Ransomware in 2020 brought new angles and targets, including more cyber threats to schools. Digital attackers may have impersonated parents in a new attempt to get teachers to open ransomware.

When Ransomware Masquerades as a Class Assignment

At the beginning of October last year, Proofpoint flagged an email campaign using subject lines such as ‘Son’s Assignment Upload,’ ‘Assignment Upload Failure for [Name]’ and ‘[Name]’s Assignment Upload Failed.’ The scam mainly targeted teachers whose emails the attackers might have pulled off of public faculty listings on school websites. The body of the attack emails appeared to be written by the parent of one of the recipient’s students.

Using this disguise, the ‘parent’ told the recipient that their child had been unable to submit their class assignment “the usual way you guys do it.” They then said that their child had instructed them to email the assignment to their teacher because they “didn’t want to be marked late.”

Once opened, the document used Remote Template Injection to download a macro-laden document.

Enabling those macros caused the campaign to download malware executables from a free code hosting service. The macros also used a free web bug service to notify the attackers via SMS or email whether the downloaded executables had started up.

Those executables then loaded a custom ransomware strain written in the Go programming language.

The threat appended the ‘.encrypted’ extension to the names of all the files that it encrypted. It then dropped a ransom note entitled ‘About_Your_Files.txt’ on the infected machine’s desktop. This message instructed the recipient to pay $80 in bitcoin.

At the time of Proofpoint’s analysis, no one had posted a payment to the bitcoin address from the ransom note.

The Education Sector Under Attack

As schooling moved online, more threat actors saw it as a hunting ground. Ransomware attacks in this sector surged between the second and third quarters of 2020. Emsisoft found that eight colleges, universities and schools suffered a ransomware attack in Q2 2020. The next quarter, that number jumped to 31 incidents — a growth rate of 388% for ransomware in 2020.

The public school district in Hartford, Connecticut delayed its first day back for students after ransomware attackers compromised approximately 200 city servers. Some of those affected assets served the school, reported The New York Times. Others were in use by emergency personnel.

Near the end of September, a ransomware attack hit the Clark County School District in Las Vegas, Nevada. When school officials refused to pay the ransom, those responsible for the attack responded by publishing stolen Social Security numbers, student grades and other private data.

A few weeks later, both the Yorktown and Croton-Harmon school districts in New York experienced ransomware attacks that affected their laptops and desktops. Around the same time, the Springfield Public Schools district in Massachusetts temporarily closed schools while law enforcement investigated a ransomware attack.

How to Defend Against Ransomware Attacks on Schools

The campaigns described above highlight the need for defenses against ransomware threats. Educational institutions can do this by monitoring the network for signs of attackers using a compromised work account. In particular, they can leverage user behavior analytics to quickly respond to instances where an account appears to be engaging in suspicious behavior involving company data or systems.

Organizations also need to prepare themselves for the possibility of ransomware threats. In particular, invest in creating an incident response team and an incident response plan for school ransomware attacks. IT departments can test those assets on an ongoing basis.