The US Federal Bureau of Investigation sent out on Tuesday a security alert to K12 schools about the increase in ransomware attacks during the coronavirus (COVID-19) pandemic, and especially about ransomware gangs that abuse RDP connections to break into school systems.
The alert, called a Private Industry Notification, or PIN, tells schools that "cyber actors are likely to increase targeting of K-12 schools during the COVID-19 pandemic because they represent an opportunistic target as more of these institutions transition to distance learning."
Schools are likely to open up their infrastructure for remote staff connections, which in many cases would mean create Remote Desktop Protocol (RDP) accounts on internal school systems.
Over the past two-three years, many ransomware gangs have utilized brute-force attacks or vulnerabilities in RDP to breach corporate networks and deploy file-encrypting ransomware.
However, while companies usually have resources for a professional security team to protect their remote access infrastructure and endpoints, the same is not true for K12 schools, the FBI said.
"K-12 institutions have limited resources to dedicate to network defense, leaving them vulnerable to cyber attacks," the FBI said.
Furthermore, the Bureau also touches on the increased number of ransomware gangs that now steal data from infected networks and threaten to publish it if schools don't pay, suggesting that such threats "may create an elevated urgency for schools to pay ransoms."
The FBI cited stats from antivirus company Emsisoft about the increase in attacks targeting K12 schools, saying that 1,233 were potentially targeted in 2019, with another 422 schools targeted in Q1 2020 alone. According to the K12 Cyber Incident Map, there were 867 known cyber-security incidents disclosed by US K12 schools since 2016, but only a fraction of those were ransomware.
In particular, the FBI warns about attacks involving the Ryuk ransomware, which the bureau said it observed in an increased number of attacks since September 2019, exploiting RDP endpoints as its initial point of entry.
The FBI PIN included a series of recommendations for K12 schools and their IT staff.
The PIN is the third ransomware-themed alert the bureau has sent this year. It previously sent two other alerts in May, one about the ProLock ransomware and another general alert about Ryuk.