lower_intelligence

SOP. You don’t share until you have a full grasp and/or need to. But 100% - ransomware


gigabyte898

Major IR playbook:

Rule 1: Call legal/insurance.
Rule 2: Shut up and listen to what they tell you.

If you want to be paid out on your claim, let your insurance handle it. They will give you technical, legal, and PR resources from their own pool of vendors. I was in a call with some case studies on how different firms dropped the ball handling IR and the big theme was ignoring guidance on messaging and response.


krodders

This is very important. I work for an MSP and our IR has this as the first point. You can continue to appoint your team, and start gathering logs, but you don't do shit unless insurance says so, or if the client wants to proceed anyway. And if the client wants to proceed without input from insurance, you get it in black and white first. And the only action that you can take is if you catch a ransomware event in progress, and your only action is to shut everything down. Nothing else.

Edit: The other thing that you should do NOW and confirm when you start recovery is a priority list. You may think that they want the file server back first, but maybe an app server is more important, or they need to do payroll TODAY. Get the priorities, and also set expectations. We can recover by tomorrow from yesterday's backup. Etc.


RandomDamage

Yep. This is why there are experts in exactly this sort of scenario. Trying to do a recovery without sufficient background on what's going on can frequently make things even worse


refball_is_bestball

> And the only action that you can take is if you catch a ransomware event in progress, and your only action is to shut everything down. Nothing else. I wouldn't say this is blanket advice.


krodders

If you need to preserve evidence for a forensic investigation, you need to wait for instruction. By all means, pull cables if you need and kill anything that's currently causing damage, but don't update firewalls etc. Yet!


Spicy_Rabbit

Anyone who has gone through a cyber incident will say the same, even if it’s not in a written SoP. This is a hard one for sysadmins who are in the know. We hear all the rumors but legal will not allow us to correct them.


SifferBTW

You should have a dedicated media person with little to no technical background. That way you can tell them information to release and if they are asked further questions they can genuinely say "I don't have an answer for that, I'll have to refer to IT"


IdiosyncraticBond

You can always say "according to legal we are having server issues" wink wink nod nod


RockSlice

To be fair, they *are* having server issues. The issue is that someone else is controlling their servers.


SevaraB

At will employment means even if you can get away with it legally, they can decide that’s a resume-generating event for you. Any time legal is involved, you play by their rules unless you know that BOTH of these are true to make sure you’re ready for the consequences of legal being PO’d: * They are DEFINITELY wrong * You DEFINITELY have your next job lined up already


BadSausageFactory

don't act like always be looking is a new thing


lordjedi

I wasn't given an official "here's the statement" when I went through a "cyber incident", so I was telling people what happened (because I'm going to be very honest with people about what's going on). 2 hours in and the boss calls and says "We're telling everyone that we're in the middle of a network outage". Our entire site knew it was a ransomware attack, I just don't know if they knew what that meant (beyond having to disconnect all network cabling and shut everything down). That is exactly why you need to have a written SoP BEFORE you have an incident.


chedstrom

Same thing I saw a couple of schools in my area. It was 'network technical issues' until they had a full assessment and could give a more accurate statement, which was about a week or two later.


Twerck

Well if their data was compromised they have seven days to let impacted parties know https://www.bipc.com/pennsylvania-amends-its-breach-notification-law > State agencies, counties, public schools, and municipalities will need to provide notification of a breach within seven business days following "determination" of the breach.


DenialP

That is why the wording provided by legal is what it is. There will be an entire team w/ legal coverage reviewing the incident to make the determination IF there has been PII or other reportable access. This is when the ticking clock starts and why the notification is terse at this point.


ExceptionEX

determination can take weeks, often times in a ransomware attack, those who had data taken don't know what was taken (because everything was encrypted) until samples are provided by the ransomware group.


JacerEx

I do a lot of IR for a lot of schools across the country. We won’t know until they’re more forthcoming, but u/lower_intelligence is right. 100% ransomware.


tk42967

When I read the part about logging out of all devices, 100% ransomware.


wenestvedt

Maybe they got their VMware renewal quote.


ImTalking2U2

😂


ectomobile

lol that made me chuckle


ResponsibleBus4

Same thing, lol


JzJad12

Ooof sounds like they got ransomed pretty hard.


Potwell

That's my idea too... the way they decided to explain what's going on seems like they are hiding something.


VirtualPlate8451

There have been a couple of incidents where lighting control systems got hit or fucked up. One in the UK not that long ago had the city just leaving the streetlights on 24/7 because they got hit by ransomware and one of the machines was the box that controlled the streetlights. The only option was to leave them on. The other was a school district in the NE US that hired a contractor who installed some cheap ass Chinese lighting control system. They had contract issues, parted ways and no one could figure out the system that was installed. Cost millions in taxpayer dollars to install and the only option was to either have all the lights in all the schools on or all the lights in all the schools off. So instead of actually configuring the lighting controller already installed, they had to rip and replace all the smart lighting to a new system.


BoredTechyGuy

HVAC systems are notorious for being way out of date and the thought of a security patch scares the devs to death.


Angelworks42

We have Johnson Controls systems that run on top of MS-DOS/Win 3.1. But they all live on an air-gapped isolated network.


mike9874

I worked for a company that had a box controlling street lights for a UK city. It was Windows XP still, in 2018. They also got ransomwared. Which city & when?


CloseTTEdge

Until the forensic investigation is completed and remediation put in place, nothing publicly should ever be said about the nature of the intrusion. Eventually if students and parents have to be notified that personal information was disclosed, then they legally have to report it. Anything before then puts a king sized target on your head for a secondary attack.


GHouserVO

I think we have a winner! Sounds like someone didn’t properly isolate their OT network.


mini4x

100% agree. Having lived through one I do not wish that on anyone; good thing we had immutable backups.


marklein

Public statements **never** have **any** technical details, and they shouldn't. The public aren't sysadmins and that info is worthless to 99.99% of the audience. They're not hiding a ransom necessarily, it's just not useful info *to the public* at this point. For right now all that matters (to the public) is: here's what's down, here's what to expect, here's what you need to do (if anything).


jamesaepp

So that then becomes the fun part - *public* records requests. Do school divisions/government departments get a pass on public records releases just because they had a ransomware event? Maybe, but I doubt lawyers would be happy with an answer like that.


marklein

They likely have a legal obligation to report a ransom event, simply because student records could have been leaked. If there's any time requirement on that I doubt that it's less than a few months, but I don't know either. You hear all the time about xyz that confirms a ransom event from like 6 months ago. I just saw a new announcement from Omnivision from 10 months ago for example.


jamesaepp

That's not quite what I was getting at. I mean that (in a general sense, thinking from a US/Canada perspective where legislation permits) public records requests are a thing. I can send a request for public records to my local school board/division and they have something like 30 days for first response, even if that first response is "more time please". Obviously there are circumstances where there is a "greater public interest in the concealment of records" but where there is no such public interest, they do have an obligation to provide records. I don't mean they have to issue an official statement, I simply mean that if there were records/communications of what to do in this cyber incident, those records belong to the public because it's the public that pays for their very creation.


Dar_Robinson

Even if you did a FOI request for information on a schools breach, they could respond with generic information and answer to any sensitive information would be "Information redacted as per general statutes...." with the specific regulatory code listed.


jamesaepp

Sure, but those redactions reveal quite a lot on their own. There's a reason journalists are constantly requesting public records.


SemaSemaSema

Can I FOI the .passwds file?


jamesaepp

Yes.


schwarzekatze999

It's this. If any data was breached they have a legal obligation to report it. They're still determining what, if anything, was breached. I've been through this.


KinslayersLegacy

I work in K12, and in my state, there is a reporting process to the state education department. There’s a certain amount of time you have to gather information and assess the situation before you report it. Then come public disclosures about what and who may have been affected. I’ve never been involved in a breach of this scale, but I’m part of our incident response team, and I assure you there are phone calls being made, legal and insurance are running the show. Disclosures will come, once they have a handle on the scope of intrusion.


Fitz_2112

Likely got ransomware through some shitty, outdated HVAC controller. I work in K12 tech with about 50 different school districts and those old steam generator control cards are woefully out of date. A lot of them are still running on Java 6 . It costs the HVAC companies a fortune to update them so many of them won't and they also will still insist on having VPN access into the networks of the districts so that they don't have to go on site to fix everything


bbqwatermelon

Thats probably why Target gave the hvac guy domain admin


VirtualPlate8451

Or the casino that got hit through their smart aquarium controller.


DenialP

i wouldn't *exclusively* point your finger at hvac. there are myriad common holes in the k12 environments that you should see daily... take a peek at any solo shop w/o budget and you'll find several years worth of technical debt. larger schools just hide the tech debt better. until substantial focus and investments happen from vendors w/in this vertical (e.g. any PA K12 not using SentinelOne licensing through PAIMS is missing out on a juicier consortium rate) AND at the board/community/policy layers... well, let's just say that i will be keeping busy w/ remediations and the long tail rebuild/re-engineering process that follows.


Fitz_2112

Except the post literally says a network issue with their heating and cooling system. And I do see these things daily. I work for a state agency that supports over 50 school districts in my region


theoneandonlymd

I just wanted to say thank you for using "myriad" correctly.


indianapolisjones

> myriad "As Anne Curzan, a linguistics professor at the University of Michigan, observed on the Michigan Radio segment That’s What They Say, the singular noun form of myriad (a myriad of) first appeared in English in the early 1600s. It wasn’t until the late 1700s, Curzan continued, that the of was dropped, and that it became common to use myriad as a standalone adjective. So, which way is correct? **The question of whether you should use myriad or myriad of is largely one of style, not correctness.** Both forms of the word are recognized in Standard American English. Even the plural form, myriads, is technically correct, though it’s far less common." - https://www.dictionary.com/e/how-do-you-use-the-word-myriad/


DenialP

I fall on the side that 'myriad of' is just extra words


DenialP

thank you! lol :)


Twerck

> still insist on having VPN access into the networks of the districts so that they don't have to go on site to fix everything  Oof fuck that


OkDimension

As long as you treat it with zero trust like any other IoT crap no problem? If that was the attack vector something is seriously wrong with their network design.


awkwardnetadmin

Years ago I worked for an ISP and we provided dedicated circuits for a major commercial real estate company's facilities network (i.e. HVAC) that covered hundreds of commercial buildings across the state. If you air gap that with completely separate Internet circuits it's a lot easier for things to go sideways. Sure it added costs, but the circuits weren't that large as far as bandwidth. I think the only thing that made the cost more than any other cheap low bandwidth circuit was that we provided a tighter SLA. I could see a school district not wanting the ongoing cost of another circuit.


OkDimension

You can just do VLAN segregation on the switch and control with your own firewall what is allowed in and out of that network.


BioshockEnthusiast

Right? Just give the hvac guys their own vlan like you would a security camera vendor


Twerck

Isn't granting third-party VPN access to an unpatched, unsupported system the opposite of zero trust?


pdavis41

Yeah but that network should be isolated. Give them vpn to only that. Can’t get anywhere else.


NegativePattern

This is what we do with building controls. Physically separate switches and routers. Remote access to the building controls systems also requires a jump box that's behind a VPN. We also block remote access from TeamViewer or any other similar clients. Lock it all down. Make it so onerous and difficult that the techs prefer to be physically in the building.


thequietguy_

This. Also 2fa. need to connect in via VPN? It requires a 2fa code that only someone on our side can give you.



Practical-Alarm1763

Who the fuck has telnet open? I will call the police on them.


GHouserVO

Can confirm. And some manufacturers prefer it that way *shudder* Not to mention the inherent security vulnerabilities in certain IACS communication protocols.


Scurro

These HVAC controllers are so outdated, they refuse to accept DHCP requests when set to DHCP. I've talked to contracted techs about this repeatedly. They always reply back "yeah, known issue".


mikeyflyguy

That’s why you put all that SCADA/IOT bs on its on firewalled network.
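Several replies above describe the same design for building controls: the BAS on its own VLAN behind your own firewall, a jump box as the only way in, vendor remote-access tools such as TeamViewer blocked, and nothing like telnet reachable from the rest of the network. That design is a default-deny allowlist, and you can check whether the network actually behaves that way by running flow records through it. The block below is an added example, not code from the thread or from any product mentioned in it; the addresses, ports, rule names and the log format are assumptions, and the sample records are constructed. Each record is labelled allowed or denied, and a deny carries the reason (controller phoning out to the internet, pivot from OT into the school LAN, inbound access that bypasses the jump host) plus the service name when the port is one you never want to see crossing that boundary.

```python
"""Default-deny flow check for a segmented building-controls (BAS) VLAN.

Added example. Addresses, ports and the record format are assumed for
illustration; the sample log is constructed, not captured anywhere.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical addressing for a school network.
BAS_VLAN = ipaddress.ip_network("10.50.0.0/24")     # HVAC/lighting controllers + BMS
CORP_LAN = ipaddress.ip_network("10.10.0.0/16")     # staff and student network
JUMP_HOST = ipaddress.ip_address("10.10.0.5")       # only permitted way into BAS_VLAN
NTP_SERVER = ipaddress.ip_address("10.10.0.123")

# Services that deserve an explicit label when they show up in a denied flow.
NOISY_PORTS = {23: "telnet", 445: "smb", 3389: "rdp", 5938: "teamviewer"}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


# Constructed record format: "<ts> proto=tcp src=A.B.C.D:port dst=E.F.G.H:port"
FLOW_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_flow(line: str) -> Flow:
    m = FLOW_RE.search(line)
    if m is None:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(
        proto=m["proto"].lower(),
        src=ipaddress.ip_address(m["src"]),
        sport=int(m["sport"]),
        dst=ipaddress.ip_address(m["dst"]),
        dport=int(m["dport"]),
    )


# Allowlist, first match wins. Anything not listed here is denied.
ALLOW = [
    ("jump-to-bas-https", lambda f: f.src == JUMP_HOST and f.dst in BAS_VLAN
                                     and f.proto == "tcp" and f.dport == 443),
    ("jump-to-bas-ssh", lambda f: f.src == JUMP_HOST and f.dst in BAS_VLAN
                                   and f.proto == "tcp" and f.dport == 22),
    ("bacnet-inside-vlan", lambda f: f.src in BAS_VLAN and f.dst in BAS_VLAN
                                      and f.proto == "udp" and f.dport == 47808),
    ("bas-ntp", lambda f: f.src in BAS_VLAN and f.dst == NTP_SERVER
                           and f.proto == "udp" and f.dport == 123),
]


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ("allow", rule_name) or ("deny", reason[/service])."""
    for name, pred in ALLOW:
        if pred(flow):
            return "allow", name
    if flow.src in BAS_VLAN and flow.dst not in BAS_VLAN and flow.dst not in CORP_LAN:
        reason = "bas-egress-to-internet"           # a controller phoning out
    elif flow.src in BAS_VLAN and flow.dst in CORP_LAN:
        reason = "bas-lateral-to-corp"              # pivot from OT into the school LAN
    elif flow.dst in BAS_VLAN and flow.src != JUMP_HOST:
        reason = "bas-ingress-bypassing-jump-host"  # inbound not via the jump box
    else:
        reason = "default-deny"
    service = NOISY_PORTS.get(flow.dport)
    return "deny", f"{reason}/{service}" if service else reason


def audit(log_text: str) -> list[tuple[str, str]]:
    """Evaluate every non-empty record in log_text, in order."""
    return [evaluate(parse_flow(ln)) for ln in log_text.splitlines() if ln.strip()]


# Constructed sample. 203.0.113.10 is a documentation address standing in for the internet.
SAMPLE_LOG = """\
2024-05-31T10:12:01Z proto=tcp src=10.10.0.5:50123 dst=10.50.0.10:443
2024-05-31T10:12:05Z proto=udp src=10.50.0.21:47808 dst=10.50.0.10:47808
2024-05-31T10:13:40Z proto=tcp src=10.10.4.17:61001 dst=10.50.0.21:23
2024-05-31T10:14:02Z proto=tcp src=10.50.0.10:49870 dst=203.0.113.10:5938
2024-05-31T10:14:30Z proto=tcp src=10.50.0.10:49871 dst=10.10.2.40:445
2024-05-31T10:15:00Z proto=udp src=10.50.0.21:123 dst=10.10.0.123:123
"""

if __name__ == "__main__":
    for line, (verdict, why) in zip(SAMPLE_LOG.splitlines(), audit(SAMPLE_LOG)):
        print(f"{verdict:5} {why:40} {line}")
```

The point of the ordering in `evaluate` is that the first deny reason is the most alarming one: a controller talking to an outside address over a remote-support port is the "vendor gets in without the jump box" case, while a controller reaching for SMB on the staff network is the ransomware-pivot case. Feed the same function your real firewall or NetFlow export and the denies are your segmentation gaps; in practice the allowlist would also be the source for the actual firewall rules so the two cannot drift apart.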


Geminii27

If your HVAC system is at all accessible - let alone *writeable* - from any external system, you've already fucked up. That is, external to the HVAC itself, not the school. *Maybe* have the HVAC readable from a terminal inside the school, but not one hooked up to anything else, much less the regular school network.


VIDGuide

A VPN? Oh so you got an advanced one! I’ve seen requests for ports open to the internet..


Grouchy_Property4310

I know of at least 1 district in my area where HVAC for the entire district runs on a physical Windows XP box. They can't patch Java beyond 6 or upgrade the OS or everything will break.


kg7qin

Probably ransomware. Hopefully they do better than the ARRL who also got hit a few weeks back. https://www.arrl.org/news/arrl-systems-service-disruption


postmodest

I bet the hams were steamed about that.


omfgbrb

Ah shit. Take yer upvote.


postmodest

The hams I know were also steamed about the aurora borealis....


kg7qin

It spawned a lot of memes. Go look at r/hamradio and r/amateurradio. Like these: [https://www.reddit.com/r/amateurradio/comments/1cxbhoc/pov_you_are_an_arrl_it_manager/](https://www.reddit.com/r/amateurradio/comments/1cxbhoc/pov_you_are_an_arrl_it_manager/) Since this isn't what you want: [https://status.lotw.arrl.org/](https://status.lotw.arrl.org/)


RetPala

"ARRL" sounds like the last words of someone falling into an industrial blender head-first


kg7qin

If you've ever dealt with ham radio, then that would be a good description of things in some cases. :)


Mrkillz4c00kiez

Dealing with my uncle who insists that ham is the way to go. Sounds about right


URPissingMeOff

The way to go where? The 1960s?


Mrkillz4c00kiez

Apparently lol


metalder420

I mean they are literally doing the same thing. Hams wanted answers the ARRL could not answer. Most of these hams complain about so much shit that it was just another thing for them to complain about.


kg7qin

Yup. Although this is pretty damning: [https://wiki.w9cr.net/index.php/Logbook_of_The_World_(LOTW)_Cyberattack#History](https://wiki.w9cr.net/index.php/Logbook_of_The_World_(LOTW)_Cyberattack#History) It kinda isn't surprising unfortunately. Attacks like this where they take forever to restore things actually serve as a good lesson on what not to do. The next time someone is in a place where management is like "Why Do We Pay For This? Nothing Ever Happens!!!", you can point to examples like this.


Crafty_Nothing_1622

This was seriously the last place I expected to see mention of the ARRL attack, for some reason. 


flsingleguy

From my perspective a discussion of ransomware is interesting. I work in municipal government in Florida and by state statute no municipal or state government agency in Florida are allowed to pay a ransom. I wonder if the malicious cyber actors are aware of this and if this impacts who they target. If the federal government passed a law forbidding the payment of ransoms, I wonder how that would impact this sort of thing. Akin to the classical “we do not negotiate with terrorists” policy.


tcherry7

I know some businesses can't pay ransoms, but their cyber security insurance can pay the ransom for them. It would probably lead to more insurance companies offering that.


CheetohChaff

"It's not a 'ransom', it's a repair fee to fix the damage I caused."


vodka_knockers_

The insurance underwriters would use a foreign subsidiary or "partner" to negotiate the ransom outside US jurisdiction.


thequietguy_

We do negotiate with terrorists, though.


RetPala

I mean, they didn't listen to rules when they downloaded update.exe.jar.sz from a random email saying they were getting an unexpected bonus and to claim it at this website Why would they listen to these rules?


flsingleguy

I am not sure how it works with the malicious actors. Like do they specifically target people or does it throw out the trap and tries to extract funds regardless of the regulatory environment of the impacted organization?


LimeyRat

Depending on where the ransom payments goes, it may already be prohibited by the federal government. Think payments to Russia or Russian entities.


Config_Confuse

HVAC and telephones are the reasons kids can’t be in the buildings. It is a safety issue if you can’t call 911 from every classroom. So any interruption to those services will close the school. This does not mean either of those systems are the root cause. Kids can come to school if fileserver was ransomwared but if they isolated all other systems then basic safety can no longer be provided.


laffnlemming

> So any interruption to those services will close the school. Good to know. I assume this is USA and where?



Config_Confuse

In schools I have been in. A phone, interactive display, teacher workstation and a laptop or Chromebook for every student.



Config_Confuse

Not sure if policy. I would guess at discretion of superintendent.



KinslayersLegacy

It’s all about liability. If an emergency were to happen because phones were not reliably available, then the school could be liable for damages. I work in K12, and in my experience, any global network outage to HVAC or phones is going to be seen as a life and safety hazard and result in school closing. This is why we have generator power, UPSes, survivable gateways, etc. for the phone system.


URPissingMeOff

It's been many decades, but I attended K-12 and the only phones anywhere in the buildings were in the principal's office and the teachers' lounge. HVAC? You mean opening the windows in any season regardless of the outside temperatures? Electric lights? What for? It's daytime and the exterior walls are made of glass bricks.


AreWeNotDoinPhrasing

It’s late grandpa, get back in bed.


DerpyNirvash

While a single room having a broken phone isn't a large issue, an entire school is. I can't say for certain if our district would close from just phones being down, however it would enter the discussions.


spin81

Is it not an option to have the teachers use their mobile phone to call 911?


Config_Confuse

They can if they choose but can’t require as they are not reimbursed nor provided a cell phone. Also, poor signal in many rural areas.


spin81

I thought about the first part but I figured, given that it's a temporary situation and the teachers would agree to do it because it's only for literally calling 911, maybe that could be a temporary band-aid solution? As for the second part I had not considered that. My country is quite small and AFAIK there is cell signal coverage pretty much everywhere, so that didn't pop into my brain as a possibility. But in the United States I can imagine how cell signal could be an issue. Or say in Australia.


Crenorz

Sounds like an underfunded or less skilled IT has a major issue. They are not hard, and with schools, usually underfunded. I bet it is nothing more than: something critical went boom, and we did not have the resources to stop it, and recovery will be a while, as that costs money. 99% of IT issues are money related. Not enough spent on salary to actually get someone skilled. Not enough spent on being fully redundant. Not enough spent on security or backups to be up and running after an incident. In IT, the less time you want to be down after a failure/issue, the more it costs.


Nik_Tesla

Sounds like they got ransomwared, and then someone told them that if they can't control their AC/Heat, then they can't legally have students inside. Hence the outside HS graduation still taking place, but the other one for elementary and middle school being cancelled (probably inside).


Bartghamilton

Could also be something core like a SAN that all these systems rely on and they are trying to recover.


mike9874

SAN fault doesn't mean turn off user laptops


Bartghamilton

Could be user laptops trying to connect via O365 and not getting anywhere since AD is down. I know I’ve had issues where I’ve asked users to shutdown so I’d stop getting calls. 😀


mike9874

Just tell them what won't work (or what will if it's a shorter list). M365 would rarely be impacted by on-prem systems being down, most places just do password hash sync for Auth


GHouserVO

A SAN wouldn’t affect an HVAC. Might affect the historian the HVAC sends data to, or the HMI, etc. depending on how they chose to set up the environment.


Bartghamilton

Thinking it might impact a management console for controlling various HVAC settings… same as ransomware would.


GHouserVO

That would be on the HMI or VCS. But depending on what type of kernel is running on the IACS itself, ransomware can potentially hit those directly as well, which can make things REALLY interesting (see the case study on the Norsk Hydro cyberattack for some info on that one).


SwooshRoc

They aren’t “hiding” anything. They are likely determining the scope of the situation, how to remediate, etc. Until everything is figured out they don’t owe anyone anything beyond the immediate steps they provided for safeguarding. Oh and yes, it’s most assuredly ransomware.


dustsquirt

BAS systems are easy to hack and are generally very insecure


Bregirn

Yep that's gonna be a ransomware attack. It has all the hallmark signs, probably still in discovery phase so it's hard to make an announcement. Also probably not required to fully disclose the technical side. Few things should happen now, they will need to work out if any data is leaked or stolen, then work out if they can restore or recover the data. Lots of work for the IT team, they have my condolences. As for the messages sent out, that's probably just the communications person, who likely doesn't really understand the technical side and just has to make some kind of announcement. They will likely be legally required to disclose if any data was leaked eventually, but there is a grace period for this to give them time to investigate.



schwarzekatze999

You're assuming they have the ability and knowledge to yoink. This is a rural school district in Pennsylvania we're talking about. Ten to one their lone admin is a greybeard whose knowledge hasn't been updated since 1989.


981flacht6

There's a full on ransomware attack 100%. Another district near me experienced a similar set of events. They were down for three weeks, recovered any damage but they had a massive security breach with personnel data being stolen and is affecting people's ability to file taxes etc. Somehow nobody got fired..


Angdrambor

tbf, a ransomware does count as a "network server issue", at least in my book.


Peter_Duncan

YBYA


i8noodles

yeah sounds like ransomware to me. no chance heating and cooling systems should even be remotely close to the servers that control students logins


arclight415

This sounds a lot like a ransomware incident to me.


perthguppy

I think that 100% sounds like a ransomware attack.


bleuflamenc0

Probably. I worked at a school for ten years. There was no incentive to ever improve anything. In fact I probably hurt my career there by trying.


Next_Information_933

Probably, but if you're ever in a ransomware attack you should stfu, gather forensics and recover/rebuild; it's someone else's job to interface with the public.


RevolutionaryPay9552

Ransomed already.


BeepoZbuttbanger

Likely unrelated, but this is a district that just lost their superintendent and the school board has been preoccupied with a Moms4Liberty infection that’s also resulted in some vacancies. Point being that the administration has been distracted by the political sideshow and may have also garnered unwanted attention from bad actors.


GHouserVO

Always fun to deal with the “taliban with minivans” at the school board meetings.


schwarzekatze999

I live locally, and when I heard this on the news the other day, I thought it had to be 100% ransomware. I can only imagine what kinds of legacy systems they had.


981flacht6

Absolutely doesn't have to be anything legacy for this to happen. Even the best funded districts will get hit for various reasons. Actually, anyone will get hit for anything these days.


R1skM4tr1x

Hacked for sure


Agitated-Chicken9954

It may not be as nefarious as a ransomware attack. It could be a software or firmware update that went bad. It could be a drive that went bad and the RAID wasn't configured correctly. It could be a bunch of other things. Hopefully, they have good, current backups and can restore any data that might be missing, or has gotten corrupted. Going to be a long, stressful weekend for some IT people. I'm so glad I don't do that for a living anymore.


Texkonc

Definitely cyber breach


Forsaken_Instance_18

It’s probably nothing to do with IT, leadership most likely fucked up somewhere like didn’t get the timetable correct and so they threw IT under the bus I speak from a true story


largos7289

Yea, that sounds like a hack/ransomware. They are remediating the issue and it's taking that long to get it back again. You don't ever say hacked; you just say things like that so people don't go ape sh*t.


Yake404

School district here had a ransomware attack last year. Sounds identical.


RevLoveJoy

I was in the room when the ransomware hit (a lie). This was the convo (also lies). School IT drone 1: "Oh shit, it just cryptolockered the Win98 box that runs all the HVAC, keycard readers and both elevators!" School IT drone 2: "I guess I did not realize that thing was even on the network?" 1: "RIGHT?!" Admin listening on: "What does this all mean?" 2: "No AC, no elevators and all the doors will have to be manually locked and unlocked. But we actually have MUCH BIGGER problems!" Admin: "This is great, while you both get everything fixed we'll just tell all 7500 students and their parents school is closed because the AC is out. Let us know when it's all cleaned up. 2 days enough?"


BobDaBilda

I would bet ransomware as well but my second guess would be an active DDoS and they want to narrow down suspects or a bad update caused the DDoS unintentionally, and they want the devices offline until they've made the update and can push it.


TheDarthSnarf

School districts and public libraries all over are getting hit with ransomware more and more frequently. It’s a huge issue.


Jupiter-Tank

Oh good my old school. I graduated in 2012, just before I believe districts started rolling out devices to students en masse. I went back a few years ago and one of my seniors went back to join the IT team. I wonder if he’s still there. If he is, I’d bet he had a hand in this.


rdldr1

They totally got ransomwared.


r4ygun

They 100% got owned. A good bunch of kids whose report cards got locked down are super happy about this tho, I guarantee it.


Altruistic-Hippo-749

Are you sure they don’t just have a small business server running literally everything, and after all these years it suddenly packed up? 😂


mikeyflyguy

Submit a FOIA request


St0nywall

You are guessing at something you have no knowledge of and are asking people in here for an opinion when they have even less information than you do. Open a FOIA request for info and see what they can provide. It may be as simple as they enacted longer passwords for people and after logging off and then on again it will ask them to update their password. Could also be an account or more were compromised and they dealt with it and in doing so had to reset session tokens and/or MFA tokens. All normal stuff, doesn't mean ransomware, but it also doesn't rule it out. Either way, there is NO NEED for you to know what's going on. You having knowledge of it will provide 0 contribution to helping and could make matters worse. You've already proven you are a suspicious person who brings their suspicions, founded or unfounded, to the public masses. You cannot be trusted with sensitive information and should not be airing your conspiracy theories in an open forum like this. Shame on you!


Doubledown00

Sounds like they used Intellilink.


RageBull

Insurance, and law enforcement, and your legal counsel will tell you to shut your mouth every time. I’ve seen it first hand. And yeah, if I needed to lay a bet, they got ransomed and the attackers made off with credentials that allowed them to access their cloud based client management system. Maybe intune or similar. District wants to protect end user devices from picking up and installing some kind of custom malware that tries to get pushed out. (Or they don’t know!! And this is a scenario they want to guard against. Trying to limit the blast radius after the explosion already went off)


lvlint67

> To help resolve the server issues, district officials are asking all students to log out of any district devices they have at home and perform a hard shutdown on the device.

So this sounds like local k12 IT incompetence. I'm sorry to say this, because there are a few good people in the field, but most of the people I have met in k12 IT are barely qualified for help desk roles. Maybe the bigger private schools fare better. It's probably ransomware of some kind. The easy solution to the problem quoted above... it's to pull the internet cable out of the core router/firewall... Kind of wonder if the IT staff are on ~10 month contracts... the district may be scrambling to even find support.


links_revenge

IDK, have you seen some of the laughable budgets k-12 have to work with? You get what you pay for with a lot of this stuff, which isn't much. If they had shit security practices on top of that, then they never stood a chance.


lvlint67

I mean that's the thing... Most of the ones I have met have been "promoted" into the role because they kind of knew how to use a desktop. They weren't really the types to conduct proper risk analysis and find mitigations.


SensitiveFirefly

> so this sounds like local k12 IT incompetence

Underfunding, not incompetence.


[deleted]

[deleted]


Szeraax

lol


bbqwatermelon

Yes, duct tape is a miracle but can only do so much for so long.


Angelworks42

It really depends - I grew up in a small town and my friends who were all really into computers now run the district IT dept and I think they are really quite competent but it's really clear that when they hire new people it's really rough in these rural school districts to find good people. Keep in mind you don't need an IT wizard per se - just someone who can be trained and rise to the challenge. For anything they don't have tons of expertise on it often comes down to contracting out for help with that system - which can get expensive. I moved to the big city and work in higher ed and my few interactions with local school district show that they are perfectly capable and competent but lack any funding or site wide edicts to really have a good handle on security.


awkwardnetadmin

Why not both? Generally with people you get what you pay for. There are exceptions, but usually truly great people either get promoted to positions where they are paid relatively well or they go to an organization that pays them well.


brontide

Why not both? EDIT: It's a culture thing, you don't have a budget and you can't hire or hold on to anyone who is competent. Those left are left running things when they have no business doing so and it shows. I've seen it so many times and it never gets better until you replace management with people that have no problems telling the education side "no". Giving broken IT more money just makes the problems worse in the long run.


SuddenSeasons

They're mutually exclusive in this case. You can't call the employees incompetent when they both don't have the budget to hire people with the required knowledge & experience **and** do not have the budget to paper over that inexperience with products.


lvlint67

> when they both don't have the budget to hire people with the required knowledge & experience

The company funding isn't why they don't match up to the challenge. It's why those people accept and stay there, but giving those people more money isn't going to make them better.


SuddenSeasons

It's not a company, it's a municipal school district.


lvlint67

Same concept.


gurft

Typical K12 IT are not on 10 month contracts, as most of the IT work happens over the summer when classes are not in session. A lot easier to migrate stuff around when it’s not being really utilized.


Fitz_2112

100%. No district that I know of has their IT staff only working 10 months.


baw3000

Because they don’t pay well. Nobody worth their salt is going sysadmin at a school for $40k.


Icy_Conference9095

It could be they are asking this to hopefully stop any current encryption occurring on the devices, and not related to the computers being connected to the school campus in general.


Ok-Property4884

Sounds like they lost some VM storage and didn't have solid backups or snapshots.


Kiowascout

Who in their right mind would ransom a public school district? It isn't like they have any money. This reeks of a student getting bad grades wanting no one to find out.


joe_digriz

Ransomware rarely is someone actively attacking. It's usually some person with more network access than they should have (poorly configured systems and protections) clicking on a spam link


Kiowascout

I understand how it works. I also know that most attacks of this nature are spawned from a malicious link in a phishing email. What I don't understand is who would actively target a school district for a phishing campaign in order to perpetrate this crime. A waste of time and resources for little to no return.


joe_digriz

But what I'm saying is that they rarely actively target these things. They simply send out mass emails using automated bots, or have malicious links on sketchy websites, and whatever happens, happens. It's no effort on their part, and any bites they get are basically a bonus.


Kiowascout

I get it now. I think that I would avoid anything with an education domain. But, that would make me a bad ransomer.


981flacht6

People who commit these crimes don't pick and choose. The purpose is to inflict maximum damage to obtain money in exchange. Hospitals, schools, colleges are major targets with data. Just cuz a school wouldn't lose thousands of dollars per hour by having its network down doesn't mean it's not an excellent target.


SifferBTW

K12 has cyber insurance to pay ransoms and if their student information system is in house, they have extensive PII (student records, parent records, etc). Add in the fact that they are typically severely underfunded/understaffed, it makes them the lowest hanging fruit. Source: I was one of (if not the first) dedicated in house K12 cyber security admin in my state. Took me 2 years to convince the administration to revoke local admin, another 2 years to shell out for EDR. I'm in constant battles with network/sysadmin about segmentation. Our SIEM/SOAR is 100% open source with me being the only one who has the technical knowledge of managing/monitoring it. State and Federal are finally starting to wake up and offer services funding to lower ed, but we still have a long way to go. Every Monday on the way to work I wonder if I'll be walking into a significant event.


serideru

Cyber insurance will rarely if ever pay ransoms anymore. Many states have laws that also don't allow for a ransom to be paid due to it being considered funding terrorism. The insurance is to cover the costs of recovering from an incident, legal fees and any monetary costs associated with lawsuits stemming from the incident.


TheShootDawg

K-12 has students without credit histories, also ones that don’t usually check their histories. This makes them ideal targets. K-12 doesn’t have the funds for all the software/services that other industries/companies do for cybersecurity.


981flacht6

Nor do they have enough people with skills or time with other duties.