Threats 101
The Barkly Team
Apr 2018

Bad Education: As Cyber Attacks Against Schools Ramp Up, 5 Ways Districts Can Fight Back


Photo by John

Malware attacks against school districts are increasing in volume and complexity. Here are five simple steps district IT teams can take to protect their schools now.

Cyber criminals are rarely the evil geniuses pop culture makes them out to be. Mostly, they are opportunists who take advantage of vulnerabilities that allow them to harvest the proverbial low-hanging fruit. Unfortunately for educators, it turns out that the networks supporting local K-12 school districts are often ripe for the picking.

Vulnerabilities and budget challenges put school district networks at risk

Schools are particularly susceptible to malware attacks for a number of reasons. For one, schools haven’t historically had to make cybersecurity a high priority, and they don’t always have a great deal of experience in fending off attacks. Security measures have also traditionally been viewed more as an inconvenience than an important part of a school’s technology infrastructure (though, fortunately, that's beginning to change as headlines around security incidents continue to pile up).  

Another point of weakness is accessibility. Because they are usually designed to facilitate easy connectivity (free Wi-fi, etc.) and large numbers of desktop and mobile devices, school networks present hundreds or even thousands of potential points of entry into the network.

Most school districts also battle staffing and budgetary constraints, so their IT teams tend to be smaller and sometimes less well equipped than the typical corporate organization or government agency. Stretched thin, these teams don’t always have time to take proactive security measures. Nor do they always have the benefit of a robust endpoint protection solution designed to block the latest attacks. That can put school districts at greater risk because many ransomware and other malware campaigns have actively evolved to evade traditional antivirus detection.

Many districts also lean on third-party managed service providers to provide them with IT and IT security support. Because those providers are offsite, the use of remote administration tools, such as Remote Desktop Protocol (RDP), is also very common on school networks. While those tools provide convenience and greater accessibility, they also present a major risk if not configured and secured properly. Criminals are constantly hunting down systems with RDP exposed to the Internet, and there are even entire thriving marketplaces dedicated to buying and selling access to compromised RDP servers on the dark web.



The sectors with most hacked RDP servers for sale on xDedic. Source: Flashpoint

When security researchers at Flashpoint analyzed the xDedic marketplace in August 2017, for example, they found access for over 85,000 servers up for sale. Organizing the servers by vertical, they discovered the majority (nearly two-thirds) belonged to K-12 schools and universities.

Even a minor attack can have major repercussions

Because so many of today’s teaching resources are online, a loss of internet connectivity or access to files (triggered by ransomware attacks, for example) seriously impairs teachers’ ability to do their jobs. Even a brief and contained outage can be extremely disruptive for both teachers and students.

It’s also important to remember that the nature of the information contained on school district servers is actually very sensitive. It can contain current and past students’ names, addresses, and social security numbers, just for a start. This is exactly the kind of information that allows cyber criminals to steal or create identities, making it valuable on the black market.

Inside-look at two recent real-world attacks

All of these factors have contributed to an increase in the number of schools falling prey to malware attacks. Here are just a few of the stories that have recently made headlines:

Emotet trojan costs North Carolina school district $314,000

In December, employees at Bethany Elementary, Western Rockingham Middle School, and the Rockingham County School District’s Central Office were counting down the days till Christmas and the holiday break when several of them received an email with the subject line "incorrect invoice." The email looked like it was sent from the district's antivirus provider, so several employees opened it and clicked on the attached Word document. Doing so triggered an infection chain that eventually deployed the Emotet trojan, a dangerous piece of information-stealing malware notorious for its ability to spread throughout victim networks and for being extremely difficult to remove. 

In addition to stealing financial information and other credentials, Emotet has two devious methods of spreading. First, it attempts to spread laterally across compromised networks by brute-forcing access to other computers (hence infections on networks with account-lockout policies can trigger downtime). Second, it hijacks victim email accounts in order to send out new phishing emails, in effect turning the victim into a spammer. That can force another level of damage control on infected victims, who often have to explain to their contacts (in this case, parents, students, and vendors) that the emails they're receiving from the victim could infect them with malware and should be deleted. 

In response to the infection, the school board convened an emergency meeting and approved a 12-month, $314,000 project with an external provider to rebuild twenty servers that were compromised by the attack.

Related: Learn how an Emotet infection cost the City of Allentown, PA $1 million in recovery.

