In the summer of 2019, school Superintendent Devin Embray learned the Glenwood District in Mills County, Iowa, was being held hostage by foreign ransomware attackers.
The hackers encrypted student data that included schedules, contact information and demographic information, making it inaccessible to the school’s administrators, Embray said. They demanded $130,000 worth of cryptocurrency from the school district to unlock the data.
Glenwood paid $10,000 in ransom.
“There was really nothing we could do on our end,” Embray said.
The 2019 Glenwood attack was one of the first known examples of a surge in ransomware attacks on Iowa schools. While Glenwood chose to publicly acknowledge it, many schools targeted by cybercriminals do not.
Most ransomware attacks go unreported and communities are left in the dark about what may have happened to their private information and their taxpayer dollars.
When the Davenport School District was targeted in September, school officials said they thought they were dealing with computer-server glitches as the district’s internet, phone and email systems experienced disruptions.
Later in the month, signs of a cyber invasion became more evident, but the district declared it had “thwarted” an attack.
A data-extortion group known as “Karakurt” has since claimed to have stolen huge amounts of personal data from the Davenport district. Though the attack first was detected in early September, state officials were not notified of the breach until the end of October.
In early November, a district spokesman first acknowledged the hackers had demanded a ransom, but the district did not pay.
Schools advised how to handle attacks
Increased ransomware attacks bring steep insurance costs, rigorous requirements to qualify for insurance and, in some cases, disruptions in students’ education.
Aaron Warner, CEO of ProCircular, a cybersecurity firm in Coralville, said hackers usually demand between $2 million and $10 million in ransom from larger school districts.
“I would say that every school is attacked in one way or another every single day,” said David Fringer, the executive director of information technology at Green Hills Area Education Association.
Larger schools are appealing targets, Fringer said, because they have more money than smaller districts, though the smaller ones are easier to attack. He said ransomware groups demand lower amounts from smaller schools, but attack more of them to collect an amount equivalent to what could be collected from one larger school.
Recent ransomware attacks on Iowa schools include those in 2022 that hit the Davenport, Cedar Rapids, and Linn-Mar districts. Unlike Glenwood, these schools did not voluntarily disclose details of their ransomware attacks, including how much ransom was paid, to prevent sensitive information from being leaked.
The Linn-Mar school district initially described its ransomware attack in late July of 2022 as “technical difficulties” within the school’s servers. However, a leaked image of one district computer revealed that the school’s files had been encrypted by a ransomware group known as Vice Society, which wrote on its website that it would release the school’s important documents, photos and databases to the dark web.
A Linn-Mar employee, who spoke for this story with a promise of anonymity in order to protect the person’s job, said the school’s administration continued to refer to the attack as a “computer issue” after the leaked image circulated in various news organizations.
The employee said Linn-Mar did not notify faculty that their personal data was impacted until months later, on Oct. 10, 2022.
The employee provided for this story images of an email sent from the superintendent to staff on Oct. 10. It said an extensive investigation into the July event indicated that employee data may have been impacted, but student data was not. The email said that anyone whose data was affected was to receive a letter with additional information about the event and an offer for free credit monitoring.
Linn-Mar’s failure to publicly acknowledge its ransomware attack is consistent with the responses of other targeted school districts. The Cedar Rapids Community School District informed parents that a ransom was paid but has not disclosed the amount. The ransomware attack on the Davenport Community School District was made public by the criminal group known as Karakurt in a post on the dark web where it threatened to release students’ personal information online.
Fringer said schools are advised to handle ransomware attacks privately to prevent further targeting by cybercriminals.
“It is the belief of the FBI and the Department of Homeland Security that once the who and the how get out about cyber incidents, it encourages other attacks,” he said. Others, however, argue that the schools’ secretive handling of the attacks fuels skepticism.
Randy Evans, executive director of the Iowa Freedom of Information Council, a nonprofit that advocates for open government, is calling for schools to disclose ransomware attacks and payment amounts.
“Government entities belong to the public and not to government officials,” Evans said, referring to the Cedar Rapids district attack. “The owners of the Cedar Rapids school district ought to know: Did they pay a ransom, how much did they pay, what assurances they have that the problem is resolved?”
According to Iowa law, schools are required to notify the Attorney General’s Consumer Protection Division of a security breach affecting at least 500 Iowa residents within five business days after notifying the affected people. However, delays in notifying the affected people are permitted if the notification would interfere with a law enforcement agency’s criminal investigation.
