{
	"id": "c86f4dd7-2d92-4bd0-b14e-a16063dcc8df",
	"created_at": "2026-04-06T00:21:20.58433Z",
	"updated_at": "2026-04-10T03:20:25.953876Z",
	"deleted_at": null,
	"sha1_hash": "4892ec97e210f22ccf1a25628292e5d90e51dd33",
	"title": "Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105729,
	"plain_text": "Cyber Actors Target K-12 Distance Learning Education to Cause\r\nDisruptions and Steal Data | CISA\r\nPublished: 2020-12-10 · Archived: 2026-04-05 21:51:23 UTC\r\nSummary\r\nThis Joint Cybersecurity Advisory was coauthored by the Federal Bureau of Investigation (FBI), the\r\nCybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis\r\nCenter (MS-ISAC).\r\nThe FBI, CISA, and MS-ISAC assess malicious cyber actors are targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, the theft of data, and the disruption of distance\r\nlearning services. Cyber actors likely view schools as targets of opportunity, and these types of attacks are\r\nexpected to continue through the 2020/2021 academic year. These issues will be particularly challenging for K-12\r\nschools that face resource limitations; therefore, educational leadership, information technology personnel, and\r\nsecurity personnel will need to balance this risk when determining their cybersecurity investments.\r\nClick here for a PDF version of this report.\r\nTechnical Details\r\nAs of December 2020, the FBI, CISA, and MS-ISAC continue to receive reports from K-12 educational\r\ninstitutions about the disruption of distance learning efforts by cyber actors.\r\nRansomware\r\nThe FBI, CISA, and MS-ISAC have received numerous reports of ransomware attacks against K-12 educational\r\ninstitutions. In these attacks, malicious cyber actors target school computer systems, slowing access, and—in\r\nsome instances—rendering the systems inaccessible for basic functions, including distance learning. 
Adopting\r\ntactics previously leveraged against business and industry, ransomware actors have also stolen—and threatened to\r\nleak—confidential student data to the public unless institutions pay a ransom.\r\nAccording to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at\r\nthe beginning of the 2020 school year. In August and September, 57% of ransomware incidents reported to the\r\nMS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through\r\nJuly.\r\nThe five most common ransomware variants identified in incidents targeting K-12 schools between January and\r\nSeptember 2020—based on open source information as well as victim and third-party incident reports made to\r\nMS-ISAC—are Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil.\r\nMalware\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-345a\r\nPage 1 of 8\n\nFigure 1 identifies the top 10 malware strains that have affected state, local, tribal, and territorial (SLTT)\r\neducational institutions over the past year (up to and including September 2020). Note: These malware variants\r\nare purely opportunistic as they not only affect educational institutions but other organizations as well.\r\nZeuS and Shlayer are among the most prevalent malware affecting K-12 schools.\r\nZeuS is a Trojan with several variants that targets Microsoft Windows operating systems. Cyber actors use\r\nZeuS to infect target machines and send stolen information to command-and-control servers.\r\nShlayer is a Trojan downloader and dropper for MacOS malware. 
It is primarily distributed through\r\nmalicious websites, hijacked domains, and malicious advertising posing as a fake Adobe Flash updater.\r\nNote: Shlayer is the only malware of the top 10 that targets MacOS; the other 9 affect Microsoft Windows\r\noperating systems.\r\nFigure 1: Top 10 malware affecting SLTT educational institutions\r\nDistributed Denial-of-Service Attacks\r\nCyber actors are causing disruptions to K-12 educational institutions—including third-party services supporting\r\ndistance learning—with distributed denial-of-service (DDoS) attacks, which temporarily limit or prevent users\r\nfrom conducting daily operations. The availability of DDoS-for-hire services provides opportunities for any\r\nmotivated malicious cyber actor to conduct disruptive attacks regardless of experience level. Note: DDoS attacks\r\noverwhelm servers with a high level of internet traffic originating from many different sources, making it\r\nimpossible to mitigate at a single source.\r\nVideo Conference Disruptions\r\nNumerous reports received by the FBI, CISA, and MS-ISAC since March 2020 indicate uninvited users have\r\ndisrupted live video-conferenced classroom sessions. These disruptions have included verbally harassing students\r\nand teachers, displaying pornography and/or violent images, and doxing meeting attendees (Note: doxing is the\r\nact of compiling or publishing personal information about an individual on the internet, typically with malicious\r\nintent). 
