How Hackers Hold Schools for Ransom

To try to put the attack on jessica school context. We reached out to dave bertie. He covers cybersecurity for the wall street journal. And he's been writing about this uptick in ransomware attacks across the digital world. There's been an explosion of ransomware this year. It's an increasingly common way. for attackers. to target businesses healthcare organizations nonprofits or as the case may be schools in the reason. Why is just because. It's an effective business tactic if you encrypt in organizations data. That's basically what they need to function particularly in a digital environment. So as you've had a business or school that have moved more remote learning. That sort of expands. The opportunities to take advantage are there demonstrably more attacks on schools this year. Are we just aware of them. Will the first thing that's always important to point out here is that it's hard if not impossible to count the dogs that don't bark there have been probably about three hundred fifty or more. Cyber incidents reported across the united states this year in schools in schools and others probably a few dozen have been ransomware but that said those are only incidents that have been publicly reported so in many cases schools. They don't wanna take the pr hit an embarrassing situation. They don't want people to know. They paid off a criminal group to get their systems up and running. They might just keep that on the dl and not notify anyone. Even though schools aren't the richest targets around one of the reasons that hackers focus on them is that unlike big businesses. They often aren't equipped to defend themselves. We have seen attackers really zero win. On some of these districts may or may not have built out. It departments in many cases in addition to them being sort of under funded over the course of years their it departments. The also had these really really insane strange just put on them so the coronavirus remote learning getting kids up and running with their chromebooks. Or what have you so. There's really a lot of moving parts here. And i think criminals are smart enough to take advantage of them. So yeah is there just sort of like a handful of people who are in charge in your typical school district of distributing the chromebooks and also guarding against malware. I mean i would say the vast majority of school districts they don't have dedicated cybersecurity professionals even in most districts aside from the larger ones. You don't have that much of a built out. it staff. I talked to the chief information. Security officer of seattle public. School district is a very large school district in the grand scheme of things the only have eighteen. It people for that entire district of that team. Only two of them are dedicated on cybersecurity. So when you're in a position where you are suddenly thrust into remote learning environment and you need to get tens of thousands of devices online with seattle. I think it was fifty three thousand devices for students alone. I mean you really spread thin across a very big network of devices and potential threats. The threat of ransomware attacks has extended to fertility clinics and company providing software for one of the covid vaccine. Trials and the human consequences can be harrowing. There was an incident in germany where a hospital was targeted with ransomware. And as a result of that who is actually in an ambulance on her way to the hospital had to be diverted into another facility about thirty minutes farther away and this wounded women ended up dying. She didn't get care especially needed to get so german. Prosecutors basically tried to connect those dots they were asking the question can we show in a legal way. Causation between these attackers can we show causation. That they actually causes woman's death and ended the day they couldn't it was more of a correlation not causation situation. And i think that was the closest that we've come collectively to getting to a point where we're saying. Oh there's actually a cyber attack that has taken someone's life Let's walk through how this happens. Let's say you are a school administrator or hospital. it percent what do you notice. I will typically you know if if you really if something's wrong with your laptop and you really need to get to work you'll call the. It guy you'll always it guy and you'll say hey what's up with my laptop. I can't log into my email. Then typically they'll run through some scans and see that something's wrong with the system. They'll eventually get some sort of communication from one of these ransom. Learn groups saying. Hey we're here we've gotten into your system. We've locked up your data and we want x. Number of bitcoin in response. So that's really when it sort of gets this point where a school or business has to decide okay. Are we going to alert law enforcement. Are we going to call an outside forensics firm to try to understand what happened. Have we backed up all of our data within our system. And how quickly will be able to get that back. Do we want to pay this ransom payment. Like is the tradeoff. Good enough for us to do that. So there's a lot of moving parts that a lot of Businesses or schools or hospitals have to evaluate is all as happens the baltimore schools. Where just by works. They shut everything down. They sort of put everything on pause for a couple of days. Is that standard. Yeah i can typically standard. I talked with a school district in southern california. A administrator notices email was down the. It guys said it's ransomware for sure. So they physically went to every device in their school district. So we're talking about a school district of six thousand kids. Went every room went to all of their offices. Disabled unplugged device in that entire school district. And that's that's one way you know sort of a crude way of trying to limit the spread of of these things and then obviously on the back end when all these problems need to go through each and every one of those devices can them makes your their clean. Get them back online. What how often do victims turn to outside help whether that's law enforcement or whether that is digital forensics company to help them abc's extremely common there is entire ecosystem cybersecurity firms specialized in this sort of work. So you have a forensic firm that might come in to try to understand. Hey this is exactly how they got in to your computer system. This is exactly the type of software that they're using. This is exactly the type of data that they took from your system. In addition to that you have other groups. That are adept at negotiating. They actually talk to these groups. They have long term relationships in some cases with many of these groups and they say we can talk them down from ten bitcoin to five bitcoin. Whatever whatever the the number is the so it is sort of an emerging field just within cybersecurity as this is becoming a bigger and bigger problem. How much money are we generally talking about. Because my husband actually just how to ransomware attack on his nonprofit theater company and the attackers were asking for fifteen hundred dollars in bitcoin and eventually they said you know what we're not gonna pay them. We have the backed up data but they did have this moment of thinking in the scheme of our business. It's not that much money like. Are we talking about people who are shooting for big