LAUSD Ransomware Attack: Action Too Little, Too Late?

Going back to school in a pandemic after a long summer is frenetic enough without a ransomware attack disrupting educators’ best-laid plans. The Los Angeles Unified School District avoided just such a disruption after it discovered a ransomware incident Saturday night, September 3, 2022, just days before schools were set to open after the U.S. Labor Day holiday.

“Los Angeles Unified detected unusual activity in its Information Technology systems over the weekend, which after initial review, can be confirmed as an external cyberattack on our Information Technology assets,” the school district confirmed in a release. “Since the identification of the incident, which is likely criminal in nature, we continue to assess the situation with law enforcement agencies.”

Two days after LAUSD discovered the ransomware intrusion, the FBI warned that it, “CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks.”

Despite the disruption to the school district’s system infrastructure, schools opened on September 6 as scheduled for the more than 640,000 students it serves. “While we do not expect major technical issues that will prevent Los Angeles Unified from providing instruction and transportation, food or Beyond the Bell services, business operations may be delayed or modified,” the release said. “Based on a preliminary analysis of critical business systems, employee healthcare and payroll are not impacted, nor has the cyber incident impacted safety and emergency mechanisms in place at schools.”

LAUSD “swiftly implemented a response protocol to mitigate Districtwide disruptions, including access to email, computer systems and applications,” the district said.

“This egregious cyberattack is the latest example of the pervasive threat that predatory cybercriminals pose to everyone from multinational businesses to young school children,” said Darren Guccione, CEO and co-founder at Keeper Security. “No one is safe from cybercrime and often the most vulnerable among us are the most likely to be targeted.”

“Schools are attractive ransomware targets for a variety of reasons,” said Matthew Warner, CTO and co-founder at Blumira.

Since most “IT leaders in education operate on a shoestring budget,” Warner said, “balancing operational IT spend as well as classroom ed tech, dealing with pressure from public audits and navigating administrative politics all points to the fact that obtaining sufficient budget for cybersecurity products is more challenging for IT leaders in education than other industries.”

John Bambenek, principal threat hunter at Netenrich, agreed. “K-12 schools aren’t flush with cybersecurity spend and it’s hard to think of a more important resource than student grades,” he said.

“Most public school districts are notoriously underfunded. They can barely pay their teachers, so how much do you think they are spending on cybersecurity?” said Token CEO John Gunn. “This underinvestment in cybersecurity makes them prime targets for amateur hackers; the ransomware pros won’t go after the public school districts because they know they have no money to pay a ransom.”

School districts also often lack proper cybersecurity staffing. “Most school districts don’t usually have a dedicated, full-time staff member focused on cybersecurity,” said Warner. “Plus, lower budgets in education make it difficult to hire and retain cybersecurity talent without a competitive salary to offer.”

Those challenges are amplified by a surge in the number of endpoints in educational institutions, which increases the attack surface. “Besides school-issued devices, most students and staff often connect their personal devices to the school network, which makes the environment particularly difficult to secure,” said Warner. “Colleges, in particular, have many personal devices on their network, since students bring both personal laptops and mobile devices.”

Staving off ransomware is a difficult task for even the most buttoned-up companies, so it’s not surprising that bad actors continue to target large schools and other organizations that Bambenek calls “the soft underbelly of society.”

In 2021, U.S. schools lost $3.56 billion to ransomware attacks, and saw two educational institutions “shut down for good,” said Aaron Sandeen, CEO at Cyber Security Works (CSW). “LAUSD seems to have minimized disruption, but it is certainly another reminder of what schools are up against.”

More recently, “the top causes of education breaches include unpatched vulnerabilities, connected devices, exposures in third-party software and exposures introduced by misconfigurations,” said Sandeen.

That seems to be what happened in L.A. “In this case, an unpatched vulnerability led to Vice Society Ransomware infiltrating Los Angeles Unified School District’s systems. CSW identified this specific scenario in its 2021 Q3 ransomware report and created a script any organization can run to identify the vulnerability,” he said. “Furthermore, we advise schools to keep up to date with the K-12 Cybersecurity Act and other advisories, implement CISA KEV and advisory patch recommendations sooner rather than later.”

Part of the problem is that there seems to be a fundamental misunderstanding of ransomware’s threat. “People still have a diluted perspective on ransomware. There is enough out there on what it is, how it works, and a massive push to ‘stop’ it, but we never solved the foundational problems that make it possible,” said Steve Moore, chief security strategist at Exabeam. “Worse, the importance isn’t understood by most until it is fully experienced.”

LAUSD unveiled a variety of actions it has already taken or plans to take to guard against future security incidents:

  1. Independent information technology task force: Charged with developing a set of recommendations within 90 days, including monthly status updates
  2. Additional human resources: Deployment of information technology personnel at all sites to assist with technical issues that may arise in the coming days
  3. Technology investments: Full-scale reorganization of departments and systems to build coherence and bolster district data safeguards
  4. Advisory council: Charged with providing ongoing advisement on best practices and systems, including emerging technological management protocols
  5. Technology advisor: Directed to focus on security procedures and practices as well as to conduct an overall data center operations review that includes an assessment of existing technology, critical processes and current infrastructure
  6. Budget appropriation: Directed appropriation of any necessary funding to support information technology Division infrastructure enhancement
  7. Employee training: Develop and implement mandatory cybersecurity responsibility training
  8. Forensic review: Expand ongoing assistance from federal and state law enforcement entities to include a forensic review of systems
  9. Expert team: Creation and deployment of an expert team to assess needs and support the implementation of immediate solutions

“Although the LA School District’s announcement includes sweeping changes, it’s a shame they didn’t make them before the crisis,” said Moore.

Noting that while “this distinction is usually unimportant to the victim in the middle of the event,” Sammy Migues, principal scientist at Synopsys Software Integrity Group, said, “we must remember to pull ransomware apart into a few topics.”

First, Migues explained, “ransomware is not really an attack, it’s a monetization scheme that happens after an attacker was able to get administrative access to some systems.”

That payment “doesn’t address the vulnerability that allowed the successful attack and, unfortunately, it doesn’t always get your data back either,” he said. And, “restoration from perfect backups that haven’t been corrupted by the attackers can still take quite some time across many users, servers and databases.”

While it is critical for an organization to get operations back online, “finding how the attackers gained initial access and fixing it is paramount; restoring systems that immediately get reencrypted won’t help,” Migues said.

“Ransomware is a missed intrusion, period—I hope their new advisory board understands this,” said Moore. “The attacks are only possible because of a weakness in an environment that begins with or later involves compromised credentials. If you unsuccessfully manage intrusions, you will eventually fail amazingly with ransomware.”

It is particularly galling to see attacks against organizations that have already had their share of disruption and woe during the pandemic.

“It’s sad to see these successful attacks against critical services, such as hospitals and schools, which often don’t have the resources to manage them,” said Moore.

Bambenek’s advice for organizations that can’t spend a lot is “focus on resiliency and ensure their disaster recovery plans, including replicating and restoring important functions like student grading.”

Image: school-bus–denisse-leon–unsplash

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
