Ransomware And Zoom-Bombing: Cyberattacks Disrupt Back-to-School Plans

Cyberattacks have caused several school systems to delay students’ first day back – and experts warn that new COVID-related delays could be the new “snow days.”


A slew of ransomware attacks and other cyberthreats have plagued back-to-school plans — as if dealing with the pandemic weren’t stressful enough for administrators. Just this week, attacks in Hartford, Conn. and Clark County, Nev. forced public schools to postpone the first day of school, in what security experts say is a sign of more cyberattacks to come as more students head back to the classroom.

According to a Tuesday public announcement, Hartford’s ransomware attack caused an outage of critical systems, including the school district’s software system that delivers real-time information on bus routes. That led school leaders to delay Tuesday’s first day of classes – a mix of both virtual classes and in-person learning – until Wednesday.

Security researchers point to the incident as a sign that this year, cyberattacks may become the new “snow day” – particularly with the advent of pandemic-driven online learning. As students prepare to return to school, whether in-person or virtually, school districts are battling a slew of ransomware, phishing and virtual classroom hijacking attacks.

“In 2020, schools are facing more complex cyber-threats as the need for data, monitoring and contact tracing become key factors in students returning to in-person classes,” Heather Paunet, senior vice president of product management at Untangle, told Threatpost. “The other side of the coin is that many schools are beginning the year remotely, meaning that students will have longer periods of time where they are connected to the internet, and being a possible point of access. Managing student data and network access will be essential in both cases.”

Other recent ransomware attacks include one that hit the Clark County school district, which includes Las Vegas, during its first week of school, potentially exposing personal information of employees. And two weeks ago a ransomware attack against a North Carolina school district, Haywood County Schools, caused the school to close to students for days.

Another cyberattack earlier in July on the Athens school district in Texas led to schools being delayed by a week (and the district paying attackers a $50,000 ransom in exchange for a decryption key).

According to Recorded Future’s research, there have been nine recorded attacks against school districts in July, August and September (so far) this year. Additionally, there have been four attacks against colleges/universities during the same time frame.

Even in a pre-COVID world, schools are an attractive target for ransomware attackers because they can time the attack to disrupt the start of the school year, which may force schools’ hands in paying the ransom, Allan Liska, solutions architect at Recorded Future, told Threatpost.

“Ransomware actors target school systems because, frankly, they are easy targets,” Liska told Threatpost. “Security teams are usually not part of school systems, which means you often have IT staff performing double-duty managing infrastructure as well as attempting to secure it.”

That was the case with Hartford’s ransomware attack, which hit the Metro Hartford Information Services (MHIS), the city of Hartford’s shared-services team that manages Hartford Public Schools’ network infrastructure. Threatpost has reached out to the City of Hartford for more information on the cyberattack.

Zoom-Bombing Continues

Beyond ransomware, schools face a slew of more novice threats as students return to learning during the global pandemic – including Zoom-bombing, a trend that began earlier in 2020 as the coronavirus lockdowns led to massive spikes in the videoconferencing service’s usage. These attacks occur when a bad actor gains access to the dial-in information and “crashes” a Zoom session – often sharing adult or otherwise disturbing content.

One 14-year-old boy from Park Ridge, Ill. was recently accused of sharing login information for remote-learning sessions at a high school, for instance, which resulted in Zoom-bombers hijacking virtual classes during the first week of school (Aug. 25 through 27). Meanwhile, a man was arrested after Zoom-bombing an online lecture by the University of Houston and making physical-bomb threats.

Kashif Hafeez, senior director at WhiteHat Security, told Threatpost that the sudden shift to remote learning has opened up many unprecedented attack surfaces that school systems were not prepared to support, and has left them vulnerable to a major security incident.

“As technology in our school systems continues to evolve, so do the challenges that come with it, especially the cyber-risks which only continue to intensify in the education sector,” Hafeez told Threatpost.

Zoom, for its part, this week debuted two-factor authentication (2FA) as a way for teachers and students to protect their accounts. The feature is something the company hopes will stop threat actors from intruding into video conferences, one of the myriad security issues that have plagued the service (and inspired lawsuits against the firm) since its use skyrocketed during the COVID-19 pandemic.

Phishing is another common back-to-school scam that cybercriminals will be looking to tap into with the surge of virtual learning. In 2019, researchers warned that students at hundreds of universities worldwide were being targeted with fake emails, which contained attachments or links to cloned university login portals or impersonations of university library administration login pages.

“In today’s environment, where schools are now operating remotely, they have significantly increased use of technology for teaching, learning and managing day-to-day operations,” said Hafeez. “This provides cybercriminals with new opportunities, significantly increasing the attack surface, and schools have now become more vulnerable to cyberattacks.”

Overcoming the Security Learning Curve

Taking even basic security measures, including educating teachers and students against clicking potential phishing links, is important for securing school systems. Securing students’ data, including student transportation, attendance and even, in pandemic times, health data like their temperature, is another risk that schools need to manage, Paunet told Threatpost.

“Administrators who are working with students remotely will need to ensure that both students and teachers are accessing their eLearning platforms through VPN connections or other secure login portals,” Paunet said. “These logins should have two-factor authentication when available, and ongoing training for teachers and administrators should be considered, so phishing emails, suspicious activity or unauthorized updates to their credentials can be avoided or identified.”

When it comes to ransomware attacks, such as the one this week against the Hartford Public School system, it’s also essential to ensure that systems are segmented throughout the network and that data is backed up, experts said.

“We often encourage network administrators to create access layers within their systems, like in this case,” said Paunet. “So, as they are diligently working to back up and regain access to student records, attendance and other information, they can ensure that once this data is regained, it won’t be compromised a second time through the other system.”

This story was updated on Sept. 11 at 9 a.m. with news of Zoom adding 2FA.
