Ransomware in 2020 brought new angles and targets, including more cyber threats to schools. Digital attackers may have impersonated parents in a new attempt to get teachers to open ransomware.

When Ransomware Masquerades as a Class Assignment

At the beginning of October last year, Proofpoint flagged an email campaign using subject lines such as ‘Son’s Assignment Upload,’ ‘Assignment Upload Failure for [Name]’ and ‘[Name]’s Assignment Upload Failed.’ The scam mainly targeted teachers whose emails the attackers might have pulled off of public faculty listings on school websites. The body of the attack emails appeared to be written by the parent of one of the recipient’s students.

Using this disguise, the ‘parent’ told the recipient that their child had been unable to submit their class assignment “the usual way you guys do it.” They then said that their child had instructed them to email the assignment to their teacher because they “didn’t want to be marked late.”

Once opened, the document used Remote Template Injection to download a macro-laden document.

Enabling those macros caused the campaign to download malware executables from a free code hosting service. The macros also used a free web bug service to notify the attackers via SMS or email whether the downloaded executables had started up.

Those executables then loaded a custom ransomware strain written in the Go programming language.

The threat appended the ‘.encrypted’ extension to the names of all the files that it encrypted. It then dropped a ransom note entitled ‘About_Your_Files.txt’ on the infected machine’s desktop. This message instructed the recipient to pay $80 in bitcoin.

At the time of Proofpoint’s analysis, no one had posted a payment to the bitcoin address from the ransom note.

The Education Sector Under Attack

As schooling moved online, more threat actors saw it as a hunting ground. Ransomware attacks in this sector surged between the second and third quarters of 2020. Emsisoft found that eight colleges, universities and schools suffered a ransomware attack in Q2 2020. The next quarter, that number jumped to 31 incidents — a growth rate of 388% for ransomware in 2020.

The public school district in Hartford, Connecticut delayed its first day back for students after ransomware attackers compromised approximately 200 city servers. Some of those affected assets served the school, reported The New York Times. Others were in use by emergency personnel.

Near the end of September, a ransomware attack hit the Clark County School District in Las Vegas, Nevada. When school officials refused to pay the ransom, those responsible for the attack responded by publishing stolen Social Security numbers, student grades and other private data.

A few weeks later, both the Yorktown and Croton-Harmon school districts in New York experienced ransomware attacks that affected their laptops and desktops. Around the same time, the Springfield Public Schools district in Massachusetts temporarily closed schools while law enforcement investigated a ransomware attack.

How to Defend Against Ransomware Attacks on Schools

The campaigns described above highlight the need for defenses against ransomware threats. Educational institutions can build those defenses by monitoring the network for signs of attackers using a compromised work account. In particular, they can use user behavior analytics to respond quickly when an account appears to be engaging in suspicious behavior involving company data or systems.

Organizations also need to prepare themselves for the possibility of ransomware threats. In particular, they can invest in creating an incident response team and an incident response plan for school ransomware attacks. IT departments can test those assets on an ongoing basis.
