If 100 emails are sent to a school district, each one containing a dangerous hyperlink to a corrupted web domain, and 99 employees don’t click on it, that’s not good enough.
This is the reality facing local education agencies across the country, according to Paul Bischoff, a consumer privacy expert and editor of comparitech.com, a domain of security researchers. Bischoff, a Waynesville native, recently led an exploratory study finding that schools and colleges lost $6.62 billion in downtime alone from 77 ransomware attacks in 2020. Two school districts in Platte County are among those that have been affected in the last three years, along with one in Overland Park, Kansas, according to the study.
The study, Bischoff explained, commences from 2018 because ransomware targets have, since that time, been required to disclose if they’ve been a victim by statute and regulations in most U.S. jurisdictions.
“During that time your systems are down, you’re just hemorrhaging money,” Bischoff said. “By not being able to have kids in class, taxpayers are paying for something that’s not happening. And a lot of the time, the amount of money you lose from downtime is much more than the amount of money you lose from just paying the ransom, which is why schools are often willing to pay just to get kids back in class.”
When ransomware infects an unprepared agency’s servers, it encrypts all the data until an unlock key is provided. Most of the time, the method to do this is communicated to the victim in private, and it does work. Thus, Bischoff explained, it has become more and more common to retain cybersecurity insurance, immediately pay all demands and continue with normal business. But this only increases the scale of the threat.
“It’s kind of like this weird backwards economy where now people are ... rewarding the hackers because they don’t want to get caught out in the media for costly (security) missteps,” he said. “And that’s the No. 1 thing that’s going to encourage more hackers to jump on as they see other hackers making good amounts of money off this tactic.”
Ironically for educators, illicit domains of the internet offer programming scripts and tactical advice for download at affordable prices to would-be ransomware profiteers, who do not need to be skilled hackers. Thus, a district might be hacked, pay the ransom and get its servers restored, only to have one of its own students who — having learned about the reward available — acquires the tools online and shuts them down again.
“It’s not like they have to come up with anything original,” Bischoff said. “It’s much easier than it used to be to get involved in this sort of cybercrime.”