Education Sector

Chris Swagler | July 13th, 2023

 

Last month, ransomware attacks struck the education sector again, causing severe disruptions and putting sensitive student data at risk. An editorial’s 2023 ransomware database analyzes monthly attacks against United States companies based on public disclosures, validated media reports, and data breach notifications submitted by state attorneys general offices. There were 29 reported ransomware attacks in June, a modest reduction from May’s ransomware activity. The figure represents only a tiny portion of global ransomware activity for the month, as numerous cybersecurity companies have reported recent increases. According to NCC Group, May had the second-highest documented global attacks this year, 436. The massive attacks against vulnerable MOVEit Transfer instances were also missing from the ransomware database.

Ransomware Attacks Surge in the Education Sector

Microsoft stated earlier this month that a threat actor affiliated with the Clop ransomware group stole confidential data by exploiting a zero-day vulnerability in Progress Software’s MOVEit Transfer product. A rising number of victims have emerged since then, including United States government agencies. However, no reports of encrypted data or systems have been made public. Even though the victims were not included in the June database because the attacks mainly comprised data theft and extortion, reports estimated that the Clop campaign damaged approximately 200 companies. While the number of confirmed ransomware attacks declined in June, the targets remained consistent with prior months, with schools in the education sector and municipalities accounting for 12 victims who disclosed an attack. However, it took six months for one victim to alert affected individuals.

One school in the education sector, Pearland Independent School District (ISD), verified an attack on November 8 in a letter to the Office of the Maine Attorney General on June 5. The district in Texas secured its networks and launched an investigation with cybersecurity experts. According to its website, the district has 23 schools, more than 1,300 teachers, and 21,000 students. There was no mention of law enforcement being alerted in the data breach notification. The investigation indicated that data had been compromised on April 18. However, Pearland ISD says the evaluation process was not completed until May 18. The district alerted 10 Maine residents of the data security breach on June 5, and more than 5,500 people were affected in total. Names, dates of birth, addresses, and Social Security numbers were among the information that could have been accessed.

According to media reports from November of last year, Pearland ISD warned parents that threat operators behind a “recent breach” might try to contact them. Contacting victims directly is a technique ransomware groups use to pressure victims’ companies to pay the ransom. Another school in the education sector, the Lebanon School District in New Hampshire, announced a ransomware attack targeting the school system on June 15. As the investigation into the incident continues, it’s unknown whether threat actors stole confidential data. According to Valley News, Lebanon’s outgoing superintendent shut down payroll and other IT systems to limit the attack’s impact. On June 12, another education sector ransomware attack on the San Luis Obispo County Office of Education in California caused considerable disruptions. The Tribune stated on June 22 that after the breach was discovered, the office shut down all services, and payroll was done by hand.

An investigation is ongoing, and it is unknown what information or schools in the education sector were compromised; the agency appears to serve 14 districts in the education sector with students in grades K through 12. Some sections of the San Luis Obispo County Office of Education website were unavailable as of June 30. The attack was claimed by the 8base ransomware group, which NCC Group identified as the second-most active group in May. Aside from the education sector and municipalities, another subject in June was the technology sector. Last month, three organizations confirmed attacks: Reventics, based in Denver; Incredible Technologies, based in California; and Heavy Hammer, based in Annapolis, Maryland. Reventics, like Pearland ISD, took several months to deliver data breach notifications.

Reventics is a physician-focused clinical documentation improvement (CDI) and revenue cycle management (RCM) company. In a letter sent to the California Office of the Attorney General on June 5, Reventics disclosed that on December 15, a threat actor encrypted and potentially accessed information stored on its systems. According to the letter, an investigation showed that data was accessed on December 27, although the first customer alerts weren’t sent out until March 1. Reventics didn’t notify California individuals of a data breach until June. The timeline, however, wasn’t the most crucial aspect of the disclosure. The quantity and sensitivity of possibly exposed data were both concerning. Names, dates of birth, medical record numbers, patient account numbers, driver’s license and other government-issued ID numbers, healthcare providers’ names and addresses, health plan names and IDs, diagnosis information, dates of services, treatment costs, prescription medications, and even the numeric codes used to identify services and procedures patients received from their healthcare providers were all listed in the disclosure.

With more ransomware groups targeting schools and universities hoping to steal students’ most sensitive information, it’s always important for institutions in the education sector to remain vigilant about the current threat landscape and regularly update their data networks’ security infrastructure. At SpearTip, we assess schools’ external security controls by simulating attacks from the public internet. The simulations aim to identify vulnerabilities that allow SpearTip to gain access to a school’s internal environment from the public internet. A SpearTip External Security Assessment (ESA) is not simply a scan-and-send service; we probe for and validate vulnerabilities using advanced penetration testing techniques. Recommendations from the ESA enable schools in the education sector to harden their overall security posture, better positioning themselves against external adversaries. Our technical tabletop exercises are designed to review current IR policies and procedures by engaging with the schools in specific scenarios that test their analytical and remediation capabilities in the event of an incident. Our ShadowSpear Platform, an integrable managed detection and response tool, integrates with IT and security technology partners to enable the correlation of events from firewalls and network devices.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