To enter classroom sessions, uninvited users have been observed:\r\nUsing student names to trick hosts into accepting them into class sessions, and\r\nAccessing meetings from either publicly available links or links shared with outside users (e.g., students\r\nsharing links and/or passwords with friends).\r\nVideo conference sessions without proper control measures risk disruption or compromise of classroom\r\nconversations and exposure of sensitive information.\r\nAdditional Risks and Vulnerabilities\r\nIn addition to the recent reporting of distance learning disruptions received by the FBI, CISA, and MS-ISAC,\r\nmalicious cyber actors are expected to continue seeking opportunities to exploit the evolving remote learning\r\nenvironment.\r\nSocial Engineering\r\nCyber actors could apply social engineering methods against students, parents, faculty, IT personnel, or other\r\nindividuals involved in distance learning. Tactics, such as phishing, trick victims into revealing personal\r\ninformation (e.g., password or bank account information) or performing a task (e.g., clicking on a link). In such\r\nscenarios, a victim could receive what appears to be legitimate email that:\r\nRequests personally identifiable information (PII) (e.g., full name, birthdate, student ID),\r\nDirects the user to confirm a password or personal identification number (PIN),\r\nInstructs the recipient to visit a website that is compromised by the cyber actor, or\r\nContains an attachment with malware.\r\nCyber actors also register web domains that are similar to legitimate websites in an attempt to capture individuals\r\nwho mistype URLs or click on similar looking URLs. These types of attacks are referred to as domain spoofing or\r\nhomograph attacks. 
For example, a user wanting to access www.cottoncandyschool.edu could mistakenly click\r\non www.cottencandyschool.edu (changed “o” to an “e”) or www.cottoncandyschoo1.edu (changed letter\r\n“l” to a number “1”) (Note: this is a fictitious example to demonstrate how a user can mistakenly click and\r\naccess a website without noticing subtle changes in website URLs). Victims believe they are on a legitimate\r\nwebsite when, in reality, they are visiting a site controlled by a cyber actor.\r\nTechnology Vulnerabilities and Student Data\r\nWhether as collateral for ransomware attacks or to sell on the dark web, cyber actors may seek to exploit the data-rich environment of student information in schools and education technology (edtech) services. The need for\r\nschools to rapidly transition to distance learning likely contributed to cybersecurity gaps, leaving schools\r\nvulnerable to attack. In addition, educational institutions that have outsourced their distance learning tools may\r\nhave lost visibility into data security measures. Cyber actors could view the increased reliance on—and sharp\r\nusership growth in—these distance learning services and student data as lucrative targets.\r\nOpen/Exposed Ports\r\nThe FBI, CISA, and MS-ISAC frequently see malicious cyber actors exploiting exposed Remote Desktop\r\nProtocol (RDP) services to gain initial access to a network and, often, to manually deploy ransomware. For\r\nexample, cyber actors will attack ports 445 (Server Message Block [SMB]) and 3389 (RDP) to gain network\r\naccess. They are then positioned to move laterally throughout a network (often using SMB), escalate privileges,\r\naccess and exfiltrate sensitive information, harvest credentials, or deploy a wide variety of malware. 
This popular\r\nattack vector allows cyber actors to maintain a low profile, as they are using a legitimate network service that\r\nprovides them with the same functionality as any other remote user.\r\nEnd-of-Life Software\r\nEnd-of-Life (EOL) software is regularly exploited by cyber actors—often to gain initial access, deface websites,\r\nor further their reach in a network. Once a product reaches EOL, customers no longer receive security updates,\r\ntechnical support, or bug fixes. Unpatched and vulnerable servers are likely to be exploited by cyber actors,\r\nhindering an organization’s operational capacity.\r\nMitigations\r\nPlans and Policies\r\nThe FBI and CISA encourage educational providers to maintain business continuity plans—the practice of\r\nexecuting essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions.\r\nWithout planning, provision, and implementation of continuity principles, institutions may be unable to continue\r\nteaching and administrative operations. Evaluating continuity and capability will help identify potential\r\noperational gaps. Through identifying and addressing these gaps, institutions can establish a viable continuity\r\nprogram that will help keep them functioning during cyberattacks or other emergencies. 
