Los Angeles Unified School District recovering after Ransomware Attack
Over Labor Day weekend, the Los Angeles Unified School District (LAUSD) was hit with a ransomware attack that prompted a shutdown of the district’s computer systems in an effort to contain the effects of the malicious attack. The attack on the Los Angeles Unified School District, which is the second-largest district in the US, put officials on high alert. The school district is slowly moving back to capacity after the attack, but fears over lockouts from school management systems and unauthorized access to student data loom.
This is not the first time LAUSD computer systems have been attacked by ransomware, and it’s not the first warning they’ve received about it either. According to Alex Holden, CEO of Hold Security, the same systems avoided being hit with a similar attack in February of 2021.
Holden disclosed that Hold Security discovered a device on LAUSD’s systems that had been compromised by the TrickBot banking Trojan, which steals financial credentials from a targeted system, and can also be used to install more damaging malware such as ransomware.
LAUSD was notified of the 2021 intrusion through a third party, and was presumed to have taken action. Soon afterward, the compromised device disappeared from the TrickBot botnet. Holden described it as a “close call” for the school district, adding, “Unfortunately, this time it turned out differently.”
The Los Angeles Unified School District has more than 600,000 students, meaning the impact of the current attack could be huge. In a press release from the district on September 7th, they said that they were working towards full operational capacity, but they had encountered issues regaining access to systems.
“While the District’s ability to intercept the attack by deactivating all our systems was swift, decisive and prudent action to avoid a catastrophic breach, the recovery from the disruption has proven more challenging than initially anticipated,” LAUSD said in a statement. The statement continued, “Password resets have and remain Los Angeles Unified’s biggest challenge, as students and employees must complete resets at District sites.”
Despite password difficulties, LAUSD has managed to return many systems to operational states.
However, experts say that a full recovery from the attack is not something that will occur quickly. Jon Miller, CEO and co-founder of anti-ransomware platform Halcyon, said that even seemingly restored systems can still be vulnerable.
According to Miller, attackers often find targets using compromised login credentials, or by finding other ways to bypass security products installed on the network. In some cases, these techniques give hackers persistent access to networks even when a fix is attempted.
“Even if a victim has backups, they will need weeks and months of expensive recovery and incident response that must be completed to ensure the network is safe to run fully again,” he said.
LAUSD is one of the largest school districts in the nation, but it’s not alone in dealing with ransomware attacks. According to Doug Levin, who maintains a database of publicly disclosed cybersecurity incidents in schools, four other school ransomware incidents have taken place within a month of the LAUSD attack.
Levin points out that the factors that make schools vulnerable to attack range from resource constraints to a failure of school leadership to keep up with digital transformations in the learning environment. Policymakers can also be responsible for leaving schools to set their own standards for cyber preparedness.
“On the cybersecurity policy side, the needs of school districts for support have been largely overlooked,” Levin said.
In the aftermath of the attack on LAUSD, federal officials have warned that ransomware attacks on schools may increase.
In a joint cybersecurity advisory, the FBI, CISA and MS-ISAC warn that federal agencies have “observed … actors disproportionately targeting the education sector with ransomware attacks.”
School cyberattacks may increase in the 2022-2023 school year as ransomware groups see opportunities for successful attacks. According to the advisory, K-12 institutions are targets attackers like to focus on because of the amount of sensitive student data they handle.
Story via The Verge