PSBA Bulletin September/October 2021 - Page 14

by malicious actors outside of the school communities. The first is a nontargeted attack, where a criminal is mass-mailing a phishing campaign to a large group of people or scanning the internet for known vulnerable software or servers. In these instances, the attacker doesn’t know – or even care – who the targets are.
“Schools are exposed to these just like every other organization,” says Levin. “In the absence of employee training to identify these phishing attempts, or cybersecurity controls, a district can certainly be impacted by these types of attacks.”
In recent years, Levin notes that a “more concerning” trend has emerged where the attacker is specifically targeting the school.
“These are carried out not only by someone who knows they’re attacking a school district, but actually does research on it,” says Levin. “They may know employees, key roles, use email addresses from the school district’s website or even send out emails pretending to be the superintendent or the principal.”
Typically, the attackers are motivated by the potential to hold important files and information for ransom, in an attack called ransomware. Ransomware is a class of malware that’s delivered in one of a few different ways. One is through a phishing email, which looks legitimate but actually activates the malware. For example, a school employee may receive an email that appears to be from an outside vendor and contains an attached invoice. But once that attachment is opened, it starts a program running in the background of the person’s computer system that spreads across the school district’s network, which could then be used to steal data from the district or encrypt files.
Ransomware attackers can steal large amounts of sensitive demographic data about staff and students, and then encrypt the files so the district cannot access them without the decryption key.
“These are virtually impossible to reverse engineer,” says Levin. “They are essentially scrambling the content of the files with a software key. Then those individuals in the organization will get a pop-up on screen that their computer has been infected with ransomware, and that someone from that organization should get in touch with that criminal group to negotiate for payment to get the key to unlock it.”
This type of attack is similar to what happened to the Penncrest School District, located on the western side of the state. Dr. Timothy Glasspool, superintendent, notes that shortly after staff showed up on a Monday in February of 2020, he was notified by his technology director that there were files that were locked down and encrypted in what looked like a cyberattack.
“We literally had a ransom note that told us if we wanted to restore these files, that we needed to write an email using a specific ID number, pay a ransom in bitcoin, and then they would release the decryption key,” says Dr. Glasspool.
From there, the district contacted Carnegie Mellon’s cybersecurity department, the district’s insurance company and local law enforcement. The insurance carrier got in contact with a digital forensic company to do a deep-dive investigation to figure out what happened. In the early stages of the attack, the district knew that certain files on a particular server were locked down and unable to be accessed, but the files were also historic, so staff wasn’t 100% sure what exactly was being locked down.
“At that point, we weren’t sure if the files were sensitive information, or just blank,” says Dr. Glasspool. “We just knew they were locked down.”
After further investigation, the district discovered that cyberattackers from