On September 5, Los Angeles Unified School District (LAUSD) announced that it had been the victim of a ransomware attack. The group behind the attack, Vice Society, threatened to leak the stolen data. The school district opted not to pay the ransom, and LAUSD superintendent Alberto Carvalho confirmed that the data was leaked in a statement on Twitter. As of October 3, the school district believes the impact of the released data is relatively limited, according to a report by the Los Angeles Times.
The LAUSD ransomware attack is just one incident in a larger trend of threat actors targeting the education sector. How can other school districts and educational institutions protect themselves?
The LAUSD Attack and Response
The root cause of the LAUSD attack has not been released, but some kind of social engineering, such as phishing, was the likely tool leveraged to access LAUSD’s systems and launch the ransomware attack, according to Keatron Evans, principal security researcher at technology training company InfoSec Institute, part of Cengage Group. Evans has conducted penetration testing, general security consulting, and incident response for school districts across the US.
“Vice Society has a reputation for being one of the few cybercriminal groups whose modus operandi largely remains unknown. Specifically, the group meticulously deletes all details related to their double extortion activities to hinder investigation and future recovery efforts,” says Itay Shohat, director of incident response and threat hunting at cyber technology and services company Sygnia.
On September 30, LAUSD released a statement detailing its response to the cyberattack, including the decision not to pay the ransom. “Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate.”
The school district launched an independent information technology task force following the attack, drawing on cybersecurity expertise in the public and private spheres. The breach received federal attention with the FBI, the White House and the Cybersecurity and Infrastructure Security Agency (CISA) lending support, according to the LAUSD statement.
Education as a Target
Education appears to be increasingly a target of interest. Last year, 67 ransomware attacks impacted 954 schools and colleges, according to a report from cybersecurity consumer website Comparitech. The State of Ransomware in Education 2022 report from cybersecurity-as-a-service company Sophos found that 56% of lower education organizations and 64% of higher education organizations experienced ransomware attacks in the last year, an increase from just 44% of respondents in education from the company’s 2021 survey.
In September, CISA released an alert on Vice Society, warning that it has observed the group disproportionately targeting the education sector. The agency also warned that ransomware attacks on educational institutions are likely to increase: “The FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks. School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable.”
The vulnerabilities attackers exploit in the education sector are typically not much different than those in any industry, according to Evans. “What is different is the security posture, since schools are generally designed from an IT perspective to be more open as to support ease-of-use and functionality,” he explains.
Attackers are motivated by the sensitive data that schools safeguard. “They [schools] also host a large amount of sensitive data — such as student progress and behavioral reports, IEPs, and others — that can be leveraged by the threat actor to pressure the organization for paying the ransom,” Shohat says.
Addressing Cybersecurity in Education
Cyberattackers’ interest in the education system is well-documented, but many educational organizations lack the funding and staff of other sectors. “Public schools … spend the majority of their funding just trying to keep computers up to date enough to be useful, let alone secure,” Chester Wisniewski, Principal Research Scientist at Sophos, points out.
Respondents to the 2022 State EdTech Trends survey reported cybersecurity as a high priority. But the report found that just 6% of respondents said that their state provides enough funding for cybersecurity, and 57% of respondents said that their state provides very little or a small amount of cybersecurity funding.
States could receive more funding for cybersecurity through the Department of Homeland Security’s State and Local Cybersecurity Grant Program. The program will award $1 billion in grants over four years. Local governments, including school districts, are eligible to work with their states and apply as sub-applicants.
Though more funding is a possibility, school districts and educational institutions are still faced with the prospect of mitigating cybersecurity risk with limited resources right now.
“Due to budget constraints, schools should identify and focus on what is most important to protect. For sensitive assets such as student information, financial data, and personnel records, school districts should use network segmentation,” Erick Galinkin, Principal Researcher at cybersecurity company Rapid7, recommends.
School districts and other stakeholders in the education sector can review their current security and adopt best practices, such as backing up sensitive data, implementing multi-factor authentication, utilizing access controls, and investing in end-user training.
What to Read Next: