Ransomware attacks hit schools
Experts question intent, whether trend affects Arkansas
Black-hat hackers are increasingly targeting schools across America.
But that could be by accident, say experts in Arkansas, who question whether the trend — if there is one — has reached Arkansas.
“It’s interesting that they’re getting down to the schools,” said Elizabeth Bowles, president and CEO of Aristotle Unified Communications in Little Rock. “They’re looking for vulnerabilities, so when they find a vulnerability, they may not even know that it’s a school. I think the ransomware people, if they realized it’s a school district, they might pick another target. Those aren’t necessarily wealthy targets.”
Brajendra Nath Panda, a professor in the department of computer science and computer engineering at the University of Arkansas, Fayetteville, said hacking schools doesn’t make much sense.
“Usually those hackers go after organizations that have sensitive/critical data, which they cannot afford to lose (and cannot easily recreate if lost) and can pay [a] good amount of money to get the data back,” Panda said. “Normally, school districts do not have so much money to pay and, therefore, are ignored by ransomware attackers. Thus, the trend is not there nationally. I am not aware of any case in Arkansas.”
SCHOOLS IN CROSS HAIRS
Herb Lin, a cybersecurity expert at Stanford University, said he didn’t know if there was a nationwide trend of school hackings going on but that schools are a target.
“Schools are likely to be vulnerable,” he said. “And if the bad guys don’t ask for very much, it’s easier to pay them off than to try to recover files.”
The Associated Press has reported about school hackings in Connecticut, Ohio, Florida and North Dakota, but it was difficult to determine if there was any such occurrence in Arkansas.
Bill Sadler, a spokesman with the Arkansas State Police, said there’s no readily available “accounting” of cyberattack cases at Arkansas schools. He said many of those cases are turned over to federal authorities because the hackers are outside Arkansas.
Wm. Ryan Kennedy, chief
division counsel with the FBI field office in Little Rock, said he couldn’t provide any specific information or statistics regarding Arkansas schools being hacked.
Kimberly Mundell, a spokesman for the Arkansas Department of Education, said the agency doesn’t track computer hacking of schools. But the department does have a security awareness campaign that’s explained on its website, arkansased.gov/divisions/research-and-technology/security-awareness.
Spokesmen for the Arkansas School Boards Association and the Arkansas Association of Educational Administrators said their associations also don’t track hacking.
ARKANSAS LEADS
Ralph Malone, network engineer for the Arkansas School for Mathematics, Sciences and the Arts in Hot Springs, said Arkansas public schools aren’t as susceptible to cyberattack as schools in other states because, since the early 1990s, they’ve been interconnected and protected by the Arkansas Department of Information Systems, which has a division dedicated to security. He said the system allows Arkansas schools to share lesson plans and other educational information.
“We were light-years ahead of other states,” Malone said. “I still think Arkansas is head and shoulders above everyone because of the quality DIS is supplying, and it’s free to the schools.”
Janet Clark, a spokesman for the Department of Information Systems, said the K-12 Arkansas Public School Computer Network falls under its umbrella.
The network was established in 1992 to implement a statewide computer system linking all Arkansas public school systems and the state Department of Education as required by Act 4 of 1992, according to apscn.org.
“We started in 2015 and upgraded to an all-fiber, highspeed broadband network that was completed in 2017 and that shot us to the top of the nation as far as K-12 broadband connectivity,” said Clark.
“Arkansas is now one of only six states in the nation to achieve at least 100 kilobits per second (kbps) per student in 100 percent of its school districts,” according to a 2017 news release. “In fact, the state doubled that figure, meaning Arkansas students will now have access to a minimum of 200 kbps per student.”
The change meant the network was delivering Internet speeds 40 times faster than the previous network, according to the release.
Clark said DIS assists schools when they have cybersecurity problems, but she couldn’t tell a reporter about any of those incidents or provide any numbers. She said that information is “sensitive.”
“They’re kind of closed-lip about what they do,” said Malone. “You don’t really want any hackers knowing what you do.”
School districts are also tight-lipped, said Malone.
“They don’t want people to know they got hacked and what caused it,” he said.
Two Arkansas schools had their computer systems hacked around the beginning of 2017, according to newspaper articles. Both schools were in Boone County.
Mike Whitescarver, the information technology director at Valley Springs School District, said he received a message about 5:30 a.m. one day from one of the school’s nine servers saying it was having problems.
Whitescarver said he checked the server from a computer at home and an error message popped up on the screen.
“It basically said ‘You’ve been attacked by ransomware. Your data has been encrypted. If you want your data back, pay 7,000 British pounds.’” That was about $8,500 at the time.
Whitescarver said between 500 and 800 of the school district’s machines were infected. He conferred with Superintendent Judy Green. The school didn’t pay the ransom, he said.
“We just used backups and recovered what we could,” said Whitescarver. Some data was lost. “After that, I took more security precautions in locking down my work stations tighter, limiting user rights on the computer and then creating super complex administrator passwords on the server,” said Whitescarver. “Those are the basic steps that I took.
“Now if our server tells me we have a potential virus I check it out right away. I don’t let it linger for any period of time.”
Whitescarver said he contacted the FBI. After some investigative work, those officials told him the hackers were overseas and that there wasn’t much they could do about it.
Whitescarver said the Alpena School District was hacked a couple of months before Valley Springs. Alpena is 22 miles northwest of Valley Springs.
Whitescarver said he conferred with Travis Conner, the technology director for Alpena schools, after Valley Springs schools were hacked. He then sent an email out through a Listserv to school information technology directors across Arkansas.
Conner couldn’t be reached for comment. Neither could Alpena Superintendent David Westenhover.
CULPRITS ELUSIVE
Finding the culprit of a cyberattack can be difficult.
“The perpetrators of cybercrimes against schools and their motives vary from incident to incident,” said Kennedy, the FBI man. “They could be criminal actors motivated by profit, juveniles launching attacks as a ‘prank’ or conceivably even nation-state actors.”
Malone said most computer experts are hackers, but he differentiated between white-hat hackers, who do innocuous or helpful hacking, and black-hat hackers, who have malicious intent.
Malone said being able to hack a computer is a good talent for a cybersecurity expert to have.
He said they have “hackathons” for the students at the Mathematics, Sciences and the Arts school, which is a school for 11th- and 12th-graders under the auspices of the University of Arkansas System.
Bowles said there was a rash of attacks on governmental entities in 2017.
At the time, Aristotle hosted arkansas.com, the website for the Arkansas Department of Parks and Tourism, now called the Arkansas Department of Parks, Heritage and Tourism. But hackers apparently thought it was the state government website and tried to hack it.
“That site was fairly meddled with,” said Bowles.
But ultimately, the hackers were unsuccessful.
In December of 2016, the computer system at the Carroll County sheriff’s office was hacked. After they sent three bitcoin payments totaling $2,440, the hackers sent instructions on regaining access to information on the computer system.