Idaho schools recovering for more than six weeks following massive ransomware attack

Also in December, Jerome County School District officials announced it had finally happened to them — a ransomware infection had encrypted much of the school district’s data and left the network crippled. Day-to-day operations were severely impacted. The fallout included a complete outage of the phone system for multiple days (during which parents weren't able to call), and a shutdown of Windows-based computers, which affected lesson plans.

Six weeks after the attack, some systems were still not functional. The attack forced the district’s three-person technology department (with help from some additional resources) to focus all of their attention on addressing the attack, including restoring and cleaning up systems, rebuilding computers, buying new equipment, and upgrading some server systems. In addition, because some of the backups were affected by the attack, some data was lost for good.

Related: Get rare, behind-the-scenes on ransomware recovery efforts during five real-world attacks. Download The True Cost of Ransomware: 5 Companies, 5 Attacks, and the Reality of Recovery.

Outclassed: Advances in attack techniques make it difficult to keep up  


WannaCry and its use of the leaked NSA exploit EternalBlue is an infamous example of how advanced hacking tools are gaining wider distribution and adoption.

Another factor working against school districts is the unfortunate fact that their lack of security maturity and resource constraints is at odds with rapid advances in attack tactics. 

The threat landscape is currently undergoing a massive evolution, driven in large part by the democratization of malicious attack techniques and hacking tools that were previously only used by the attacker elite. These advanced techniques and tools have now found their way downstream into the hands of common cyber criminals who are only too happy to put them to use against lower-profile targets like school districts. As a result, more small and mid-sized organizations are seeing sophisticated malware campaigns that go far beyond old-fashioned phishing schemes. 

With a veritable arsenal of plug-and-play attack components at their disposal, today's attackers often hold a distinct advantage over their targets, many of whom are still relying on legacy security solutions such as antivirus. 

But enough doom and gloom. How can school districts level the playing field?

Crib sheet: 5 things school district IT teams can do to fight back

Here are five things that can make an immediate impact on improving security without being large drains on resources or budget.  

1) Replace antivirus with stronger, smarter endpoint security

As hackers get smarter and gain access to more advanced tools, school districts need to make sure their security measures are keeping pace with the latest threats. Many of today’s attack methods bypass antivirus altogether. To achieve a higher level of protection, districts need more modern solutions that don’t rely on signature-matching and that include built-in defense in depth by utilizing both behavioral analysis and machine-learning-powered file analysis. Learn more about how Barkly checks those boxes and more.

2) Scan your network to see what ports are exposed and secure them

While email continues to be a popular attack vector for malware campaigns, more and more attackers are taking an alternative route, avoiding user interaction altogether and gaining access via Remote Desktop Protocol (RDP) connections or other shared access points. Ensuring that such points of entry aren't left exposed to the Internet and that access is restricted via VPNs, RDP gateways, and two-factor authentication can offer critical protection, especially against ransomware. In addition, conducting regular port scans can help flag any unchecked vulnerabilities.

3) Close the door on Microsoft Office as an infection vector

Hiding malicious code inside Microsoft Office documents and abusing their functionality to launch legitimate scripting engines or command interpreters has become one of the most popular methods of retrieving and executing malware. Disabling or restricting the use of macros, OLE/COM components, and Dynamic Data Exchange (DDE) in Office documents can go a long way toward mitigating this threat and make life for attackers much more difficult. 

4) Patch what you can. Isolate what you can’t.

Keeping up with patches can be an uphill battle (there were 14,702 CVEs published in 2017). Having a system or solution in place to help automate and manage a patching strategy is key, but so is segmenting your network in such a way that you can isolate systems that, for whatever reason, can't receive the latest updates or be patched right away. Limiting what these machines have access to can help prevent the spread of malware if they are compromised. 

5) Don't just have backups, actually test recovering from them. 

When it comes to backup, two very important principles apply: 

  1. Schrodinger's backup: The condition of any backup is unknown until a restore is attempted.
  2. 3-2-1 backup: Make sure you have three copies of your data in two different locations, one of which is offsite. That helps ensure that you’ll always have at least one off-site copy that can’t be encrypted by ransomware.

Making the grade: How even resource-strapped schools can take their security to the next level

Learn how Barkly helps school districts gain an unfair advantage over attackers by providing enterprise-level endpoint protection with none of the unnecessary complexity. It helps IT pros stop attacks, get the details they need (even from their phones), and get on with their day. 

Download the 1-pager or watch the video below. 


The Barkly Team

The Barkly Team

Providing the latest security alerts and updates with context that makes them useful.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.