Cybercriminals closed some schools in America and Britain this week, preventing kindergarteners in Washington state from attending their first-ever school day and shutting down all internet-based systems for Biggin Hill-area students in England for the next three weeks.

On Sunday, Highline Public Schools, a Seattle-area school district that serves more than 17,000 students from pre-K through high school, alerted its parents and students that all schools, along with activities, athletics and meetings planned for Monday, had been canceled.

"We have detected unauthorized activity on our technology systems and have taken immediate action to isolate critical systems," according to a notice posted on the district's website. 

Upon finding the digital intruders on the network, the district called in third-party infosec experts, along with US federal and state law enforcement, to help restore the systems, we're told.

The school district operates 34 schools and employs more than 2,000 staff members across the Washington state communities of Burien, Des Moines, Normandy Park, SeaTac, and White Center.

"We understand this comes as an unexpected disruption, particularly on the eve of the first day of kindergarten for many of our families," the Sunday alert continued.  "We recognize the burden this decision places on both families and staff, but student safety is our top priority, and we cannot have school without these critical systems in place."

Highline has not specified which critical systems were affected by the intrusion, or if the shutdown is due to ransomware. The Register has asked for comment, and will report back once we hear from the district.  

No criminal group has claimed responsibility for the Highline breach, though the school closures follow a ransomware infection that snarled traffic at the Seattle-Tacoma International Airport in late August.

As of Wednesday, all 34 schools remain closed. They are expected to reopen for students in kindergarten through 12th grade on Thursday, September 12, while the first day of preschool is now slated for Monday, September 16.

On the other side of the pond

Meanwhile, in the UK, Charles Darwin School sent home a letter with all of its students on September 6, telling parents and caregivers that the "IT issues" it had been experiencing were "worse than hoped." In fact, they were due to a ransomware attack.

Charles Darwin has 1,320 secondary and sixth-form students in Bromley, England.

The Biggin Hill school would be closed between September 9 and September 11 as IT admins wiped all of the staff devices and teachers reorganized all of their lessons, according to headteacher Aston Smith. 

Internet, email, and other school systems will be knocked out for an estimated three weeks, he added. 

"We do not know at this point what data has been accessed, however we need to state there is the potential for all information held by the school to have been accessed," Smith wrote [PDF]. 

Black Suit, believed to be an offshoot of the now defunct Conti ransomware gang, has claimed to be behind the Charles Darwin School attack. In a post on the criminals' dark-web blog, they say they stole 200 GB of data, including user, business data, employee, student and financial information. 

Charles Darwin School did not immediately respond to The Register's inquiries about the ransomware infection.

The school reported the security breach to the UK Information Commissioner's Office, and is working with a cybersecurity company to conduct a forensic investigation.

Smith promised to update the community "regularly" as the investigation continues. 

"Unfortunately, cyber-attacks like this are happening more frequently despite having the latest security measures in place," he said. "Our understanding of our situation is that it is similar to what was experienced by the NHS, Transport for London, National Rail, other schools and public sector departments."

Tewkesbury Borough Council, in Gloucestershire, was also just hit with debilitating cyber-attack, taking systems and public services offline.

Council boss Alistair Cunningham said in a statement this week: "We have no evidence that data has left this organisation. Our systems are shut down as a precautionary measure. Further forensic work has been ongoing this weekend and we now believe the incident is contained within the infrastructure of our systems."

Over in the US, 108 K-12 school districts fell victim to ransomware attacks last year, according to Emsisoft's statistics.

'Reading between the lines' suggests ransomware

"There is no honor amongst the ransomware gangs attacking schools in Washington state and the UK," Semperis principal technologist Sean Deuby told The Register, adding that schools are more vulnerable targets because of their smaller IT budgets and fewer defensive resources. "Attacking just before the first day of school for young kindergartners demonstrates their amorality."

These attacks leads me to believe that the schools were hit by ransomware

While the Seattle-area district hasn't called the incident ransomware, "reading between the lines on these attacks leads me to believe that the schools were hit by ransomware," Deuby opined.

A recent report by the Active Directory security firm found 83 percent of responding orgs (Semperis surveyed 900 IT and security professionals in the UK, US, France, and Germany for the study) were targeted by ransomware criminals in the past 12 months [PDF]. Specific to education: 82 percent said they had been a target.

"Most schools today use Office 365 but still depend upon their on-premises identity system, Active Directory, for its users," Deuby said, adding that this makes exploiting Microsoft AD vulnerabilities more enticing to criminals. 

While there's "no silver bullet" to solve schools' security challenges, he suggests working with their IT providers to identify critical services "such as AD that are single points of failure." 

"If critical services go down, school stops, and the school buses don't roll," Deuby noted. "Have a plan for what to do. This doesn't have to be perfect but think now about what to do if email goes away or a teacher portal is locked." ®

https://www.theregister.com//2024/09/11/uk_us_school_ransomware/