Why governments, hospitals and, yes, schools are being held up for ransom.

A keyboard
A keyboard
nito/Shutterstock

Why governments, hospitals and, yes, schools are being held up for ransom.

How much would you pay to decrypt your data?
November 7, 2019

While you stepped out of your house, a criminal used a tool that has a catchy yet ominous name – like Ryuk or RobbinHood – to break in through a creaky door or loose window and change all your locks. Now, in order to access your home and its myriad valuable contents, your attacker is asking you to pay $100,000 for an intricate, one-of-a-kind key that will open the new locks. Your other option, of course, is to refuse to pay for the key, cut your losses and walk away from your home forever. So what do you do?

That’s the quagmire local governments, school districts and other organizations like libraries have found themselves in, as ransomware – a type of malicious computer software – grows in popularity as a means of extracting payments in the tens or hundreds of thousands of dollars. Unlike other types of malware, the goal of ransomware is not to steal your data and sell it to a third party for profit or use it to assume your identity. Instead, the goal of ransomware is to lock up your data and sell you the key that’s needed to recover it. In the past year, ransomware attacks have crippled cities like Baltimore, where an attack has amounted to nearly $20 million in related costs. In other instances, ransomware has targeted dozens of locales at once, like the attack this summer that held the data of 22 Texas towns for ransom.

Douglas Levin founded EdTech Strategies, an education, public policy and technology consulting firm, and has studied instances of all kinds of cyberattacks on local agencies like school districts. “Certainly this year, without question, one of the trends has been an uptick in ransomware attacks against school districts,” Levin said. Levin keeps what he calls a “conservative” count of ransomware attacks on school districts, including only the ones that have been publicly confirmed as ransomware, and not those which may be ransomware but haven’t been disclosed as such. So far this year, Levin has counted 45 such attacks on school districts. For all of 2018, there were 12.

This past summer, that trend has been evident in a spate of ransomware attacks hitting New York school districts. The state Education Department is aware of 13 school districts that have been affected by attacks and details have been publicly released about affected districts, including Rockville Centre, Syracuse and Watertown. While not all of those districts ended up paying the ransom to recover their data, the incidents have put a renewed focus on fortifying schools’ cybersecurity. Some experts say that the job isn’t all that hard – that all it takes is a little effort.

“Ransomware is kind of a tax on the lazy,” said Justin Cappos, a computer science professor at New York University. Poorly secured organizations happen to be entities like schools and governments that either haven’t put the effort in to back up their data or don’t have the technical wherewithal to do so, he said. “Assuming you’re doing the very basic things that every organization should do, this shouldn’t be a thing.”

Attackers get into a system through malicious software that might be accidentally clicked in an email or some other delivery system. The malware might lie dormant for months until the attacker decides to use it. Then, they take data that might be valuable to an individual or organization – whether that’s school or hospital records, or baby photos – and encrypt that information so that only the attacker has the key to decrypt it. Finally, the malware will usually display a message demanding ransom from the user in order to access their data again.

Given that, Cappos said, one of the best defenses against ransomware is backing up your data so that you have an extra copy to fall back on, rather than paying an attacker to access the copy they’ve encrypted. Another crucial measure, Cappos said, is regular software updates. “If you backed up your baby photos, then you’re not going to spend $1,000 to get access to them again. You’re just gonna wipe your phone, wipe your laptop, whatever it is, and just go from there,” he said. “Really, this is almost like they’re just hoping people don’t do backups and that they don’t apply software updates.”

Levin admits, however, that building more secure systems is challenging, especially when dealing with limited resources and working against sophisticated attackers. Having the most up-to-date software is important, but that’s not always thought of as a priority by vulnerable organizations. “The most recent operating systems are going to be harder targets to compromise. But often, that may mean that you need more modern machines to run them,” Levin said, adding that public agencies like school districts in particular struggle with letting go of older equipment that’s still functioning at a basic level, because holding on to antiquated equipment saves costs. “The fact of the matter is, the older the equipment is, the more likely it has a known vulnerability that has not been patched and the more insecure it is. You’re sort of paying the price for not updating your inventory in a different way.”

Some of the New York school districts that were attacked over the summer had taken the straightforward steps of creating regular backups, and avoided having to pay ransom. In July, the Lansing Central School District suffered a ransomware attack, but because the district had backed up most of its files to an outside server, no ransom was paid. Watertown City School District also suffered an attack, and though no ransom was paid, the district’s Superintendent Patricia LaBarr told City & State that they are working on cybersecurity protocols and have trained all staff in the basics of cybersecurity.

So far, there haven’t been public reports of attacks on New York City schools. “We have a dedicated cybersecurity team and robust, multifaceted protocols in place to ensure the safety and security of our data,” Isabelle Boundy, assistant press secretary for New York City schools wrote over email. “We work in lockstep with the Department of Information Technology and Telecommunications, NYC Cyber Command, and the New York Police Department, and conduct regular software upgrades and data backups.”

Similarly, there haven’t been public reports of ransomware attacks on New York City agencies, even as attacks on school districts and other organizations across the state were plentiful. New York City has a dedicated agency – New York City Cyber Command or NYC3 – leading cybersecurity efforts across all city agencies. “NYC3 has developed cybersecurity and intelligence partnerships across cities, states, the private sector and law enforcement, enabling NYC3 to constantly evolve the city’s defensive posture as needed,” said Quiessence Phillips, deputy chief information security officer for threat management at Cyber Command.