amounts or you know are they targeting twenty five different places for relatively gettable sums across the security community. It's broadly understood that ransom demands are basically going up. The trend line is pointing upward. But it can vary between in the thousands of dollars like as as a case with with your husband. But if you're getting to a larger corporation you have some people who specialized in this area saying that ransom demands could be ten million twenty million dollars. Well so i mean. Obviously attackers are smart enough to know they're not going to go with to attend with a ten million dollar demand to a school district. That certainly can't pay that in. That would make it an easy decision for them. They're they're trying to find like the right price point as well where they can have some sort of a six rate. Do school districts do hospitals. Do these places tend to pay. It really varies. It depends on what type of data has been encrypted. It depends whether those school districts have backed up their data beforehand which would make sort of rebooting the system much easier but what is almost always true. Is that school very cagey about saying whether they paid. No one wants to say that. They paid off a hacker that they gave someone from a country in the side of the other side of the world. A million bucks get their systems online. It's a very difficult. Pr situation for any organization or school to tiptoe around because it says what your system is rable and that you're willing to pay or that you just were bad cybersecurity. I mean all of the above. And i think one of the sort of broader questions that the entire cyber community is really wrestling with is. Should you pay broadly speaking. Are we incentivizing hackers to keep taking advantage of schools or keep taking advantage of businesses if they keep on paying and i understand that argument completely. It's it's very straightforward point of view on the other hand. If your business is offline for two weeks or a month or if your schools taken off line paying off might be the better option to you if it means basically losing all of your customers or you know having kids go out of school for a month or so. Dave says it's a bit of a vicious cycle vulnerable systems plus a willingness to pay tends to lead to more attacks but the victims are only half of the equation. The other half the perpetrators behind that screen demanding. Bitcoin are part of a criminal industry. That is surprisingly organized. One of the interesting things that cyber security researchers really say is these groups oftentimes act almost as corporate entities. They're very professional. They have partnerships between groups at times they subcontract to specialists within the hacking profession. If they have you know someone who's particularly adept at getting into a system. They'll go to that person to try to launch their attack. So you'd really do have this sort of our in de element almost a within the hacking community when it when it comes to them trying to hone their craft and zero win an exactly the right targets when people are negotiating or even having a conversation with. The attackers are to be trusted. Like you know are. Are you gonna trustees folks if they say like okay. Pay us are fifteen hundred bucks in bitcoin. And actually you're going to get your data back or is that a terrible idea. You would think that criminals are not to be trusted in. Obviously they're they're not But at the end of the day these groups are also playing a long game when it comes to their business and they have as i said a reporter with some of these negotiators that work with businesses and schools. If they don't pay if they don't decryption data after you pay them money. Those negotiators will know for their subsequent clients and they will know to not advise clients in the future to pay. So you had this weird dynamic that develops were. The groups are actually like worried about their sort of like brand in some respects. That's completely fascinating. Yeah it's totally wild thing and one lawyer who works in a lot of these investigations like re recently told me we don't wanna get to the level buber comparing it to customer service. But they're like definitely getting to a point where once you pay up in some cases they're trying to be helpful so that in the future they're known as sort of an honest broker while attacks may be more. Frequent ransomware isn't new like with so many other things cove it just accelerated existing trent so we have just seen a growth in the amount of ransomware with some of these criminal groups that have been long established in countries around the world just gravitating toward an effective tool that they're using so when you talk to cybersecurity researchers who follow this closely attribution is very difficult but they tend to say that the countries in which these types of groups operate our might might be the ones that you tend to think of korea iran china countries in the soviet bloc or central asia countries that may tend to look away when cyber criminal groups within their own borders launch an attack on a us business and do foreign governments step in or they unhelpful. I think it's safe to say that the the reason why a lot of this activity oftentimes stems from those countries is because the government's take a more lax approach some of this hacking particularly if it's sort of geared at the united states the. Us government recently has tried to warn businesses against paying somewhere demands. They basically have looked at those states. In particular places like north korea and iran and they've issued warnings to companies saying. Hey if you're targeted by ransomware think twice about paying anyone who is affiliated with someone who sanctioned from those countries. You could violate sanction rules by actually paying up this ransomware. I was really struck by that. Yeah the treasury department was basically sort of saying. Gee even if you're a victim you might be maybe committing a crime here if you pay up. What was their reasoning. Their i mean. I think goes to that discussion that i was mentioning earlier about how we're creating a market for ransomware essentially and i think it's it makes sense to the. Us government's official policy as we shouldn't pay people on our sanction lists and create this market. That said if a company that employs ten thousand or twenty thousand americans has to choose between paying one of these things or laying people off. I mean that's a much different conversation. Be curious to see whether people in law enforcement federal regulators etcetera might take sort of a case by case approach to actually enforcing that sort of thing. I'm trying to figure out where all of this goes. As we maybe move to a post pandemic world Obviously people are gonna still do lots of stuff online. And that's not something. That's going away. But i wonder if you think we are going to keep seeing this increase in ransomware attacks or if this is maybe a bit of a bubble wrought by the pandemic. I think it's probably safe to assume that it will continue increasing. You will still have these criminal groups that make tens of millions of dollars per year doing this stuff who will continue to innovate continue to look for new ways to go after businesses. Continue to do that. Research and development that we mentioned earlier so. I think it's safe to say that. None of that's going to stop

