2019-20 may be year of ransomware
On Board Online • September 2, 2019
By Pauline Liu
In Japanese comic books, Ryuk is an angel of death. It is also the name of a computer virus that hackers have used to cripple the online systems of school districts across New York State during July and August.
Known attacks have involved the Lansing, Mineola, Rockville Centre, Syracuse and Watertown school districts.
Usually a demand for a ransom, payable in Bitcoin, is embedded in files installed by the virus, which encrypts files and blocks users' access to computer systems.
No ransom demands accompanied viruses in the Lansing, Mineola and Watertown districts, according to superintendents. But Rockville Centre hackers extracted $88,000 - all but $10,000 paid by the district's insurance company, according to a detailed Q&A document posted on the district's website.
In Mineola, Superintendent Michael Nagler said a district employee unwittingly downloaded the Ryuk virus in January by clicking on a "phishing" email. It installed another virus called Emotet that sat on the network for more than half a year. On Aug. 4, the hacker who had penetrated the district with the virus apparently sold access to the district's servers to another hacker who sent a command that encrypted all data on the network. Fortunately, the district was able to use offline backups and expects to restore about 90% of functionality by Sept. 4.
Nagler said that an official with the U.S. Department of Homeland Security told him that the department believes most school districts have Emotet or a similar virus residing on their networks, looking for vulnerabilities.
Because the viruses send messages back to the hackers, "One of our big takeaways is to monitor outgoing traffic as often and as carefully as we monitor incoming traffic," Nagler said.
Experts say the trend is clear: cyber extortion in schools is on the rise.
"Ransomware started to take off this year," said Douglas Levin of EdTech Strategies in Arlington, Virginia, which tracks cyber attacks against school districts.
The FBI has called ransomware the "biggest cybersecurity problem in the world." In 2018, the bureau's Internet Crime Complaint Center (IC3) received 51,146 extortion-related incidents, up 242% from 2017.
According to Kaspersky, a Moscow-based cybersecurity firm, ransomware demands average around $13,000 per attack, though the highest paid out by one company was $930,000.
In a July 31 advisory, the State Education Department directed all educational agencies to report any suspected ransomware attacks to the New York State Intelligence Center, a counterterrorism unit within the New York State Division of Homeland Security & Emergency Services at (844) 628-2478.
Sharon Cates-Williams, deputy commissioner of SED's Office of Performance Improvement and Management Service, has also asked districts that suspect they are victims of a cyberattack to notify:
- The BOCES district superintendent.
- The local Regional Information Center.
- SED Chief Privacy Officer Tope Akinyemi at (518) 474-0937 or email@example.com.
NYSSBA advises districts to contact their insurer, as well. "That probably would be my first call," said NYSSBA Executive Director Timothy G. Kremer.
New York's two leading public school insurers, New York Schools Insurance Reciprocal (NYSIR) and Utica National Insurance Group, say they can help districts sort out their financial options if attacked by ransomware or other malware.
Also, if anyone is going to negotiate with ransomware attackers, it's often the insurance carriers, according to industry experts. Districts will also need to find out if insurance will pay to restore the system minus the cost of any deductible.
"So far, there are a low number of (ransomware) claims," NYSIR Assistant Executive Director Thomas Austin told On Board, noting that the company offers free online workshops on cybersecurity as part of its risk management program.
NYSIR members, which total 356 districts and BOCES, have been provided with $250,000 of base level cybersecurity coverage included with their general liability coverage for the past few years, Austin said. For an additional premium, coverage limits of up to $1 million are available. Deductibles vary.
Coverage available for ransomware, specifically, is limited to a figure that Austin declined to disclose. Whether or not NYSIR can provide ransomware coverage is reviewed on a case-by-case basis, Austin said.
Utica National currently has no open ransom demands or claims from districts in New York. However, recent claims have involved other information technology issues including data being compromised.
Utica National offers districts a Cyber Suite coverage with limits ranging from $250,000 to $1,000,000. But not all its customers have elected to purchase it, and the coverages are individually underwritten and subject to approval.
One issue of ongoing debate is whether victims of ransomware should pay the ransom.
Financially, it may be appealing. Last year, the city of Atlanta was targeted in one of the most serious ransomware attacks against an American municipality. According to published reports, the city did not give in to the hackers' demands for about $51,000 in Bitcoin. Instead, restoring the computer system wound up costing the city about $17 million.
"Apparently, some districts not only pay the ransoms, but publicly acknowledge doing so," said Erin Gilsbach, a Pennsylvania school law attorney who specializes in cybersecurity and will be speaking at NYSSBA's Annual Pre-Convention School Law Conference in October. "I question whether that's considered a best practice."
The FBI has long recommended against paying a ransom to criminals, because the payment doesn't guarantee an organization will regain access to its data. Plus, it might encourage criminals to commit more attacks.
"Paying a hacker's ransom is not always the best choice, but ultimately, it's their choice," FBI Public Affairs Specialist Sarah Ruane said.
If districts are faced with ransomware demands and make the decision not to pay, they also need to determine if they can run their schools without access to data.
"Even if they have a backup system, it takes about two weeks to restore data," Gilsbach said. "That's too long for some districts."
In addition to ransomware attacks, a number of school-related data breaches have made headlines across the state.
In the Gates Chili Central School District, a 17-year-old student faces felony charges after the student allegedly hacked into a former superintendent's account on two occasions to gain access to security camera footage and student data.
In early August, numerous New York school districts, including Rochester, Webster, East Irondequoit, Fairport, Brighton, Victor, Pittsford, Fayetteville-Manlius and Brockport confirmed being affected by a data breach.
The districts were among 13,000 current and former school and university accounts potentially breached after a hacker targeted AIMSweb, an online educational platform offered by testing giant Pearson Education. In a written statement, Pearson said it learned of the attack in March and there's no evidence that the unauthorized information has been misused.
Even though cybersecurity incidents appear to be on the rise, experts believe they remain underreported. Since he launched a database in 2016 to track cybersecurity breaches in schools, EdTech Strategies' Douglas Levin has logged 544 incidents nationwide. He believes the actual numbers should be much higher.
"It's way worse than I've publicized and probably 10 to 20 times more frequent, but people are embarrassed to come forward," Levin said.
Through its cybersecurity audits of districts, the state Comptroller's Office has found that many districts failed to provide staff with cybersecurity training. The audits have revealed that computers assigned to employees were routinely used for personal and private matters.
To help districts reduce their risk of a ransomware attack, the State Comptroller's Office created an online management guide at www.osc.state.ny.us/localgov/pubs/lgmg/ransomware.pdf.
In the coming months, districts have plenty to be concerned about, according to experts. Gilsbach said she is concerned that ransomware is available to anyone on the black market.
"It's become malware-for-hire on the school front in recent years, which means there's more out there," according to Gilsbach.
And as some victims pay the ransom, the cost of ransoms could go up.
"When an attack is successful it's likely to be repeated," Levin said. "People learn that it can be lucrative." He said he's heard that cyberattackers, like kidnappers, set deadlines and sometimes increase the amount of their ransom demands.