Threat Actors Target Remote Learning During COVID-19

Ransomware and DDoS attacks against schools have skyrocketed. What’s the best defense?

You student on mobile device, with hacker code overlaying the image

By Mike Wetherbee and Carol Hildebrand

We already know that cyber criminals have seized on the global COVID-19 pandemic as a sterling business opportunity. They have launched record-breaking numbers of DDoS attacks over the course of 2020, targeting lynchpin services such as financial services, Internet Service Providers (ISPs), communications service providers, and healthcare organizations with targeted DDoS extortion campaigns.

Now it appears that schools are also disproportionately under attack.

A recent alert from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned of numerous reports from K-12 educational institutions about the disruption of distance learning efforts by cyber actors using ransomware, DDoS attacks, and video conference disruptions.

Remote learning is a vital lifeline to pandemic education, making it a clear target for malicious threat actors. Indeed, according to MS-ISAC data, ransomware attacks on K-12 schools spiked as the 2020 school year began. In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared with 28% of all reported ransomware incidents from January through July. The alert noted that “adopting tactics previously leveraged against business and industry, ransomware actors have also stolen—and threatened to leak—confidential student data to the public unless institutions pay a ransom.”

DDoS attacks against K-12 educational systems also rose, including third-party services that support distance learning. A DDoS attack occurs when cybercriminals or students overwhelm a network with hundreds of thousands of unnecessary requests or with traffic from a multitude and variety of sources, preventing legitimate application requests from being fulfilled and rendering the network, its services, and its applications unavailable.

A six-month review of worldwide education networks for DDoS activity by the NETSCOUT ATLAS Security Engineering and Response Team (ASERT) showed an increase of 25 percent this year over 2019—so far. Additionally, findings from the NETSCOUT Threat Intelligence Report 1H 2020 saw attacks against educational services grow 13 percent across the United States.

Worldwide Education Six Month Review 2020 vs 2019

Click to Enlarge Image

Defending Education

For educational institutions, defending against DDoS and ransomware attacks is usually a mix of solutions or layers of protection, from the implementation of good network practices to the employment of third-party purpose-built mitigation software and hardware. These decisions are typically driven by budgets: some options are budget-friendly, while others can be costly.

In particular, the CISA alert recommended the following best practices for mitigation: 

Ransomware attacks

  • The FBI and CISA do not recommend paying ransoms.
  • Report ransomware incidents to your local FBI field office.
  • Regularly back up data, air gap, and password protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

DDoS attacks

  • Consider enrolling in a denial-of-service mitigation service that detects abnormal traffic flows and redirects traffic away from your network.
  • Create a partnership with your local ISP prior to an event and work with them to control network traffic attacking your network during an event.
  • Configure network firewalls to block unauthorized IP addresses and disable port forwarding. Note: NETSCOUT, and even firewall vendors, caution against the use of firewalls for DDoS protection and instead recommend dedicated DDoS protection in front of firewalls for proper defense. 

Federal funding programs such as the Federal Communications Commission’s E-Rate program and the Coronavirus Aid, Relief, and Economic Security (CARES) Act designed to assist with COVID-19 preparations and beyond rightly focus on connectivity to ensure that every student or teacher has access to educational resources via broadband or Wi-Fi. Unfortunately, the requirements in these two programs do not spell out whether the funds can be used to secure DDoS mitigation options or the network availability that provides the pathway for remote learning. Finding the funds to protect the availability of these resources falls to the IT managers.

Area Of Need To Support Distance Learning

Click to Enlarge Image

We see four reasons to expect heightened DDoS and ransomware attacks on our schools for the foreseeable future:

  • Ease of access due to the connectivity mission of schools, combined with the additional network traffic and expanded threat surface from students learning at home
  • The potential cache of valuable information that can be attained from the systems universities and schools are required to run
  • The lure of the variety and volume of devices connected to these networks that can be employed for nefarious activities
  • The low bar to entry that makes it easy to launch a DDoS attack via do-it-yourself DDoS attack tools and DDoS-for-hire services

Understanding this should be the motivation behind analyzing what your institution currently has in place to stop potential attacks, what you need to protect, and what you may be missing. The most important factor is to analyze whether you have the expertise in house to implement an effective strategy, or whether looking for outside help is a better defense.

Learn how one university mitigates DDoS attacks

Read the paper How to Analyze and Reduce the Risk of DDoS Attacks

Learn more about Arbor DDoS attack protection