Two years, two known ransomware attacks in Wisconsin schools: They may be more common than we know

MADISON, Wis. — When a ransomware attack in October locked Janesville School District students, staff and families out of various online programs, parent Neanda Annen said her initial reaction was to laugh, guessing that a student had attempted to keep their grades hidden.

But after the district notified families that they were in contact with the FBI and Department of Homeland Security, Annen recognized the severity of the situation.

“I thought, why would somebody want to get into a school’s Internet?” Annen said. “I hadn’t even thought about all the information that is available from the students and staff at first.”

The incident in Janesville is just one of many recent attacks on a nationwide scale. As of August, at least 58 U.S. school districts and educational organizations had been hit by ransomware attacks, including 830 individual schools this year, according to Emsisoft threat analyst Brett Callow. 

Experts say K-12 schools are now the leading target of ransomware attacks. In Wisconsin, however, the most recent reported ransomware attack after the Janesville incident was only in February 2020 after the Shorewood School District in Milwaukee County experienced a similar hack. 

Ransomware attacks occur when an attacker gains access to an individual or an organization’s data and important files, including social security numbers and other private information. In most cases, the attacker threatens to publish the information online if the victim does not pay a ransom.

The average ransom is about $50,000, but the largest attacks have gained as much as $1.4 million, according to CBS News.

Cyber attacks not required reporting in Wisconsin, many other states

UW-Madison Office Of Cybersecurity Assistant Director Tim Bohn said the number of ransomware attacks in 2021 is fairly consistent with previous years. However, there may be reasons to believe that Wisconsin schools have experienced more attacks than have been reported.

According to the Department of Public Instruction (DPI), when Wisconsin school districts are hit by a ransomware attack, they are not required to report these incidents either internally or publicly with parents and students, regardless of whether their information has been compromised.

Wisconsin is not unique in this situation. On a national level, most states are not required to collect data about ransomware attacks or share when they’ve occurred. The few states that are legally required to report these events often find loopholes to avoid it, according to the Daily Dot.

In Missouri, districts are required to report breaches of electronically stored student data to the Department of Elementary and Secondary Education. Yet, if student information is not published or stolen, the district does not have to report such an attack.

In Janesville, the district said in a Facebook post that no data had been accessed nor destroyed, and the school did not receive a ransom note indicating any demands. 

According to UW-Madison Cybersecurity analyst Bridget Bartell, schools are typically not encouraged to pay the ransom to the attacker.

“Paying a ransom is not usually recommended unless it’s a last resort,” Bartell said. “The best way is to have backups of your system and store it in a way that you’ve tested and are able to ensure that if this happens, they’re segmented somewhere else that the attacker can’t get to and also encrypt or steal.” 

Why schools are becoming more susceptible to attacks

Another reason why it’s likely that school districts are experiencing a higher level of ransomware attacks is due to the significant increase in virtual learning and online programs by schools during the pandemic. The increased use of online platforms has made more student and staff data more available to attackers, according to CBS News.

Using outdated technology also makes schools a vulnerable target to ransomware attacks, DPI Director for Inspection of Technology Services Dr. Annette Smith said.

In order to prevent these attacks from occurring, Smith said schools recommend a number of best practices to libraries and schools. 

“The things that we recommend our schools and libraries do is to make sure that they have secure passwords, up-to-date equipment, and really solid backups, including one that is offsite and disconnected from any of their networks,” Smith said. “So if something were to happen, they would be able to get into their backups and retrieve their data.”

Methods for avoiding cyberattacks

According to Smith, DPI offers annual training in partnership with the Wisconsin Educational Technology Leaders Association in order to prepare school districts for potential attacks. This year, the training will focus on data privacy and securing data.

“Every year we wrap it up with a tabletop exercise so districts can attend and practice their response plan,” Smith said. 

The state also offers a cybersecurity training program for students and staff, which includes simulated phishing attacks. Phishing is another type of cyberattack in which attackers pose as trusted websites or reputable services through email and attempt to steal information such as credit card numbers.

Smith said 33 Wisconsin school districts are currently using the state cybersecurity training program, while other districts may be using programs from other companies. 

UW-Madison Office of Cybersecurity Communications Director Mary Evansen said that one general way to avoid falling victim to cyberattacks is practicing awareness. 

According to Evansen, people should be aware that if an email message seems too good to be true, it often is. 

“If suddenly you’re the recipient of a $500 gift card if only you click on this link, it’s probably not real,” Evansen said.

Photojournalist Lance Heidt contributed to this report.