Skip To Content

LockBit 3.0 Ransomware Targets Schools

News Update

Risk Alert

A recent Texas Department of Information Resources (DIR) bulletin noted a significant increase in ransomware attacks against school districts and other local government entities. These attacks are associated with a ransomware variant called LockBit 3.0. LockBit has been a major player in the ransomware universe since late 2019. Like most ransomware, LockBit has evolved to include “double extortion.”

Double Extortion Raises the Stakes

Ransomware attacks have traditionally focused on denying an organization access to its critical files. When employees tried to access a shared drive or a saved file, they found the information encrypted, or locked. Cybercriminals would then demand a ransom for the decryption key to regain access to those files.

As organizations realized that viable, off-site, or offline backups go a long way in protecting against ransomware, hackers adapted. Now, they not only encrypt your critical files but also steal that data and threaten to leak it on the internet and social media. Basically, they threaten to destroy an organization’s reputation as a trusted steward of sensitive data. 

How LockBit Ransomware Works

Like many of its ransomware predecessors, LockBit constantly evolves to stay effective. The current version—LockBit 3.0—includes double extortion in its attack strategy. It’s also easy to access in the form of Malware as a Service (MAAS).

MAAS is popular among hackers who lack the skills to create malware or launch malware attacks. They can simply visit the Dark Web and pay a fee. From there, an expert will deploy LockBit onto your network for them.

Prevention Measures

Ransomware has evolved to include threats beyond encrypting files, so backups aren’t the universal solution they once were. So, how can districts protect against the increasingly dangerous LockBit 3.0 variant? DIR suggests these preventative measures.

Invest in Multi-Factor Authentication (MFA)

For a ransomware attack to succeed, it must first penetrate your network. Implementing MFA can go a long way toward protecting your network and your users from criminals. MFA is simple. 

It requires you to enter more than just your basic password to access the network. It could be something you have (a token or code-generating keychain), something you know (a secondary password or security question), or something you are (biometric dongles or fingerprint scanners). MFA is also inexpensive. Your district’s operating system likely has an MFA option that just needs to be activated and correctly configured.

Use Passphrases

Traditional password recommendations called for a variety of alphanumeric passwords with alternating uppercase and lowercase letters as well as special characters. Security researchers have since found that password length is more important than character variety. Experts now recommend long “passphrases.” These could be full sentences with a special meaning to each user that are easy to remember and difficult to break.

Limit Administrative Privileges

Too often, more users have administrative privilege (permission) in a network than should, and privilege escalation is the first thing malicious actors want to achieve when they penetrate a network. When IT staff needs to make a repair, install new software, or deliver other support to a user, it is convenient to grant local administrative privilege. That privilege often remains long after it should. 

Administrators need to frequently audit their network to determine who has local, system, or global administrative privilege. Those who do not need that privilege should be reset to normal user status immediately. If many of your base users have privileged access, criminals’ job is that much easier.

Don’t Be an Easy Target

Ransomware, like other malicious software, will continue to evolve its methods and enhance its sophistication. There is no sure-fire way to protect your system, but data shows that criminals prefer easy targets. If you follow these recommendations, you can strengthen your defenses and make your organization a less-attractive mark.

Remember that humans are often cybercriminals’ first target. A cybersecurity awareness training program will improve your staff’s ability to recognize a potential attack.

Any organization can use these free cybersecurity resources published by federal and state entities. Fund members with Cybersecurity coverage have access to our 60-minute, on-demand webinar: Don’t Let Criminals Hold Your Network Hostage (login required).

Have Cybersecurity Questions?

Members with Privacy and Information Security coverage can request training and support from our Privacy and Cyber Risk Consultant Lucas Anderson at 800-482-7276, x2893 or

Lucas Anderson headshot
Lucas Anderson
Privacy and Cyber Risk Consultant

Lucas Anderson joined TASB Risk Management Services in 2019, bringing more than a decade of experience in cybersecurity, network administration, and information technology. He advises districts on preemptive mitigation against ongoing and emerging cybercriminal threats targeting the education sector, as well as cybersecurity-related regulatory compliance. 

Over his career, Anderson has supported public and private organizations, including Booz Allen Hamilton, the White House Office of Management and Budget, the Department of Defense, and the Texas Association of Counties. 

Get the Inside Scoop

Want to receive our newsletter and training emails? Sign up to get the latest risk management information that will help you succeed.