LIVE@CoSN2024: Exclusive Coverage

In an alarming turn of events, school ransomware attacks are likely to cause more school closures than weather-related incidents.

Are ransomware attacks the new snow days?

School ransomware attacks are likely to cause more school closures than weather-related incidents

Key points:

In early January, the Des Moines Public Schools, the largest school district in the state of Iowa, fell victim to a ransomware attack that forced the district to take its network offline and students to miss more instructional time.

In addition to the disruption to operations, the district discovered that the attackers compromised the personal data of nearly 7,000 individuals, putting them at increased risk of identity theft and other crimes.

This is just one attack among hundreds as ransomware gangs relentlessly target the education sector. Disruptive ransomware attacks against the education sector have become so commonplace that they are likely to cause more school closures than weather-related incidents.

In fact, the number of attacks against schools is so high that the month of June was on pace to go down in the record books for the highest volume of disclosed attacks against education organizations to date.

A problem with few solutions

The Cybersecurity and Infrastructure Security Agency (CISA), which oversees protecting government agencies and our nation’s critical infrastructure, recently issued an alert about the growing risk to the education sector from ransomware attacks.

CISA also released updated guidelines for K-12 organizations, which is good. The problem is that guidelines cannot protect schools from ransomware attacks, and they do not provide any additional resources to help stem the tide of attacks on schools.

Ransomware groups continue to victimize the education sector simply because they are easy targets. The fact is, most schools lack the appropriate funding to stand up and maintain even the most basic security programs, let alone one that can go head-to-head with highly skilled threat actors.

Combine this with the fact that legacy security tools that are affordable to the education sector, like legacy Antivirus (AV) and more advanced solutions Endpoint Detection and Response (EDR) tools, are simply not capable of addressing the unique threat that ransomware presents.

Most every organization that reports being a victim of a ransomware attack was victimized despite having these security tools deployed. Ransomware operators and other threat actors routinely bypass, blind, evade, or otherwise circumvent these defenses with relative ease.

These factors together are why we keep seeing disruptive ransomware attacks causing school closures. And even if they had better endpoint protection solutions to assist them, schools would still lack the staff to effectively manage the attacks and realize any benefits in protecting their infrastructure.

Worse yet, these students whose personal information is stolen will continue to be at risk of identity theft and financial fraud well into the unforeseeable future. Ransomware attack trends that include the theft of sensitive data will continue unabated until the profit motives for the threat actors are eliminated. This is organized crime we are dealing with; they only care about bringing pain to victims for their own financial gain.

Security is not a state of being; it is a daily exercise that must include not just the right technology, but the right people and processes as well. But these all require funding, and the education sector already struggles with funding even the most basic functions required to educate students, let alone stand up a security program that can address today’s complex, multi-stage attacks.

Schools need more resources and expertise

To protect critical systems and sensitive data, organizations in the education sector must first reevaluate what kinds of data they collect and store, for how long, and where/how it is stored. Eliminating the unnecessary storage of sensitive data will make schools a less attractive target to attackers and help reduce risk after an attack.

Because the options for detection and prevention are limited for the education sector, they should focus on implementing a resilience strategy and assume they will be the victim of a successful attack with contingencies in place to recover as quickly as possible.

This approach includes endpoint protection solutions, patch management, data backups, access controls, staff/student awareness training, and organizational procedure and resilience testing to be successful.

For the technology aspect of a robust defense, organizations require adequate funding to implement Endpoint Protection (EPP) solutions, because they will catch some commodity attacks. If possible, they should also deploy an anti-ransomware solution alongside existing endpoint solutions (NAV/GAV/EDR/XDR) to bridge the gaps in ransomware-specific coverage.

They also need to ensure they have a good Patch Management program to keep all software and operating systems up to date and free from exploitable vulnerabilities. They should also assure that all critical data is backed up offsite and protected from corruption in the case of a ransomware attack.

For the people aspect, organizations should ensure they have adequate Access Controls in place by implementing network segmentation and policies of least privilege (Zero Trust). Additionally, they should have an active Security Awareness program to educate staff and students about risky behaviors, phishing techniques, and other social engineering techniques attackers use to gain access to a network.

On the process front, organizations need to implement regular Resilience Testing that can stress-test security solutions against simulated ransomware attacks to assure effective detection, prevention, response, and full recovery of targeted systems. Furthermore, they need to also conduct regular Procedure Testing where they can prepare for failure of their defenses by running regular tabletop exercises that include all stakeholders to ensure they are ready and available to respond to an attack at all times.

The takeaway

We will never be able to stop ransomware attacks, but we can prevent attackers from achieving all their objectives by taking care to prevent the exfiltration of sensitive data, by blocking the execution of the ransomware payload, and by having the capabilities in place to rapidly recover systems and data by minimizing any potential downtime.

But schools cannot do this without adequate funding. Guidelines are an important first step to protecting our educational institutions from the impact of ransomware attacks, but they cannot implement guidelines if they do not have the prerequisite resources and skilled personnel.

If we are serious about protecting our education sector, preventing school closures due to ransomware attacks, and protecting our students from the risk of identity theft, we need to bite the bullet and make sure schools have the funding they need to be successful in the face of well-resourced attackers.

It comes down to a choice, and whether we want to collectively invest in protecting our schools and students from cyber snow days or continue with the status quo.

Defending against the most common cyberattacks
Safeguarding K-12 school networks with proactive cybersecurity approaches

Sign up for our K-12 newsletter

Newsletter: Innovations in K12 Education
By submitting your information, you agree to our Terms & Conditions and Privacy Policy.

Want to share a great resource? Let us know at

New Resource Center
Explore the latest information we’ve curated to help educators understand and embrace the ever-evolving science of reading.
Get Free Access Today!

"*" indicates required fields

Email Newsletters:

By submitting your information, you agree to our Terms & Conditions and Privacy Policy.

eSchool News uses cookies to improve your experience. Visit our Privacy Policy for more information.