As hackers increase ransomware attacks, Michigan schools try to respond
Schools are increasingly becoming targets of ransomware attacks. In the attacks, criminal hackers find a way into a school’s computer network, then shut down the school’s systems and hold its data hostage hoping for a payout.
Hackers have hit a number of Michigan school districts and colleges in recent months.
Michigan schools targeted
A ransomware attack forced some schools in Jackson and Hillsdale counties to close for three days in November. The response can be costly. After that attack, the Jackson County Intermediate School District Board of Education approved a new 3-year contract for cybersecurity services from an outside vendor.
Superintendent Kevin Oxley spoke at the board of education meeting in December.
"I've been telling my colleagues across the state, if you're not putting something in place on your network like this, you're really gambling," Oxley said.
The contract will cost the ISD about $84,000 in the first year with increases after that. Member school systems will pay additional money based on their size.
In a statement to Michigan Radio, Oxley said he can’t comment on their specific attack because the investigation is ongoing. But he did say cybersecurity services are now “just part of the cost of the normal operations.”
Jackson ISD is not alone. In September, a cyber attack closed South Redford Schools for two days. And in May, Kellogg Community College in Battle Creek and its satellite campuses closed for a couple of days after a ransomware attack.
"It doesn't surprise me that they were hit by ransomware any more than it would surprise me if I got hit by ransomware," says Matt McMahon, associate superintendent for technology for the Gratiot-Isabella Regional Educational Service District.
When we spoke to McMahon, he'd already been thinking about ransomware because that morning he and his team got an alert that some software was trying to implement ransomware on one of the ISD's machines. During the interview, his colleagues were working to eliminate the threat.
Hacking in through your inbox
McMahon says email is a common way for attackers to gain access to a school’s computer system, and because teachers communicate with so many parents, they’re vulnerable.
"They have to really be able to spot a bogus email. And that's really tough when you're dealing with thousands of different parents and you have to read them and you have to take their concerns seriously," he says.
"If a teacher is sitting there reading an email and it says, 'Look at what my Johnny did today or look at what so-and-so did today,' and it's a PDF, you kind of have to read it. We warn them not to click on links from people you don't know. But, literally, they're being asked to click on links from people they don't know all the time."
McMahon says that's why testing employees is critical.
"One of the most important things the school district can do is get their staff security awareness and training, and constantly test the staff with fake phishing campaigns. Send them out emails that look like a real phishing email, and if they click on it, get them some additional training," McMahon says.
And it’s not just email. Hackers will try to get into school networks through anything that has remote access, anything from computerized heating and cooling systems to security cameras.
Don't get comfortable
McMahon says to keep school networks safe, he and his colleagues use a checklist based on guidance from a federal cybersecurity agency.
It’s a long list. 153 items.
Like Jackson County ISD, some schools pay for private cybersecurity. Chris Bacon is the director of technology at CTS Companies, which is based in Bloomfield Hills. We asked him how a district can be expected to keep up with a seemingly endless list of tasks when there’s such a big risk at every turn.
"I think what I'll add on to that is the ever-changing list," Bacon says. "Just when you think you figured it out, don't look around because it's going to change on you."
Bacon says the hackers’ first priority is extortion, but sometimes they also take staff and students’ personal data or a school district’s banking information and try to sell it.
"Obviously [schools have] a lot of typical young adults' [information] there, probably clean credit histories, in the sense of [using them for] identity theft. Payment card data probably in there. There's a whole list of possible valuable targets there," Bacon says.
The evolution of hackers
In Bacon's experience, what cyber attackers want hasn't changed much, but their operations have.
"[M]ost of the groups that put on these attacks actually do care about you being able to recover your data," he says. "In the past, I would have said that it was more of a 'good luck' kind of response. Whether you did or didn't pay them, they really didn't care if the encryption keys that they gave you back to get your data unencrypted ... worked or not."
"But today, they're actually run like small businesses. They have support lines. If it's well known that a majority of people that get encrypted pay the ransom and still are unable to unencrypt their data and in a sense get their data back after paying, they're going to be less likely to actually pay."
The FBI advises against paying a ransom for data and Bacon agrees.
"Ultimately it comes down to a decision that the business has to make," he says. "We would always tell our clients to not pay the ransom. But that ultimately it comes down to a business decision, and if they weren't well-prepared enough to deal with the incident, they may have no choice."
Training kids and teachers. Software updates. Hiring outside support. It all helps, but even schools that make plans and have money to spend can find themselves the target of cyber attacks.
"Living in Michigan, a great analogy is: I can be driving 50 miles per hour down the road at night with two hands on the wheels and my brights on, and a deer will still jump out in front of me," says Matt McMahon from the Gratiot-Isabella RESD.
"You do what you can do, but the threat is there, no matter how well you do it."
Editor's note: Some quotes in this story have been edited for length and clarity. You can hear the complete audio near the top of this page.