 to 2,474 in 2020 and 3,729 in 2021, with losses jumping from $9 million in 2019 to $29 million in 2020 and $49 million in 2021. California led the states in overall internet crime victim losses, with $1.2 billion in 2021. That figure includes ransomware, credit card fraud, scams and other crimes.
The report said ransomware tactics and techniques evolved last year and showed “growing technological sophistication and an increased ransomware threat to organizations globally.” The report specifically noted that remote work and online schooling during the pandemic sometimes made computer systems more vulnerable and “left network defenders struggling to keep pace with routine software patching.”
Chan said that there has been growing concern about a particular type of ransomware called Zeppelin that has targeted health care systems and hospitals.
The University of California-San Francisco acknowledged being a victim of such an attack in 2020. UCSF said it “made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”
Last month FBI officials noted a disturbing new trend in which cybercrime syndicates working with the Zeppelin malware have franchised their operation, often to teenagers who can pay the $10,000-$20,000 franchise fee with a bitcoin or two bought with stolen credit card numbers.
“Not to say that 16-year-olds in a basement wouldn’t target a small business, but we see a trend in the health care industry,” said Joe Oregon, chief of cybersecurity at the Cybersecurity and Infrastructure Security Agency’s Region 9.
Oregon said public schools generally have struggled to keep up with the latest “cyberhygiene” practices, making them attractive targets.
Chan said the schools have been hit with both the Zeppelin and Hello Kitty, or Five Hands, ransomware. The most likely infection route into a network is an email, but the attackers also exploit unpatched system vulnerabilities.
Sidford said extra federal and state funding for schools during the pandemic has helped with cybersecurity. But public schools, particularly in the Bay Area, can’t compete with Silicon Valley’s technology companies for in-house cybersecurity experts. So their technology officials must rely upon law enforcement guidance, vendor support and keeping updated response plans in case they are struck.
“It’s an ongoing effort that requires us to be vigilant all the time,” Sidford said. “Obviously when something like this happens, we talk about it and update our plans. When we send everybody home with a Chromebook, it’s increasingly obvious we need to pay attention to that.”