The FBI and CISA\r\nsuggest K-12 educational institutions review or establish patching plans, security policies, user agreements, and\r\nbusiness continuity plans to ensure they address current threats posed by cyber actors.\r\nNetwork Best Practices\r\nPatch operating systems, software, and firmware as soon as manufacturers release updates.\r\nCheck configurations for every operating system version for educational institution-owned assets to\r\nprevent issues from arising that local users are unable to fix due to having local administration disabled.\r\nRegularly change passwords to network systems and accounts and avoid reusing passwords for different\r\naccounts.\r\nUse multi-factor authentication where possible.\r\nDisable unused remote access/RDP ports and monitor remote access/RDP logs.\r\nImplement application and remote access allow listing to only allow systems to execute programs known\r\nand permitted by the established security policy.\r\nAudit user accounts with administrative privileges and configure access controls with least privilege in\r\nmind.\r\nAudit logs to ensure new accounts are legitimate.\r\nScan for open or listening ports and mediate those that are not needed.\r\nIdentify critical assets such as student database servers and distance learning infrastructure; create backups\r\nof these systems and house the backups offline from the network.\r\nImplement network segmentation. Sensitive data should not reside on the same server and network\r\nsegment as the email environment.\r\nSet antivirus and anti-malware solutions to automatically update; conduct regular scans.\r\nUser Awareness Best Practices\r\nFocus on awareness and training. Because end users are targeted, make employees and students aware of\r\nthe threats—such as ransomware and phishing scams—and how they are delivered. 
Additionally, provide\r\nusers training on information security principles and techniques as well as overall emerging cybersecurity\r\nrisks and vulnerabilities.\r\nEnsure employees know who to contact when they see suspicious activity or when they believe they have\r\nbeen a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be\r\nemployed quickly and efficiently.\r\nMonitor privacy settings and information available on social networking sites.\r\nRansomware Best Practices\r\nThe FBI and CISA do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may\r\nalso embolden adversaries to target additional organizations, encourage other criminal actors to engage in the\r\ndistribution of ransomware, and/or fund illicit activities. However, regardless of whether your organization\r\ndecided to pay the ransom, the FBI urges you to report ransomware incidents to your local FBI field office. Doing\r\nso provides the FBI with the critical information they need to prevent future attacks by identifying and tracking\r\nransomware attackers and holding them accountable under U.S. 
law.\r\nIn addition to implementing the above network best practices, the FBI and CISA also recommend the following:\r\nRegularly back up data, air gap, and password protect backup copies offline.\r\nImplement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and\r\nservers in a physically separate, secure location.\r\nDenial-of-Service Best Practices\r\nConsider enrolling in a denial-of-service mitigation service that detects abnormal traffic flows and redirects\r\ntraffic away from your network.\r\nCreate a partnership with your local internet service provider (ISP) prior to an event and work with your\r\nISP to control network traffic attacking your network during an event.\r\nConfigure network firewalls to block unauthorized IP addresses and disable port forwarding.\r\nVideo-Conferencing Best Practices\r\nEnsure participants use the most updated version of remote access/meeting applications.\r\nRequire passwords for session access.\r\nEncourage students to avoid sharing passwords or meeting codes.\r\nEstablish a vetting process to identify participants as they arrive, such as a waiting room.\r\nEstablish policies to require participants to sign in using true names rather than aliases.\r\nEnsure only the host controls screensharing privileges.\r\nImplement a policy to prevent participants from entering rooms prior to host arrival and to prevent the host\r\nfrom exiting prior to the departure of all participants.\r\nEdtech Implementation Considerations\r\nWhen partnering with third-party and edtech services to support distance learning, educational institutions\r\nshould consider the following:\r\nThe service provider’s cybersecurity policies and response plan in the event of a breach and their\r\nremediation practices:\r\nHow did the service provider resolve past cyber incidents? 
How did their cybersecurity practices\r\nchange after these incidents?\r\nThe provider’s data security practices for their products and services (e.g., data encryption in transit and at\r\nrest, security audits, security training of staff, audit logs);\r\nThe provider’s data maintenance and storage practices (e.g., use of company servers, cloud storage, or\r\nthird-party services);\r\nTypes of student data the provider collects and tracks (e.g., PII, academic, disciplinary, medical, biometric,\r\nIP addresses);\r\nEntities to whom the provider will grant access to the student data (e.g., vendors);\r\nHow the provider will use student data (e.g., will they sell it to—or share it with—third parties for service\r\nenhancement, new product development, studies, marketing/advertising?);\r\nThe provider’s de-identification practices for student data; and\r\nThe provider’s policies on data retention and deletion.\r\nMalware Defense\r\nTable 1 identifies CISA-created Snort signatures, which have been successfully used to detect and defend against\r\nrelated attacks, for the malware variants listed below. 