Other attacks this summer have demonstrated the costs of lacking that kind of preparation. For Rockville Centre school district, the price came out to $88,000 after one type of ransomware, called Ryuk, locked the district out of its own data. The payment was covered by the school’s insurance. Rockville Centre Superintendent William Johnson did not respond to a request for comment, but told Newsday in August that the district’s options were limited. “Look, nobody wants to pay anything, but if they encrypted the files and I don’t have access to them, it is difficult to run a school district without any historical data or emails, most of which were encrypted,” he said.

Rockville Centre isn’t alone in choosing to pay the ransom, and even for those agencies and organizations that have backups and other security measures in place, there are costs to these attacks. In September, the Monroe-Woodbury Central School District had to cancel its first day of classes after ransomware was discovered in their system. In that case, attackers may have underestimated the district’s cybersecurity defenses, as security software notified school officials of the attack in time to shut their system down before it could be held for ransom, and the district also regularly backs up data to an external server. Still, the attackers did pick a prime time to unleash their attack. Getting an organization back on its feet after an attack involves rebuilding the servers with the backed up data and ensuring no other breaches were made. All of that takes time, which is why the district had to start its classes a day late.

Even if the basic steps to protect against a ransomware attack are straightforward, that doesn’t mean that organizations like school districts have the foresight to make them a priority. “Organizations like a bank will spend a lot of money and time and thought (on) their computer security, their cybersecurity,” Cappos said. “They will go and harden their systems to make it very hard for something like ransomware to possibly cause any impact.” Schools, local governments and hospitals, however, are targeted under the assumption that their security measures aren’t up to snuff.

In March, the Albany city government was also hit with a ransomware attack. Albany had backed up its servers and didn’t have to pay the ransom, but the cost of recovering from the attack – restoring data, upgrading software, purchasing new firewalls and other security infrastructure – amounted to roughly $300,000. Officials in Albany caught the attack early, prompting them to shut down servers immediately and keeping the attackers from reaching the city’s critical systems – which meant that while the servers were down for a few days, the city never lost the ability to pay employees, for example.

Since the attack, the city has invested in cybersecurity, including building stronger network defenses and establishing a business continuity plan in the event of another attack. Most notably, perhaps, the city’s new budget includes funds to hire additional information technology staff. “We have expanded our IT department by 23%,” said Rachel McEneny, Albany’s commissioner of administrative services. “That’s a pretty big jump for a city that (doesn’t) have a lot of moving income.”

Staffing is an issue for school districts as well, Levin said, noting that a school might have one IT staff member for every 1,000 students. And even then, that person focuses on routine tasks like fixing jammed printers or installing computer monitors, not staying on top of the latest in cybersecurity.

If there’s a bright spot in all this, it’s that these incidents have forced local agencies and governments like Albany to prioritize prevention and preparedness efforts, and reports of the attacks may encourage unaffected organizations to prepare for the possibility of an attack. For months now, the state Education Department has been working on enhancing security protocols across the state in order to adopt a standardized approach. The Board of Regents is considering a proposed regulation that would, among other things, restrict when personally identifiable information is provided to a third-party contractor and standardize protocols across all state educational agencies to conform with the National Institute of Standards and Technology Cybersecurity Framework. Levin praised that particular framework, and called the adoption of it in New York a “very positive step.”

“Throughout these recent occurrences, the department has worked closely with and continues to collaborate with the state’s chief information security officer, the (state) Division of Homeland Security and Emergency Services and other state agencies in supporting affected school districts and educational agencies and in developing strategic guidance for best practice approaches,” a spokesperson for the state Education Department wrote in an email. Officials at the state Office of Information Technology Services declined to comment.

There are also efforts at the federal level to provide local groups with more support in preparation for an attack or in the event of an attack. U.S. Senate Minority Leader Charles Schumer is the co-sponsor of a bill that would authorize the U.S. Department of Homeland Security to provide help in protecting school districts and other local organizations from ransomware attacks, including by strengthening “cyber hunt” and “incident response teams” to be sent to organizations suffering an attack. The bill has passed in the Senate and a similar one passed in the House, and the two bodies are undergoing the reconciliation process. But as Wired has reported, there’s still a lack of knowledge in Congress about just how wide-ranging a threat ransomware is to cities and states, and some lawmakers are calling on the federal government to direct more resources to vulnerable organizations.

Together, efforts at collaboration across city and state agencies, and the prioritization of security measures, will presumably lower the chances that a ransomware attack will be effective. If an organization has strong firewalls or has backed up its data, attackers won’t be able to extract a ransom payment. But in the interim, organizations without those protections have a tough choice to make if hit with a ransomware attack. The prescription from law enforcement agencies like the Federal Bureau of Investigation is clear when it comes to cooperating with attackers: Don’t do it. The FBI protocol in responding to ransomware attacks is to not pay the ransom, and the bureau points out that doing so is not a guarantee that you’ll get your data back. Plus, paying the groups demanding ransom provides incentives for those attackers to engage in more of the same – or even other crimes. “If they pay, they’re funding this criminal organization,” Cappos said. “These criminal organizations are also often involved in really terrible things like human trafficking, drug trade, stuff like that. This is not an organization you’re going to make a charitable donation to.”

More collaboration and standardization of protocols would strengthen resistance to ransomware attacks, Cappos said. If no one paid ransom, attackers would have little incentive to continue launching the attacks. This summer, 225 mayors across the United States signed a resolution agreeing not to pay ransom in the event of an IT security breach.

Still, that approach works better when all cities, local governments and organizations are equally prepared for an attack – whether that means introducing education about preventing attacks, protocols for regular backups and software updates, or having knowledgeable staff who can carry out those efforts. After all, every house in your neighborhood could be perfectly fortified and prepared for an attack, but when your own house is left vulnerable, it’s up to you to decide how much you’ll pay to recover everything you own.

Annie McDonough
Annie McDonough
is a tech and policy reporter at City & State.
20191114