Ransomware Attacks on K12 Education are Spiking (Again)—Here’s How To Keep Your School District Safe

When it comes to cybersecurity, the last few years have been rough for Education. Hear expert insights on the top ransomware attacks facing K12 and Higher Ed—and how to avoid being the next victim.

When it comes to cybersecurity, the last few years have been rough for K12 and Higher Education. A recent report from Nord Security placed Education among the top five industries for data leaks, with more than 500 educational organizations experiencing data leaks since 2019. Another report from Comparitech also noted a significant rise in cyberattacks on the Education sector, recording 561 attacks on K12 institutions from 2018 to mid-September 2023. 

Indeed, recent years have seen an increase in the number of major data breaches that directly disrupted daily operations for entire school districts. In February of this year, the Los Angeles Unified School District revealed it had been the victim of a ransomware attack in September 2022, and reported that the personal information of at least 2,000 students was compromised and released on the dark web. Then, on March 7, 2023, the infamous Medusa ransomware group hit Minneapolis Public Schools, giving the district only 10 days to pay a $1 million ransom under threat that the group would leak the files if it was not paid. The ransom was not paid, and the group made good on its threat by releasing the stolen information on March 17, 2023. This was a massive leak, including records and data that allegedly dated as far back as 1995.

“While cyberattacks against the Education sector continue to rise, a significant number of them have been carried out by ransomware gangs,” says Mike Sanchez, UDT’s CISO & SVP Cybersecurity Solutions. “Even outside of Education, ransomware continues to be the ‘weapon of choice’ for cybercriminals. Ransomware-as-a-Service tools offered by organized crime groups have become even more widely available with advancements in technology, fueling a lucrative trillion-dollar industry (though a highly illegal one).” 

In this blog post, we draw on Mike’s expert insights and industry resources to examine the most common ransomware attack vectors in Education, along with practical tips to help K12 and Higher Ed organizations avoid becoming the next victims.

The Most Common Attack Vectors for Ransomware in Education 

Ransomware does not just appear by magic. For any cyberattack to succeed, it first needs a way in, an attack vector that allows bad actors to infiltrate the target system or network. Before you can understand how to avoid becoming a victim of ransomware, you first need to know the most common attack vectors that cybercriminals use to deliver it.

For K12 and Higher Ed, the following tend to be the most commonly used attack vectors for ransomware: 

1. Social Engineering. Social Engineering is an attack vector that often begins as a seemingly harmless email, a call from a friend or colleague, or a text message from a trusted individual or organization. These attacks often appeal to your emotions in order to win your trust.

    • For example, you might get a phone call from someone posing as “Jim from IT,” explaining that there is an issue with your computer, and he needs your help to provide him with remote access to your machine so he can fix it.

    • Or it might be a “new teacher” waiting at the door of the school, asking if you can let him in because he doesn’t have his access card yet (when in reality, he’s hoping to sneak in just long enough to insert a ransomware-loaded USB drive into an unattended computer).

2. Phishing & Spear-Phishing. Phishing and spear-phishing are similar to Social Engineering, but these popular attack vectors rely on distinctive tactics that deserve closer attention, which is why they are listed separately here:

    • Vishing. Also known as “voice-phishing,” this is a common tactic in which attackers use the telephone to solicit unsuspecting victims for personal details. For example, you might get an unsolicited call from someone posing as “Microsoft Support,” telling you your computer has been breached and that the caller needs you to download a file so he/she can fix it.
    • Smishing. These types of cyber-attacks are done via text/SMS messaging. Attackers send text messages designed to fool victims into either divulging private information, opening a malware-loaded file, or clicking a link that will either infect the victim’s phone with malware or send them to a fake site that asks for their login credentials. 
    • Social Media Phishing. Spurred by the widespread use of social media, this attack vector is increasingly common today. Many cybercriminals view social media as an easy way to learn personal information about people (names of children, pets, home addresses, etc.), as well as a channel to carry out phishing attacks aimed at stealing personal information or spreading malware. Some attacks are even used to hijack accounts to launch follow-up attacks on a victim’s connections or followers that allow them to take over even more accounts. 
    • Mass Phishing. This form of phishing could be called a “shotgun approach,” as it sends out hundreds or even thousands of phishing emails, SMS messages, or robocalls. It is not usually a targeted attack and works on the idea that at least a handful of people will carelessly click a link to a spoof site or open an attachment that is loaded with malware. After all, they don’t need everyone to fall for it—just one person is often enough. 
    • Spear-Phishing. Essentially, this is just a more targeted form of phishing in that it typically involves researching a specific target. This attack vector focuses on a specific victim or organization and is custom-tailored to them based on available information that helps the message, call, or email seem legitimate. Today’s spear-phishing attacks are often augmented with the use of Artificial Intelligence (AI) apps such as ChatGPT that help the content sound and appear more genuine while avoiding the tell-tale mistakes of spelling and grammatical errors. 
    • Whaling. This attack vector is a bit like “spear-phishing on steroids.” These custom-tailored and well-researched attacks focus on high-profile targets, such as District Superintendents and/or other leaders or executives at an organization. Cybercriminals will spend time researching the target, documenting their habits, schedule, professional associations, social media accounts, etc., and will then use this information to ensure their spear-phishing message or email has the best possible chance at success. 

3. Software/App Exploits. This attack vector involves bad actors exploiting known vulnerabilities in apps or software. They target systems that have not yet received the necessary updates, patches, or bug fixes, and then use these known exploits to deliver ransomware. This is part of why it is critical to always keep your systems up to date.

4. Stolen Credentials & Credential Stuffing. Cybercriminals can purchase stolen credentials on the dark web and use them to access a system in order to deliver ransomware. In a technique commonly called “credential stuffing,” bad actors take login credentials that were compromised in past data breaches and “stuff” them into the login windows of other accounts associated with the victim, betting that the same password was reused. This is another reason to use unique passwords and update them frequently.

5. Infected USB Drives. The FBI shared a warning about this attack vector back in January 2022, and there has been a resurgence of it in 2023. Cybercriminals mail out ransomware-loaded “free USB drives” (such thumb drives have become common “freebies” or “swag” gifts, which may be why some people don’t see the potential danger these little devices can pose). The hope is that someone will insert one into a personal or work/school computer. Another delivery tactic is to leave a few ransomware-infected USB drives in or around the office or campus so that someone might find and carelessly use them. This tactic is more successful than you might think: in fact, a malware-infected USB drive left on the ground near a military installation in the Middle East was responsible for a huge data breach of the Department of Defense back in 2008.
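The “stuffing” pattern described under item 4 has a recognizable footprint in authentication logs: one source address tries many different accounts, each usually only once, rather than hammering a single account. The following Python is an added example for a district IT team, not UDT’s code or any product’s output; the log line format, the sample lines, the IP addresses and usernames, and the thresholds are all constructed assumptions, so adapt the parser and the numbers to whatever your SSO or directory service actually records.

```python
"""Flag credential-stuffing activity in constructed authentication log lines.

Added example (not UDT's code). The log format below is an assumption:
    <ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one address cycles through six accounts in seconds
# (stuffing), one user mistypes then succeeds (normal), one clean login.
SAMPLE_LOG = """\
2023-09-18T08:00:01 203.0.113.7 jsmith LOGIN_FAIL
2023-09-18T08:00:02 203.0.113.7 mjones LOGIN_FAIL
2023-09-18T08:00:03 203.0.113.7 rlee LOGIN_FAIL
2023-09-18T08:00:04 203.0.113.7 akhan LOGIN_FAIL
2023-09-18T08:00:05 203.0.113.7 bwong LOGIN_FAIL
2023-09-18T08:00:06 203.0.113.7 cgarcia LOGIN_OK
2023-09-18T08:05:00 198.51.100.2 jsmith LOGIN_FAIL
2023-09-18T08:05:30 198.51.100.2 jsmith LOGIN_OK
2023-09-18T09:00:00 192.0.2.10 mjones LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


def parse_log(text):
    """Return a list of (timestamp, source_ip, username, succeeded) tuples.
    Malformed lines are skipped rather than crashing the scan."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: {"distinct_users": n, "successes": [usernames]}} for
    every source IP that attempted logins to at least `min_users` distinct
    accounts inside any `window`-long span. The breadth of accounts is the
    signal; a single account with many failures is brute force, not stuffing.
    `successes` lists accounts that actually opened, i.e. reused passwords
    that need an immediate reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        # Sliding window over this IP's time-ordered events.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_users and (
                best is None or len(users) > best["distinct_users"]
            ):
                best = {
                    "distinct_users": len(users),
                    "successes": sorted({u for _, u, ok in span if ok}),
                }
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried; "
              f"opened: {info['successes'] or 'none'}")
```

Running the block prints the one offending address with the account it managed to open; that account is the first reset on the response list, and the address is a candidate for blocking at the identity provider. The thresholds (five accounts in ten minutes) are deliberately conservative for a shared campus NAT, where many legitimate users can share one public address; tune them against a week of your own logs before alerting on them.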

How To Avoid Being Hit by Ransomware 

Now that we’ve covered the various methods used for ransomware delivery in Education, let’s review some tips to avoid falling victim to them. We’ve compiled some best practices in risk management to help your school district or campus prevent, and stay alert to, potential ransomware attacks:

  1. Exercise Caution. It goes without saying, but always exercise caution when receiving unexpected text messages, emails, or phone calls, even if they appear to be from a known source. Be especially skeptical of urgent requests for sensitive information or immediate actions.

  2. Verify the Source. Before responding or replying directly to any unexpected text message, email, or phone call—especially if the message is requesting sensitive information or actions—take a moment to verify the legitimacy of the sender. Never respond to the suspicious text message or email itself, and if it’s a phone call, hang up and call the person back by dialing their verified number. No matter what form the suspicious communication takes, reach out to confirm the request is genuine.

  3. Set Unique Passwords & Never Share Them. It is important to not only have strong, unique passwords, but also to keep them a secret. Never share your credentials. If you think a password has been compromised, change it. You might also consider adopting a password policy for your school district that establishes password requirements, forbids password sharing, and requires regular password updates.

  4. Never Trust an Unfamiliar USB Drive. This also goes for thumb drives that you’ve been given at an event or conference. Unless you bought it yourself, in a sealed package and from a reputable manufacturer, there is always a chance the drive contains malware.

  5. Use Anti-Spoofing Tools. Many cell phone carriers provide anti-spam and anti-spoofing apps. Consider downloading and installing a reliable app on your mobile devices to help identify and block suspicious messages or phone calls.

  6. Do Not Click Links. Avoid clicking on any links in unsolicited text messages or emails. These links could lead to malicious websites designed to steal your information, which could later be used to deliver ransomware.

  7. Don’t Download or Open Suspicious Attachments. Never open or download an attachment from an unexpected email, especially if the email frames it as urgent. As already mentioned, verify the source before you open or download the attachment.

  8. Keep Applications & Software Up to Date. Be sure to make time for software updates. Even though these reminders can sometimes interrupt your day, these updates are important and often contain security patches and bug fixes that close up exploits that could be leveraged by ransomware gangs.

  9. Educate to Bring Awareness. Familiarize yourself and all members of your school district or institution with common attack vectors. Train your users in cybersecurity best practices. The more awareness your organization has, the better equipped everyone will be to protect both themselves and your school district from ransomware.

  10. Report Suspicious Messages. If you receive a suspicious text message, email, or phone call, or think you may have accidentally clicked a malicious link or attachment, report it to your district’s IT or security team immediately so that proper action can be taken and further breaches prevented.

Keep Your School District Safe from Ransomware 

The threat of ransomware poses a significant risk to K12 school districts and other educational institutions, and it is likely to remain a significant risk for years to come. However, with vigilance and training, the Education sector can better equip itself to fight it.

When it comes to cybersecurity, sometimes there are just too many threats for any school district to handle on its own. UDT has been fulfilling the technology and cyber-risk requirements of K12 school districts across the country for nearly 30 years. We currently serve 7 of the 10 largest school districts in the United States—and we’re ready to serve your campus, too. Partner with us today and find out how we can help your school district with connectivity, cybersecurity tools, and other IT needs. 

Experiencing a security breach?

Get immediate assistance from our security operations center! Take the following recommended actions NOW while we get on the case:

  1. Determine which systems were impacted and immediately isolate them. Take the network offline at the switch level or physically unplug the systems from the wired or wireless network.
  2. Immediately take backups offline to preserve them. Scan backups with anti-virus and malware tools to ensure they’re not infected.
  3. Initiate an immediate password reset on affected user accounts with new passwords that are no less than 14 characters in length. Do this for Senior Management accounts as well.
