Ransomware is a form of malicious software that encrypts files on a device or network, preventing access. Attackers then demand ransom payment in cryptocurrency to provide the decryption key. Ransomware attacks overall are rising, but schools have become a major target. Recently, ransomware attacks on schools jumped from 68 in 2019 to 116 in 2020. Some districts choose to pay the ransom to restore access quickly, while others refuse on ethical or practical grounds. This raises the key question – should schools pay ransomware demands?
Financial Impact
The financial impact of ransomware attacks on schools can be significant. According to Report Discloses Cost, Statistics on School Ransomware Attacks, ransom demands ranged from $100,000 to $40 million. The average downtime caused by attacks was 4 days, with recovery taking around 1 month on average.
Many schools find themselves under-resourced when it comes to cybersecurity. As a result, the costs of recovery from an attack, such as network restoration and data recovery, can exceed the ransom demand itself. However, paying the ransom also comes with risks, as there is no guarantee the data will be returned intact. Schools must weigh the guaranteed cost of recovery against the uncertainty of paying ransom.
Ethical Considerations
Paying ransomware ransoms raises ethical concerns, as it could encourage further criminal attacks. As one expert argues, “Paying a ransom may also be viewed as unethical, as it may encourage attackers to continue their criminal activities and undermine cybersecurity efforts” (The Ethical Dilemma of Ransomware Payment). On the other hand, refusing to pay could result in significant disruption to students’ education if critical data and systems remain locked. Schools must weigh these competing ethical obligations. While paying ransoms risks enabling criminals, losing access to essential information technology resources makes it difficult for schools to fulfil their educational mission.
Legal Issues
There are some legal concerns regarding paying ransomware with public funds from schools. According to a congressional report, victims who pay ransoms using public funds could face criminal or civil penalties in some cases. Public officials have a fiduciary duty to spend taxpayer dollars responsibly. Paying ransoms could be seen as misusing public funds.
Schools also face potential liability issues if they pay the ransom. Paying ransoms encourages more attacks and makes schools a target. This exposes them to further extortion and data breaches. There are also concerns that paying ransoms contradicts laws prohibiting supporting criminal activity. Overall, the legal issues make paying ransoms with public school funds very problematic.
Prevention Strategies
There are several key strategies schools can implement to prevent ransomware attacks and minimize damage if an attack does occur. Employee training is crucial, as many ransomware infections start with a user clicking a malicious link or downloading an infected file. Schools should implement mandatory cybersecurity training to teach employees how to identify phishing emails and suspicious attachments or downloads. Strong backup systems can also limit damage from ransomware by allowing data restoration without paying the ransom. Schools should maintain regular backups stored offline and test backup systems periodically. Finally, strategic investments in cybersecurity tools and services can strengthen defenses against malware and unauthorized access. Deploying antivirus software, firewalls, threat detection systems, and access controls are important technical measures schools can take. According to Cisco, “The most effective defense against ransomware involves deploying and properly configuring firewalls, intrusion detection and prevention systems (IDPS), endpoint security solutions, security information and event management (SIEM) solutions, and web and email security gateways.”
Sources:
https://blogs.cisco.com/education/ransomware-the-cost-to-k-12-schools-and-how-to-prevent-it
https://www.upguard.com/blog/how-colleges-and-universities-can-prevent-ransomware-attacks
Response Plans
Having an effective incident response plan in place is crucial for schools to be prepared in the event of a ransomware attack. According to the Center for Democracy and Technology, schools should have a ransomware response protocol that clearly assigns roles and responsibilities. The protocol should identify who will lead response efforts, make decisions, communicate with stakeholders, restore data, etc. Deciding under what circumstances to pay the ransom is also an important consideration when creating the response plan.
The U.S. Department of Education advises against paying ransoms, as it can encourage future attacks. However, the response plan should outline when payment may be considered, such as if essential services are disrupted or sensitive data is threatened. Any payment decision should involve multiple stakeholders and legal consultation. Overall, having a detailed incident response plan can help schools react quickly and effectively if impacted by ransomware.
Examples
School districts across the United States have increasingly become targets of ransomware attacks in recent years. According to EdWeek, ransomware attacks on K-12 schools in the U.S. more than doubled from 2021 to 2022.
In 2021, the Broward County Public Schools system in Florida paid $40,000 in ransom after a ransomware attack. The district’s systems were down for over a week, greatly disrupting school operations. Other major school districts like Baltimore County Public Schools refused to pay ransoms, leading to prolonged recovery efforts.
The Lake Washington School District in Washington state paid $50,000 in Bitcoin after a 2020 ransomware attack encrypted all their files and data. Paying the ransom allowed the district to regain access within a few days. Still, the overall recovery took months.
These examples show how ransomware attacks can significantly disrupt schools, regardless of whether ransoms are paid. Quick payment may restore access faster but rewards criminals and doesn’t prevent future attacks. Refusing to pay leads to longer disruptions but avoids funding cybercrime.
Expert Opinions
Cybersecurity experts have weighed in with various perspectives on whether schools should pay ransoms to criminal hackers. According to Brett Callow, a threat analyst at Emsisoft, “Paying ransoms should be an absolute last resort” (source). Callow recommends schools focus on prevention, but understands “there may be cases where payment is the only viable option.”
John Riggi, senior cybersecurity advisor for the American Hospital Association, said paying ransoms is “like putting a Band-Aid on a gunshot wound – you’ve stopped the bleeding, but haven’t fixed the underlying injury” (source). Riggi advises against payment, believing it further enables criminal networks.
Tony Anscombe, chief security evangelist at ESET, argues that “paying ransoms feeds the cybercrime beast, encouraging more ransomware gangs to get in on the act.” Instead, he recommends focusing budgets on “robust cybersecurity and comprehensive backup protocols” (source).
Alternatives to Paying
Instead of immediately paying the ransom, organizations can explore alternatives to avoid financing criminal operations. According to Ransomware: Is There an Alternative to Paying the Ransom?, organizations have a few options:
One option is trying to negotiate with the attackers. Organizations could offer to pay a smaller ransom amount in the hopes attackers agree. This can potentially reduce costs, but still involves direct payment. Negotiating also gives legitimacy to the criminals.
Another alternative is seeking decryption tools to unlock files. In some cases, decryption keys are available for free through law enforcement or security researchers. However, this is not guaranteed. The specific ransomware strain would need to be identified first.
Overall, alternatives like negotiating or finding decryption tools are not foolproof. Paying the ransom is often still the quickest path to restoring business operations. But exploring options can help avoid immediately financing criminals.
Conclusion
When it comes to ransomware attacks on schools, we’ve learned there are no easy answers on whether schools should pay the ransom. Paying the ransom often seems like the quickest path to restoring systems and data, but it also encourages further attacks and diverts funds from education. The financial impact of such attacks can be substantial, with the average ransom in the hundreds of thousands of dollars. There are ethical considerations around rewarding criminal behavior as well as legal issues if federal funds are used for payment. Prevention strategies like cybersecurity training and offline backups are critical, as is having an incident response plan in place. While examples exist of schools successfully negotiating with attackers, experts disagree on best practices. Alternatives like rebuilding systems or relying on backups have challenges too. In the end, each school’s decision depends on its unique circumstances.
The key is being prepared with both cybersecurity measures and response protocols. By understanding the complex considerations around paying ransoms, schools can make more informed decisions in these difficult situations. There are no perfect solutions, but forethought, precaution, and education provide schools the best chance of effectively responding to ransomware attacks.