9 times cyberattacks disrupted education this year

As cyberattacks continue to rise in frequency and severity in 2020, EdScoop looks back on some of the biggest attacks this year.

Cyberattacks are on the rise everywhere, but educational institutions are especially vulnerable, evidenced both anecdotally by high-profile incidents and by research revealing rising frequency and financial impact of attacks.

One recent study found the number of cyberattacks against K-12 districts tripled between 2016 and 2019. Scoop News Group’s independent research on cyberattacks against universities, including ransomware attacks, shows an increasing frequency of attacks, along with rising ransom demands, which administrators are often eager to pay so they can resume operations.

The spotty reporting of these incidents makes exact calculations difficult to pin down, but Verizon’s 2020 Data Breach Investigations Report shows that ransomware attacks in particular are on the rise for the educational services sector, now representing 80% of the 819 incidents logged in the most recent data-collection year.

Universities are vulnerable because of their decentralized structure and their need to cater to a diverse group of users that includes researchers, students who are increasingly connecting from off-campus, community groups, faculty and administrators. K-12 institutions are similarly vulnerable, though often more from a shortage of resources and expertise, as their administrators focus their efforts on educational concerns, not technological ones.

Here are nine times the bad guys won this year:

1. An HVAC attack in Michigan

In January, EdScoop reported that over the holiday Richmond Community Schools in Michigan had been forced to extend its break after discovering ransomware had infected systems running its heating, telephones, copiers and classroom technology. The school restored backups and refused to pay the $10,000 bitcoin demand, but their attackers had succeeded in disrupting the school through an unexpected route: they’d found their way into the district’s network through an unsecured network connection to a heating and cooling system.

2. Gadsden ISD was hit twice

In February, it was discovered that Gadsden Independent School District in Las Cruces, New Mexico, had been forced to take systems offline after discovering a ransomware attack. Ransomware attacks against K-12 schools are common in 2020; at least 18 ransomware attacks against K-12 districts have been reported in a year when pandemic concerns have distracted the usual local news reports and school reporting procedures. But for Gadsden ISD, it was the second time the Ryuk virus had shut down operations within months; the district had scrubbed 10,000 computers, replaced servers and rebuilt its email system the previous summer. Even so, the second time around, the district again refused to pay the ransom.

3. Michigan State hit with NetWalker

In May, Michigan State University became the victim of a new trend in ransomware when it was infected by the NetWalker strain of malware. Instead of merely encrypting data, attackers had begun also to steal sensitive information and threaten its publication if they weren’t paid. The name-and-shame scheme was popularized last year by a ransomware variant called Maze, but attackers have honed the technique, finding success where the release of data is viewed as potentially more harmful to businesses that rely heavily on community trust. Facing down a ticking clock on a public website, though, administrators later reported that they chose not to pay, following the recommendation of law enforcement.

4. Michigan State slips up again

This summer, Michigan State officials revealed a second security slip-up, this time a failure to secure the university’s online shop. Anyone who used the shop to buy Spartan gear between Oct. 19 and June 26 probably had their payment information stolen, the university said, after malware embedded into the website went undetected for months. The university estimated that the incident compromised the credit card numbers of 2,600 people. The school didn’t reveal how it had happened, but said its solution was to enforce mandatory “advanced training” for the website’s administrators.

5. NetWalker strikes again

NetWalker continued its attacks against higher education when two more colleges were revealed in June to have been victims of the ransomware. Its operators claimed to have stolen files both from Columbia College in Chicago and the University of California, San Francisco, posting screenshots of the stolen file directories. In a letter, the attackers urged their victims into paying: “We have very highly sensitive data like social security numbers and other private information which we can send samples to you as proof. We hope that you care for your students and are willing to work with us before this sh!t hits the fan on your College.”

6. School start delayed in Connecticut

Cyberattacks have continued into the fall, forcing some K-12 administrators to delay reopening classes. Hartford Public Schools in Connecticut reported earlier this month that ransomware had forced its systems offline, requiring it to delay the educations of its approximately 18,000 students. The attack, which targeted servers inside the city government, represented “the most extensive and significant” cyberattack to hit Hartford in the last five years, officials said. But the attack could have been much worse, they added, if not for a $500,000 investment in a network defense system made last year.

7. Not all attacks are direct ones

Countless universities around the world were affected by a cyberattack against the digital service provider Blackbaud earlier this year. Attackers stole personal data from the company and weeks later it reported it had agreed to pay its attackers to delete the stolen files. Though the company could offer no proof that the files had truly been deleted, a statement released by the company said “we have no reason to believe that any data went beyond the cybercriminal.” Some of the U.S. universities affected include the entire California State University system; Lenoir-Rhyne University, a private school in Hickory, North Carolina; the University of Notre Dame; University of South Dakota; University of Central Arkansas; and Wake Tech Community College in Raleigh, North Carolina.

8. University of Utah pays big

The University of Utah announced in August that they’d agreed to pay their cyberattackers $457,000 not to release stolen data. The stolen data, they said, represented only a tiny percentage of what it held on its servers, but a cyberinsurance policy was used to cover much of the demand so as not to risk exposing the personal information of students or staff. “This was done as a proactive and preventive step to ensure information was not released on the internet,” a university statement read. Though the university didn’t disclose which group was responsible, at least one researcher blamed NetWalker.

9. UC San Francisco paid bigger

In June, the University of California, San Francisco, paid out $1.1 million to its attackers, one of the largest ransomware sums on record in the public sector. The agreement came after a lengthy negotiation process and a starting demand of $3 million. The attack, which was initially detected on June 1 at the University’s School of Medicine, did not disrupt the school’s research on the novel coronavirus, its patient-care system or the campus’ network, school leadership said, but it wound up representing yet another victory for the operators of the NetWalker virus.