The Local Government and Education sectors have embraced rapid technological advancements, driven by connectivity and AI, with a 2024 budget of $138.9 billion. This surge aims to improve service delivery but also increases cybersecurity risks. Recognizing these threats, the U.S. government designated the education sector as critical infrastructure and established the Education Facilities Subsector Government Coordinating Council (GCC). The GCC enhances cybersecurity by promoting collaboration among federal, state, and local agencies. This advisory outlines the significance of safeguarding sensitive data, the impact of ransomware, and essential strategies for protecting local government and education institutions against cyber threats.
Accelerating Technology Adoption in SLED
Increased inter-connectivity and Artificial Intelligence (AI) propels technological advancements within the State, Local Government, and Education (SLED) sector. According to statistics, the education sector is poised to lead this technological surge, aiming to enhance competitiveness in delivering services to students. Significant allocations have been made for technology spending, with a total budget of $138.9 billion across SLED for 2024. IT services account for $59 billion within this budget, while software products represent $13 billion. Forecasts indicate a notable increase in these figures by 2025, with IT services expected to rise to $61 billion and software products to $14 billion, reflecting the sector’s commitment to continuous innovation and advancement.
However, these new technologies, automation processes, and interconnected systems are giving rise to fresh challenges and risks. Within local government and education institutions, there’s a growing dependence on technology for essential functions, including the storage of sensitive data such as financial records, student information, and research findings. This heavy reliance expands the potential attack surface, providing cybercriminals with greater opportunities for exploitation.
Designation of Education as Critical Infrastructure
In recognition of the growing cyber threats facing educational institutions, the U.S. government has officially designated the education sector as critical infrastructure. This designation underscores the importance of protecting the sensitive data and technological systems used in schools. In response, the Department of Education, in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), has established the Education Facilities Subsector Government Coordinating Council (GCC). This council aims to enhance cybersecurity resilience across K-12 schools by fostering collaboration between federal, state, and local agencies. Through information sharing and strategic defense measures, the GCC seeks to safeguard educational environments against cyber threats, ensuring the security of student and institutional data. However, this move also implies that schools may encounter increased oversight, regulation, and reporting requirements.
The sensitivity of information held by educational institutions is often underestimated, yet it encompasses a wealth of records that could be exploited in detrimental ways. These records may include details on students with health issues, specific ethnic backgrounds, drug usage reports, and disciplinary records. If such information were to become public, the potential harm to these students could be irreparable.
Impact of Ransomware on Local Government and Education
In 2023 Ransomware groups have achieved an unprecedented milestone by extracting over $1 billion in cryptocurrency payments from their victims. Additionally, over the past two years, more than a hundred educational institutions have fallen victim to ransomware attacks perpetrated by various criminal groups, and the cost of recovery is estimated at $1.8 million USD. In secondary schools, according to the latest Emisoft report, the number of affected institutions has nearly doubled compared to two years ago, totaling 108.
Pysa Ransomware Group
Pysa ransomware emerged as a significant threat in 2023, primarily targeting educational institutions and local government organizations in the U.S. Originally known as Mespinoza, the group began operations in late 2018, producing .locked files. However, in December 2019, they rebranded to Pysa ransomware, changing the file extension to .pysa.
Notably, at least three variants of this ransomware have been detected to date, all characterized by the use of Living-off-the-Land (LotL) techniques with PowerShell, Python, and Bash scripts. Like most ransomware groups, this gang employs phishing as an initial attack vector, along with frequent usage of infostealers and the exploitation of misconfigured and exposed RDP access.
Notable Recent Ransomware Incidents
In 2023, several high-profile attacks targeted educational infrastructure, leaving a significant impact. Among the notable incidents were the following:
- Clark County School District, Nevada (September 2023):
- Over 200,000 students were affected, resulting in the compromise of profiles and sensitive information.
- Los Angeles Unified School District (LAUSD) (October 2023):
- More than 2,000 student records were exposed on the dark web, including COVID-19 certificates.
- Anoka-Hennepin Public Schools, Minnesota (May 2023):
- Sensitive data, particularly related to allegations of sexual violence, was unlawfully disclosed.
- The ransom demanded amounted to a staggering $1 million USD.
More than 670,000 students were affected in the last year and the tendency is on the rise. These incidents underscore the pressing need for enhanced cybersecurity measures within the education sector to safeguard student data and maintain trust in educational institutions.
Education Sector Vulnerability & Recovery Time
The Education sector stands as one of the most vulnerable to the impacts of ransomware attacks, experiencing recovery times slower than in previous years. The increasing complexity of these attacks has posed significant challenges in maintaining operational continuity.