Trojans, ransomware dominate 2018–2019 education threat landscape

Heading into the new school year, we know educational institutions have a lot to worry about. Teacher assignments. Syllabus development. Gathering supplies. Readying classrooms.

But one issue should be worrying school administrators and boards of education more than most: securing their networks against cybercrime.

In the 2018–2019 school year, education was the top target for Trojan malware, the most-detected (and therefore most pervasive) threat category for all businesses in 2018 and early 2019. Adware and ransomware were also particularly drawn to the education sector last year, finding it their first- and second-most desired target among industries, respectively.

To better analyze these threats, we pulled telemetry on educational institutions from our business products, as well as from IP ranges connecting from .edu domains to our consumer products. What we found was that from January to June 2019, adware, Trojans, and backdoors were the three most common threats for schools. In fact, 43 percent of all education detections were adware, while 25 percent were Trojans. Another 3 percent were backdoors.

So what does this tell us to expect for the 2019–2020 school year? For one, educational institutions must brace themselves for a continuing onslaught of cyberattacks, as the elements that made them attractive to criminals have not changed. However, more importantly, by examining trends in cybercrime and considering solutions to weaknesses that made them susceptible to attack, schools may be able to expel troublesome threat actors from their networks for good.

Why education?

Surely there are more profitable targets for cybercriminals than education. Technology and finance have exponentially bigger budgets that could be tapped into via large ransom demands. Healthcare operations and data are critical to patient care—loss of either could result in lost lives.

But cybercriminals are opportunistic: If they see an easy target ripe with valuable data, they are going to take advantage. Why spend the money and time developing custom code for sophisticated attack vectors when they can practically walk through an open door onto school networks?

There are several key factors that combine to make schools easy targets. The first is that most institutions belonging to the education sector—especially those in public education—struggle with funding. Therefore, the majority of their budget is deferred to core curriculum and not so much security. Hiring IT and security staff, training on best practices, and purchasing robust security tools and programs are often an afterthought.

The second is that the technological infrastructure of educational institutions is typically outdated and easily penetrated by cybercriminals. Legacy hardware and operating systems that are no longer supported with patches. Custom school software and learning management systems (LMSes) that are long overdue for updates. Wi-Fi routers that are operating on default passwords. Each of these make schools even more vulnerable to attack.

Adding insult to injury, school networks are at risk because students and staff connect from personal devices (which they may have jailbroken) both on-premises and at home. With a rotating roster of new students and sometimes personnel each year, there’s a larger and more open attack surface for criminals to infiltrate. In fact, we found that personal devices plugging into the school network (vs. school-owned devices) represented 1 in 3 compromises detected in H1 2019.

To complicate matters, students themselves often hack school software out of sheer boredom or run DDoS attacks so they can shut down the Internet and disrupt the school day. Each such intrusion widens the perimeter defenders have to cover, making it nearly impossible for those in education to protect their students and themselves from the cyberattacks that are sure to come.

And with such easy access, what, exactly, are criminals after? In a word: data. Schools collect and store valuable, sensitive data on their children and staff members, from allergies and learning disorders to grades and social security numbers. This information is highly sought-after by threat actors, who can use it to hold schools for ransom or to sell for high profit margins on the black market (data belonging to children typically garners a higher price).

School threats: a closer look

Adware represented the largest percentage of detections on school devices in H1 2019. Many of the families detected, such as SearchEncrypt, Spigot, and IronCore, advertise themselves as privacy-focused search engines, Minecraft plugins, or other legitimate teaching tools. Instead, they bombard users with pop-up ads, toolbars, and website redirects. While not as harmful as Trojans or ransomware, adware weakens an already feeble defense system.

Next up are Trojans, which took up one quarter of the threat detections on school endpoints in H1 2019. In 2018, Trojans were the talk of the town, and detections of this threat in organizations increased by 132 percent that year.

While still quite active in the first half of 2019, we saw Trojan detections decrease a bit over the summer, giving way to a landslide of ransomware attacks. In fact, ransomware attacks against organizations increased a shocking 365 percent from Q2 2018 to Q2 2019. Whether this is an indication of a switch in tactics as we head into the fall or a brief summer vacation from Trojans remains to be seen.

The top two families of Trojans in education are the same two that have been causing headaches for organizations worldwide: Emotet and TrickBot. Emotet leads Trojan detections in every industry, but has grown at an accelerated pace in education. In H1 2019, Emotet was the fifth-most predominant threat identified in schools, moving up from 11th position in 2018. Meanwhile TrickBot, Emotet’s bullying cousin, represents the single largest detection type in education among Trojans, pulling in nearly 6 percent of all identified compromises.

Emotet and TrickBot often work together in blended attacks on organizations, with Emotet functioning as a downloader and spam module, while TrickBot infiltrates the network and spreads laterally using stolen NSA exploits. Sometimes the buck stops there. Other times, TrickBot has one more trick up its sleeve: Ryuk ransomware.

Fortunately for schools but unfortunately for our studies, Malwarebytes stops these Emotet-drops-TrickBot-drops-Ryuk attacks much earlier in the chain, typically blocking Emotet or TrickBot with its real-time protection engine or anti-exploit technology. The attack never progresses to the Ryuk stage, but our guess is that many more of these potential breaches would have become troublesome ransomware infections for schools if they hadn’t had the proper security solutions in place.

Class of 2020 threats

The class of 2020 may have a whole lot of threats to contend with, as some districts are already grappling with back-to-school attacks, according to The New York Times. Trojans such as Emotet and TrickBot had wildly successful runs last year; expect them, or other multi-purpose malware like them, to make a comeback.

In addition, ransomware has already made waves for one school district in Houston County, Alabama, which delayed its return to classes by 12 days because of an attack. Whether it’s delivered via Trojan/blended attack or on its own, ransomware and other sophisticated threats can bring lessons to a halt if not dealt with swiftly.

In 2019, Malwarebytes assisted the East Irondequoit Central School District in New York during a critical Emotet outbreak that a legacy endpoint security provider failed to stop. Emotet ran rampant across the district’s endpoint environment, infecting 1,400 devices and impacting network operations. Thankfully Malwarebytes was able to isolate, remediate, and recover all infected endpoints in 20 days without completely disrupting the network for students or staff.

If school IT teams do their research, pitch smart security solutions to their boards for funding, and help students and staff adopt best practices for online hygiene, they can help make sure our educational institutions remain functional, safe places for students to learn.


Wendy Zamora

Editor-at-Large, Malwarebytes Labs

Writer, editor, and author specializing in security and tech. Content guru. Lover of meatballs.