Note: the listing is not fully comprehensive and should not\r\nbe used at the exclusion of other detection methods.\r\nTable 1: Malware signatures\r\nMalware Signature\r\nNanoCore\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"NANOCORE:HTTP GET URI contains 'FAD00979338'\"; sid:00000000; rev:1; flow:established,to_server; content:\"GET\"; http_method; content:\"getPluginName.php?PluginID=FAD00979338\"; fast_pattern; http_uri; classtype:http-uri; metadata:service http;)\r\nCerber\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"HTTP Client Header contains 'host|3a 20|polkiuj.top'\"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,\u003cunique_ID\u003e.tagged; content:\"host|3a 20|polkiuj.top|0d 0a|\"; http_header; fast_pattern:only; flowbits:set,\u003cunique_ID\u003e.tagged; tag:session,10,packets; classtype:http-header; metadata:service http;)\r\nKovter\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"Kovter:HTTP URI POST to CnC Server\"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,\u003cunique_ID\u003e.tagged; content:\"POST / HTTP/1.1\"; depth:15; content:\"Content-Type|3a 20|application/x-www-form-urlencoded\"; http_header; depth:47; fast_pattern; content:\"User-Agent|3a 20|Mozilla/\"; http_header; content:!\"LOADCURRENCY\"; nocase; content:!\"Accept\"; http_header; content:!\"Referer|3a|\"; http_header; content:!\"Cookie|3a|\"; nocase; http_header; pcre:\"/^(?:[A-Za-z0-9+\\/]{4})*(?:[A-Za-z0-9+\\/]{2}==|[A-Za-z0-9+\\/]{3}=|[A-Za-z0-9+\\/]{4})$/P\"; pcre:\"/User-Agent\\x3a[^\\r\\n]+\\r\\nHost\\x3a\\x20(?:\\d{1,3}\\.){3}\\d{1,3}\\r\\nContent-Length\\x3a\\x20[1-5][0-9]{2,3}\\r\\n(?:Cache-Control|Pragma)\\x3a[^\\r\\n]+\\r\\n(?:\\r\\n)?$/H\"; flowbits:set,\u003cunique_ID\u003e.tagged; tag:session,10,packets; classtype:nonstd-tcp; metadata:service http;)\r\nDridex\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"HTTP URI GET contains 'invoice_########.doc' (DRIDEX)\"; sid:00000000; rev:1; flow:established,to_server; content:\"invoice_\"; http_uri; fast_pattern:only; content:\".doc\"; nocase; distance:8; within:4; content:\"GET\"; nocase; http_method; classtype:http-uri; metadata:service http;)\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"HTTP Client Header contains 'Host|3a 20|tanevengledrep ru' (DRIDEX)\"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,\u003cunique_ID\u003e.tagged; content:\"Host|3a 20|tanevengledrep|2e|ru|0d 0a|\"; http_header; fast_pattern:only; flowbits:set,\u003cunique_ID\u003e.tagged; tag:session,10,packets; classtype:http-header; metadata:service http;)\r\nContact Information\r\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact\r\nyour local FBI field office at www.fbi.gov/contact-us/field. When available, please include the following\r\ninformation regarding the incident: date, time, and location of the incident; type of activity; number of people\r\naffected; type of equipment used for the activity; the name of the submitting organization; and a designated point\r\nof contact.\r\nTo request incident response resources or technical assistance related to these threats, contact CISA at\r\nCentral@cisa.gov.\r\nResources\r\nMS-ISAC membership is open to employees or representatives from all public K-12 education entities in the\r\nUnited States. The MS-ISAC provides multiple cybersecurity services and benefits to help K-12 education entities\r\nincrease their cybersecurity posture. To join, visit https://learn.cisecurity.org/ms-isac-registration.\r\nCISA Telework Guidance and Resources\r\nCISA Cybersecurity Recommendations and Tips for Schools Using Video Conferencing\r\nCISA Ransomware Publications\r\nCISA Emergency Services Sector Continuity Planning Suite\r\nCISA-MS-ISAC Joint Ransomware Guide\r\nCISA Tip: Avoiding Social Engineering and Phishing Attacks\r\nCISA Tip: Understanding Patches\r\nCISA and CYBER.ORG “Cyber Safety Video Series” for K-12 students and educators\r\nFBI PSA: “High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations”\r\nNote: contact your local FBI field office (www.fbi.gov/contact-us/field) for additional FBI products on\r\nransomware, edtech, and cybersecurity for educational institutions.\r\nRevisions\r\nInitial Version: December 10, 2020\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa20-345a"
	],
	"report_names": [
		"aa20-345a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434880,
	"ts_updated_at": 1775791225,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4892ec97e210f22ccf1a25628292e5d90e51dd33.pdf",
		"text": "https://archive.orkl.eu/4892ec97e210f22ccf1a25628292e5d90e51dd33.txt",
		"img": "https://archive.orkl.eu/4892ec97e210f22ccf1a25628292e5d90e51dd33.jpg"
	}
}