
Published on July 17th, 2019


Syracuse cyber attack: Experts say schools easy prey for ransomware



SYRACUSE, NY – Cyber attacks like the one that crippled the Syracuse City School District’s computer system last week are increasingly happening at schools and municipalities nationwide that hackers see as potentially easy targets for extortion, experts say.

The district is still working to restore its computer system that was disabled last Monday. It has provided little information about the incident. But a source told Syracuse.com it was a ransomware attack in which the hacker is demanding money from the district to unlock its computer system. The district would not confirm or deny that.

There were 122 cybersecurity incidents at K-12 school systems last year, according to a report by the K-12 Cybersecurity Resource Center of Arlington, Virginia. The report says some of those incidents resulted in the theft of millions of taxpayer dollars, stolen identities, tax fraud and altered school records.

“Many school systems have not taken issues of cyber security seriously enough,” said Douglas Levin of EdTech Strategies, a consulting firm that runs the resource center.

Lee McKnight, an associate professor in Syracuse University’s School of Information Studies, said school systems are often easy targets for hackers. That’s because many schools have older computer systems and employees who have not been well trained in computer information security awareness, he said.

Ransomware attacks can start when an employee opens a bogus email that appears to be from a reputable source. Once opened, the email unleashes a virus that quickly spreads and locks users out of the computer system. Hackers send messages demanding ransom payments to unlock the system. Hackers often demand payments in Bitcoin, a digital currency that can be exchanged over the Internet without being linked to a real identity.

Criminals behind the attacks are rarely caught because the transactions are hard to trace, according to Levin.

Organized groups in Eastern Europe and other locations work full time to launch ransomware attacks, said McKnight. “It’s a job for them,” he said. “The bad news is this is easy. You don’t have to be a hacking genius.”

Whether victims should pay the ransom can be a real dilemma.

The FBI encourages victims not to pay ransom because doing so encourages more attacks. But in some cases, it is less expensive to pay the ransom than it is to hire experts and take other steps to fix and rebuild computer systems, Levin said. That’s why insurers often encourage victims to pay ransom.

The Leominster school district in Massachusetts paid a $10,000 Bitcoin ransom to hackers last year to unlock its computer system.

Horry County Schools, South Carolina’s third-largest school district, paid nearly $10,000 to hackers in 2016.

Closer to home, the village of Ilion in Herkimer County made a ransom payment of $800 in 2014 to keep its computers running after two official-looking emails released malware throughout its system.

Two Florida cities recently shelled out more than $1 million in ransom to hackers. Lake City paid $460,000 while Riviera Beach shelled out $600,000.





“With your heart, you really don’t want to pay these guys,” Riviera Beach Mayor Stephen Witt told The New York Times. “But, dollars and cents, representing the citizens, that was the right thing to do.”

The city of Baltimore recently refused to pay $75,000 to unlock its computer systems that were hacked by ransomware. The city has already spent more than $18 million to restore the system.

The city of Atlanta refused to fork over $51,000 in ransom payments after its computer system was hacked last year. The city subsequently spent about $17 million to restore its computer systems. Two Iranian hackers were indicted in the ransomware attack.

The city of Albany was the target of a ransomware attack in March. Its police department was unable to access crime reports and other records for an entire day. The attack also affected the city’s ability to issue marriage licenses and birth certificates. City officials said they did not pay the attackers.

The U.S. Conference of Mayors recently adopted a resolution opposing payments after ransomware attacks.

Businesses, hospitals and other organizations have also been hit by ransomware. The same strain of ransomware that struck Atlanta also crippled the computer systems at Hollywood Presbyterian Medical Center in Los Angeles. The hospital paid its attackers $17,000.

Renault, FedEx, Nissan and other big companies around the world were targets of a massive attack in 2017 by a type of ransomware known as “WannaCry.”

McKnight of SU said schools and municipalities need to do a better job of backing up their critical data to protect themselves from ransomware attacks.

Levin of EdTech said schools and other organizations need to make employees regularly change passwords and take other precautions to protect computer systems.