Evans said Iowa’s Open Records Law allows public records dealing with cybersecurity to be kept confidential. But he said he is concerned that the public does not understand the magnitude of the problem and noted that the Cedar Rapids and Davenport school districts are Iowa’s second and fourth largest school districts.
“If any of these institutions had the resources, it’d be the largest ones. Those small school districts, they’re the ones that are really sort of out there on their own,” Evans said.
Glenwood’s Embray said he tries to be transparent as much as possible. “We exist for our community; our community doesn’t exist for us, so if we need to shore up things, we own that,” he said.
‘Nothing more important’ than kids
ProCircular’s Warner said attacks on K-12 institutions accounted for most of the ransomware cases his firm handled in the last six months.
“They’re targeted primarily because of their sensitivity to downtime,” he said. “There are a lot of very time-specific pressures in the education world that maybe don’t exist in other industries.”
He said the involvement of children can make districts more willing to pay a ransom. Ransomware groups often publicize who their victims are to encourage parents to pressure schools.
“When a bad guy holds a school hostage, the stakes go up because there’s nothing more important to people than their kids,” he said.
Warner said one of the best ways schools can mitigate potential ransomware losses is by buying cybersecurity insurance.
The Glenwood district purchased cybersecurity insurance two years before it was attacked — when a school board member who worked in the banking industry recommended it.
The ransomware attack on Glenwood came through a network port that a former technology director had left open in order to work from home.
Embray said the school’s insurance provider worked with a cybersecurity firm in England and the FBI to investigate the attack while negotiating the $10,000 ransom.
Warner said cyber protection insurance costs depend on several factors, such as a school security system’s maturity and the number of cybersecurity incidents that previously have occurred.
But costs are rising. “Cyber insurance has doubled and tripled in cost so much over the last five years,” Warner said.
Fringer said the annual cyber insurance cost for the Green Hills AEA was $23,000, but that would be on the lower end because the AEA doesn’t serve students directly.
Yearly costs for the Council Bluffs school system three years ago until June 2020 went from nearly $15,000 to $30,000, then as high as $50,000 over a few years, he said. The district had 9,500 students and 1,200 staff.
Davenport has about 15,000 students and 2,500 employees.
Fringer advises 45 school districts in southwest Iowa and connects them to recommended insurance vendors. While larger schools are more likely to have IT departments, he said, many smaller districts are led by a technology director without formal training. This often means smaller school districts have a more difficult time meeting insurance requirements.
“The biggest challenge is protecting small school districts with less expertise and less resources,” Fringer said.
Insurance companies also have increased the number of security requirements, such as multi-factor authentication for faculty and students, for schools to qualify for cybersecurity insurance policies.
Warner said, “Insurance policies have gone from a one-page question questionnaire to a 35-page audit, and schools often need assistance to get through that to even get insurance.”
When schools are held hostage by ransomware attackers, insurance companies typically negotiate with cybercriminals on behalf of the victims. Warner said hackers often demand two separate payments from their victims: the first to decrypt the stolen information and the second to ensure it won’t be leaked.
Larger hacking groups often have their own negotiation departments, Warner said. He provided a redacted transcript from a 2020 ransomware negotiation with a hacker group called Snatch in which the ransom amount was negotiated from $500,000 to $100,000.
A few precautions exist for schools. In addition to insurance, both Warner and Fringer emphasized the importance of training school faculty. Fringer said the Iowa Office of the Chief Information Officer has been a great resource for schools he works with but that demand for training is too high for the office to keep up.
“They have some great programs and training, but they are also understaffed and underfunded,” he said. “Sometimes if you ask them for help, they schedule you 12-to-18 months out.”
Fringer said Iowa’s nine area education agencies can help schools identify threats and that, in his experience, they usually can respond to schools’ questions within a day. He also said schools can use a federal E-Rate program to purchase discounted network hardware, such as firewalls, that act as barriers between a private network and the public Internet.
Despite these measures, Fringer said, being the victim of a ransomware attack can be unavoidable.
“You can drive really, really carefully, but if someone hits you, it’s still an accident. The same thing is true in the cyber world,” he said. “You can be really, really safe and then somebody hits you.”
Vivien Guo and Makenna Mumm contributed to this story, which was produced as part of a University of Iowa School of Journalism and Mass Communications reporting project. Olivia Allen of the Quad-City Times also contributed.