With its ability to bring an entire organization grinding to a halt, ransomware has become a scourge for all business sectors. While it might seem obvious for the opportunistic criminal ransomware gangs launching the attacks to go after more capital-rich industries, educators have increasingly become the target of choice.
The FBI, CISA, and MS-ISAC recently issued a warning that US school districts are being increasingly and disproportionately struck by disruptive ransomware attacks, with K-12 institutions appearing to be the most common victims. Our own research has found that the education sector has consistently been one of the most frequent targets this year alongside government institutions.
So why are educators such a popular target for these ransomware gangs, and what can institutions do to protect themselves?
Why Ransomware Gangs are Targeting Educators
Capital-rich sectors like finance and technology may seem to be the most significant prizes for profit-driven criminals. They are also among the best defended as they can afford higher budgets for security strategies and solutions.
Education, meanwhile, is well known for its budgetary constraints. Cybercriminals know that many institutions lack the resources to invest in more recent security measures such as anti-data exfiltration.
Further, ransomware is all about disruption. The bigger the impact on the victim, the more likely they are to meet the ransom demand – no matter how extortionate it might be. Callous criminals know that educators are highly vulnerable in this regard, with a ransomware infection leaving them unable to carry out essential administration and teaching tasks.
In addition to ransom payments, the education sector serves as a rich source of personal and financial information that can be leveraged for subsequent extortion or sold on to other criminals on dark web markets for an easy profit.
How Does Ransomware Impact Educators?
The education sector is not as heavily disrupted by ransomware as mechanized industries like manufacturing, but an attack can still have a far-reaching impact.
In August, for example, the Mansfield Independent School District in Texas was hit by an attack that took out its internet network, leaving its email, phone, and web services dark. While most classes were able to proceed, teachers had to move forward without the digital tools that have become mainstays of the modern classroom.
Further, the Raptor identification system, which enables staff to screen and manage guests entering school grounds, was also disabled. As a result, no visitors were permitted access to campuses in the school district until systems were brought back online.
The ransoms offered as a way of quickly making these problems go away have also become increasingly steep. In June of this year, the Glenn County Office of Education in California was hit by an attack that disabled its internet-based services, including voice-over-internet phones, emails, and financial software across the county.
The perpetrators, the Quantum ransomware gang, demanded an eye-watering $1m to restore the system, an extortionately high figure even as ransom costs continue to rise. Still, the Office did eventually pay the gang $400,000. Such costs will be a disaster for any institution already struggling with its budget.
Getting Rid of Ransomware from Schools and Districts
The most dangerous element of a ransomware attack is the speed at which the malware propagates through the network and disables systems. An educator can easily find critical applications and databases locked down mere minutes after the infection begins – and a single click on an email or link is often all it takes to start the ball rolling.
Even if the organization stands firm against the ransom demands, it still has to deal with the cost of remediation, restoring its systems, and the impact of disruption to its students. Educators should have remote system backups in place so they can recover from any attack quickly.
Even if the damage is repaired, the criminals are increasingly likely to have stolen data that will be used for extortion or sold to the highest bidder for use in fraud and further attacks.
With this in mind, ransomware defenses need to focus on stopping attackers from entering the network in the first place.
The Most Important Defenses for Educators
Email security is one of the most important tools here, as strong filters will catch the majority of low-level attacks. However, threat actors have become more skilled at crafting emails that can bypass signature and keyword-based email scanners. This means it’s also important for staff and students to be trained in spotting the hallmarks of a malicious email.
Institutions should have standard security solutions such as firewalls and Endpoint Detection and Response (EDR) tools to detect suspicious and malicious activity. However, more savvy criminals are now deploying ransomware designed to evade these defenses, so educators should also consider measures like data segmentation and anti-data exfiltration that will stop ransomware from easily spreading through the network. Anti-data exfiltration (ADX) tools can also be invaluable in preventing attackers from stealing sensitive data that can later be used for extortion.
For educators looking to invest in their defenses on a limited budget, solutions that have a high potential for integration and automation will offer greater value. More automation will enable them to better catch fast-acting threats like ransomware, as well as reduce their expenditure on IT and security personnel.
Ransomware gangs are counting on their victims being unprepared for the disruption and willing to pay up to resolve the crisis. Educators that can mitigate the chance of an infection and bounce back quickly will defy the bullies and deny them their payday.
The author, Dr. Darren Williams, is the CEO and founder of Black Fog.