Ransomware attack shuts down Baltimore County schools

Ransomware incapacitated Baltimore County Public Schools' network just before Thanksgiving, but the school system said students' Chromebooks and Google accounts were not impacted.

Baltimore County Public Schools became the latest victim of ransomware attacks against the K-12 education sector, which have seen increases in frequency, sophistication and ransom demands in recent months.

Since the start of the new school year, the hurried switch to remote learning brought on by COVID-19 has caused significant cybersecurity risks, which were only exacerbated by the recent holiday break. One school system that was especially impacted was Baltimore County Public Schools (BCPS), which was forced to close due to a ransomware attack that occurred just before Thanksgiving.

A press conference Tuesday revealed that the public school system's 150,000 students will resume virtual learning on Wednesday. In addition, the press conference confirmed that BCPS is working with additional IT support and county partners and that while some systems are back, many still remain offline.

BCPS first confirmed the incident on Nov. 25 through a statement on Facebook.

"Baltimore County Public Schools can now confirm we were the victim of a ransomware cyber attack. This caused systemic interruption to our network information systems. Our BCPS technology team is working to address the situation and we will continue to provide updates as available. For now, please don't use your BCPS-issued device," the statement said.

In another Facebook post on Friday, BCPS described the incident as a "catastrophic attack on our technology system."

Since then, updates have been provided on the school system's website, including a statement from Nov. 28 which said BCPS will be "closed for students on Monday, November 30 and Tuesday, December 1."

The county continually warned students and teachers not to use any BCPS devices, accounts, systems or applications. However, a new statement Saturday on Facebook showed progress in the investigation.

"We now know that BCPS-issued Chromebooks were not impacted by the cyber attack. You may now safely use: BCPS-issued Chromebooks and BCPS Google accounts for students and staff. Please do not use BCPS-issued Windows-based devices until further notice. These are HP Revolves or ProBooks," the statement said.

Security experts and vendors say it's typical for most ransomware to target Windows systems and not Chromebooks or iPads.

"There are some ransomware variants out there that will go on Chromebooks, but we have not seen that in a lot of school districts," said Jared Phipps, senior vice president of worldwide sales engineering at SentinelOne. "I think what they're trying to do is target the servers and the ability of the schools to deliver the education versus targeting the people who are receiving the education."

Doug Levin, founder and president of education consultancy EdTech Strategies, said that in his experience, ransomware attacks are almost always limited to Windows devices or Windows servers.

"The devices that teachers and certainly that students use may be different than those that are used by the IT shop in running district operations," he said. "There are cases where school districts are affected with ransomware, but end user devices are not affected that much and that's because their back office applications are running on Windows machines."

According to Hank Schless, senior manager of security solutions at mobile security vendor Lookout, native applications like Google Hangouts and Apple iMessage are commonly used by threat actors to deliver phishing campaigns that kick off ransomware attacks.

"However, it's likely that school administrators may be lagging behind using traditional laptops and storing some data on premise," he said in an email to SearchSecurity. "This makes schools a key for ransomware attacks where data is not backed-up and is not secured by the latest cybersecurity protections."

One reason Chromebooks aren't highly targeted in ransomware attacks is because very little data is stored locally on these devices, according to Andrew Homer, vice president of security strategy at endpoint protection vendor Morphisec.

"Meaning an attack would leave minimal damage in terms of ransomware encryption or data exfiltration," he said in an email to SearchSecurity. "On the other hand, faculty and staff predominately use Windows and have greater access to sensitive data and private information. Basic security hygiene controls on these devices, such as timely vulnerability patching, are not well managed. Which is why it's these types of devices and users that threat actors target the most with broad ransomware campaigns that encrypt and exfiltrate sensitive information. This ease of compromise of Windows machines had made education a major focus in the attacker's business model. Meanwhile, IT teams are distracted trying to enable remote learning, providing an even greater attack surface to compromise."

Adam Kujawa, director of Malwarebytes Labs, agreed that ransomware against platforms other than Windows, such as Chromebooks and Macs, is less common.

"They often require additional infection to pull off successfully," he said in an email to SearchSecurity. "It's totally possible that those devices might be attacked, but highly unlikely that they would be targeted on a large scale in such an attack, especially if most data storage and endpoints platforms are Windows."

Another reason to target broader systems is purely financial: Students can't pay, but schools just might.

"Students are unlikely to pay any significant amount whereas the school faces a more difficult choice and might have to fulfill the ransom demand in order to get things back in order," Jérôme Segura, director of threat intelligence at Malwarebytes, said in an email. "The type of system (Windows versus iPad or Chromebook) plays a lesser role in my opinion."

Taking down the school and its ability to function means attackers have a better chance of making their money, Phipps said.

"With Chromebooks there's automatic backups so that recovery is pretty easy so I think that's why you don't see as many people focusing on that for the execution," he said. "I have seen in the last six to eight weeks, there's been a really big spike on school districts, really big school districts too. They're large -- they've got about 50 to 60,000 machines encrypted on some of these school districts right now."

Levin has been tracking school districts impacted by ransomware for a number of years. "This year, I would say in particular what's been different for me, is the number of high-profile, very large school districts that have been affected."

Ransom demands are increasing as well. According to Phipps, they typically reach $10 million now.

"I don't think the attackers are going to get paid that [amount] but that's what their demand is. It means somebody somewhere has paid some big things and they think they can go after them," he said. "If the attackers aren't making money, they'll stop doing this."

According to KnowBe4 security awareness advocate Erich Kron, the timing of the Baltimore attack, which occurred just before a significant holiday weekend, was no accident.

"Attacks during this time are designed to take advantage of the fact that these schools are working with a skeleton crew, or none at all, during the Thanksgiving holiday week," he said in an email to SearchSecurity. "It is very likely that the attackers have been in the network for weeks to months before launching the attack. This allows them to pick the most valuable targets and control the time to start the encryption in order to maximize the damage in the hope that the district will pay the ransom."

The spike in attacks against school districts has increased since the fall, but not in a linear fashion, Levin said.

"The threat actors who target school districts I think understand when and how school districts are vulnerable," he said. "There was a large spike around school opening and appears to be a spike around the Thanksgiving holiday and if data from the past holds true, I'll expect another spike around the holidays -- immediately before and immediately after. I think it's because those who are targeting school districts know the students are not being as closely watched during this time."

In addition to the BCPS ransomware attack, Huntsville, Ala., also dealt with a potential cyber incident over the holiday, which resulted in students being sent home early Monday and told not to return on Tuesday. A statement was published on Monday.

"Huntsville City Schools (HCS) is closing all schools and campuses for the remainder of the day due to a potential cybersecurity threat. HCS administrators are working with authorities to work to resolve the issue," the statement said.

It's unclear if the incident involved ransomware. An update was provided Tuesday on Twitter that said students will not "engage in remote/virtual learning for the remainder of the week."

SearchSecurity reached out to BCPS and HCS for comment but has not heard back.