

FBI issued warning of uptick in ransomware attacks targeting schools

Posted at 6:36 PM, Mar 23, 2021
and last updated 2021-03-23 19:37:15-04

KANSAS CITY, Mo. — A cyber attack on computer systems used by the Park Hill school district comes just a week after the FBI issued a warning about an increase in ransomware attacks targeting schools.

Because the Park Hill incident is still under investigation, the exact nature of the malware involved has not been released, so it is not known if ransomware was used in this instance.

However, on March 16, the FBI's Cyber Division did warn of an uptick in the use of PYSA ransomware to target education institutions in 12 states and the United Kingdom.

According to the FBI, PYSA, which is also known as Mespinoza, can enter a computer system and encrypt its files. Then, the ransomware demands payment for the user to regain access to their data.

"If the ransom is not met, the actors warn that the information will be uploaded and monetized on the darknet," the FBI bulletin says.

Michael Tabman, a retired FBI Special Agent in Charge, attributes the recent rise in this malware to the money bad actors stand to gain.

"We're seeing an increase in ransomware because over the last four to six years, over $140 million in ransomware has been paid, so it's becoming a profitable criminal activity," Tabman said.

He added that the people behind the attacks are fairly savvy, but they can be found.

"There's always an electronic footprint, and even when using the dark web, the FBI has been able to track people, and you've seen some major arrests for this type of malware extortion," Tabman said.

What School Districts are Doing

The 41 Action News Investigative Team reached out to 10 local school districts to learn if they were aware of the uptick in attacks and to find out what steps are being taken to prevent them.

The KCPS, Liberty and Shawnee Mission school districts confirmed they had been informed of the recent increase in ransomware threats.

Both the Park Hill and Lee's Summit school districts said that in general, their staff members have stayed up to date on the latest cybersecurity threats.

KCPS said it receives information about threats through K12Six, a nonprofit threat intelligence-sharing group for school IT and security teams, as well as the Center for Internet Security and Multi-State Information Sharing and Analysis Center (MS-ISAC).

A spokesperson for the district explained their cybersecurity framework includes awareness training as well as various protective measures, like firewalls and filters.

KCPS spends $500,000 annually on cybersecurity as part of its five-year technology plan.

Liberty Public Schools also receives information about threats from various sources, including the Missouri Research and Education Network (MOREnet), and the district focuses on training as well as technology solutions to stop attacks from occurring.

Meanwhile, in an interview on Monday, Park Hill explained some of the protective measures it has in place.

"We have advanced firewalls in place, anti-virus, anti-malware, intrusion prevention systems, the list goes on," Director of Technology Derrick Unruh said. "Those systems have been implemented for some time. We continued to implement new systems as we identify threats."

How to Stop Ransomware Attacks

While IT professionals play a large part in protecting businesses from ransomware, there are some individual steps you can take to ensure you do not fall victim.

One of the most common ways malware ends up on a computer is through a phishing email. These emails may look like they're coming from a legitimate company or person, but they're actually from a scammer impersonating a real entity.

The FTC says the messages may:

  • Say that they've noticed some suspicious activity or log-in attempts
  • Claim there's a problem with an account or payment information
  • Say you must confirm personal information
  • Include a fake invoice
  • Want you to click on a link to make a payment
  • Say you're eligible to register for a government refund
  • Offer a coupon for free stuff

In addition, Tabman said a phishing message may include a link that claims to lead to a video of you.

In its warning, the FBI also posted a list of domains specifically associated with ransomware attacks.

The first and most important step is to not click on any links or attachments, which could download malware onto your computer.

If a ransomware message does pop up on your screen, try to click out of the message.

The FBI does not encourage victims to pay ransom, as payment does not guarantee files will be recovered.

Tabman explained paying can also embolden the hackers to target more people.

"If we all stood firm ... it would be almost like reaching herd immunity. They'd have nowhere else to go. There's so few people willing to pay, it's no longer profitable," he said.

Tabman recommended frequently backing up important data on an external hard drive. Be sure to back up that information while offline, and unplug the hard drive or thumb drive once the data is downloaded.

The FBI encourages you to report ransomware incidents to your local FBI field office or to the FBI's Internet Crime Complaint Center (IC3).