District suffers ransomware attack
February 14, 2020
Los Altos is reeling from the effects of a district-wide ransomware attack. The malware locked teachers out of computers and Google accounts, encrypted files so they could no longer be opened, enabled fraudulent charges to credit cards and shut down the internet-based phone systems. The MVLA School District says that no student data was compromised.
“The attack is the latest in what has been an unfortunate trend of such attacks on school districts across the country,” Superintendent Nellie Meyer wrote in a letter to district families.
Ransomware is malware that encrypts a victim’s files and demands payment for the key needed to restore them. The district says it has not yet engaged with the attackers, does not know the size of the ransom being demanded and has not decided whether it will pay.
The district’s IT department is now working with a cybersecurity team from Kroll, a corporate investigations and risk consulting firm. This outside help is covered by a cyber-insurance policy the district has held for the past three years. The Kroll team will not remove the ransomware itself; rather, its specialists will analyze the attack so that the district can take preventative measures in the future. The district has not yet determined how it will remove the ransomware from affected machines.
“The first thing we learned from Kroll is that we are not to engage with the ransomware notes,” IT Director Bob Fishtrom said. “That is Kroll’s job. If we were to respond or validate the notes we have received, we’re on a timeframe to respond to the attackers.”
The IT department has deployed a tool called Carbon Black on machines and servers across the district. Carbon Black is endpoint detection and response (EDR) software: it watches what runs on each endpoint, can block known malware and records activity for later investigation. Endpoints are the devices that connect to a network, such as laptops, desktop computers, mobile phones and servers, and each one is a possible point of entry for attackers.
“Carbon Black protects the machine from any malware and also sends diagnostic and forensic information back to Kroll for further review,” Fishtrom said. “This will help us learn more about this cybersecurity incident—where it came from, what caused it, etcetera.”
The ransomware-response firm Coveware says there is no general method of recovering encrypted data without the key and decryptor held by the attackers, which are typically handed over only after the ransom is paid. Once the decryptor is received, it is relatively straightforward to use and has a high success rate. The alternative, which other districts have chosen, is to decline to pay and instead rebuild the affected systems, restoring data from backups the malware did not reach.
Currently, Fishtrom and the Kroll team think that no personal data from faculty members was compromised, although this has yet to be confirmed.
However, there are reports of teachers finding fraudulent charges to their personal Amazon accounts in late December of last year, some of which were linked to their school emails. These findings are still being investigated by the forensics team at Kroll, and have been neither confirmed nor denied.
The strain of ransomware that infected the district is known as Sodinokibi, also called REvil. According to cybersecurity expert Michael Fehl, Sodinokibi usually gets into a system through a phishing email containing a malicious link. The Kroll team is still investigating how the attackers gained access to MVLA’s network.
On the morning of the attack, the IT department sent out an email advising staff members what to do.
“Please do not click on any email attachments from senders unfamiliar to you,” the email read. “Do not respond to any messages indicating that your files have been encrypted, and do not click on any .txt file associated with a notification of this nature.”
The district appears to be following the standard playbook for responding to a ransomware attack. According to Fehl, the major steps are powering down and disconnecting systems so the malware cannot spread further, identifying which systems and data were breached, resetting user credentials that may have been exposed, wiping and rebuilding the affected systems, and producing a report on the nature and extent of the incident. (Responders often prefer isolating a machine from the network over powering it off, so that evidence held in memory survives for forensic analysis.) Of these steps, the district has done all but wipe the systems and produce the report.
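The “finding breached systems” step is the one that can be partly automated. As an added example, not from the original article, from Kroll or from the district, here is a Python triage script that takes a file inventory pulled from each host and flags hosts whose directories show mass-renamed files carrying one unfamiliar extension alongside a text file that looks like a ransom note. The ordinary-extension list, the note keywords and the embedded sample inventory are all constructed assumptions for illustration, not indicators for Sodinokibi or any other strain.

```python
import os
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# File types normally present on staff machines and file shares (assumption;
# a real deployment would tune this per site). An extension outside this set
# that suddenly dominates a directory is treated as ransomware-appended.
ORDINARY_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv",
                       ".jpg", ".png", ".zip", ".mp4"}

# Words that commonly appear in ransom-note file names (assumption, not a
# signature for any particular strain).
NOTE_KEYWORDS = ("readme", "decrypt", "recover", "restore")


@dataclass
class HostVerdict:
    host: str
    odd_extension: Optional[str]   # extension the malware appears to append
    hit_directories: List[str]     # directories with mass renaming plus a note
    ransom_notes: List[str]        # .txt files that look like ransom notes
    breached: bool


def extension(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def looks_like_ransom_note(name: str, odd_ext: Optional[str]) -> bool:
    """A .txt file named with a note keyword, or after the appended extension."""
    base, ext = os.path.splitext(name)
    if ext.lower() != ".txt":
        return False
    base = base.lower()
    if any(word in base for word in NOTE_KEYWORDS):
        return True
    return odd_ext is not None and base.startswith(odd_ext.lstrip("."))


def assess_host(host: str, paths: List[str], threshold: float = 0.5) -> HostVerdict:
    """Flag a host whose directories show mass renaming plus a ransom note."""
    names = [os.path.basename(p) for p in paths]
    # Ransomware appends one extension per victim, so the most common
    # non-ordinary extension across the host is the candidate.
    odd_counts = Counter(e for e in map(extension, names)
                         if e and e not in ORDINARY_EXTENSIONS)
    odd_ext = odd_counts.most_common(1)[0][0] if odd_counts else None

    notes = sorted(n for n in names if looks_like_ransom_note(n, odd_ext))

    by_dir: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        by_dir[os.path.dirname(p)].append(os.path.basename(p))

    hits = []
    if odd_ext is not None:
        for directory, files in sorted(by_dir.items()):
            note_here = any(looks_like_ransom_note(f, odd_ext) for f in files)
            data_files = [f for f in files if not looks_like_ransom_note(f, odd_ext)]
            renamed = sum(1 for f in data_files if extension(f) == odd_ext)
            # Ratio is taken per directory, not per host, so a share that was
            # only partly encrypted before the malware was stopped is still caught.
            if data_files and note_here and renamed / len(data_files) >= threshold:
                hits.append(directory)
    return HostVerdict(host, odd_ext, hits, notes, bool(hits))


def triage(inventory: Dict[str, List[str]]) -> Dict[str, HostVerdict]:
    return {host: assess_host(host, paths) for host, paths in inventory.items()}


# Constructed sample inventory (hypothetical hosts and paths, no real data).
SAMPLE_INVENTORY = {
    "staff-laptop-01": [
        "C:/Users/teacher/Documents/grades.xlsx.k7d9f",
        "C:/Users/teacher/Documents/lesson-plan.docx.k7d9f",
        "C:/Users/teacher/Documents/k7d9f-readme.txt",
        "C:/Users/teacher/Desktop/photo.jpg.k7d9f",
        "C:/Users/teacher/Desktop/k7d9f-readme.txt",
    ],
    "staff-laptop-02": [                      # clean host with an innocent readme
        "C:/Users/teacher2/Documents/syllabus.docx",
        "C:/Users/teacher2/Documents/roster.csv",
        "C:/Users/teacher2/Desktop/readme.txt",
        "C:/Users/teacher2/Desktop/notes.txt",
    ],
    "file-server-01": [                       # only one share was encrypted
        "D:/shares/admin/budget.xlsx.k7d9f",
        "D:/shares/admin/payroll.csv.k7d9f",
        "D:/shares/admin/k7d9f-readme.txt",
        "D:/shares/students/handbook.pdf",
        "D:/shares/students/calendar.docx",
        "D:/shares/it/inventory.csv",
        "D:/shares/it/backup.tar.gz",
    ],
}

if __name__ == "__main__":
    for verdict in triage(SAMPLE_INVENTORY).values():
        status = "BREACHED" if verdict.breached else "clean"
        print(f"{verdict.host}: {status} ext={verdict.odd_extension} "
              f"dirs={verdict.hit_directories} notes={verdict.ransom_notes}")
```

A lone readme.txt with no renamed files next to it is listed under ransom_notes for an analyst to look at but is not counted as a breach, and a single stray unfamiliar extension (the .gz archive on the file server) does not outvote the extension that the encrypted files share. The file-server case is the one a host-wide ratio would miss: only one share out of three was encrypted, so the per-directory check is what flags it.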
Fishtrom does not know when Kroll will complete the report, but he and his team continue to have daily check-ins with the investigators.
Similar ransomware attacks have recently been carried out against other school districts throughout the country. In California, Tulare Joint Union High School District (TJUHSD) and San Bernardino City Unified School District (SBCUSD) suffered from such attacks.
TJUHSD was hit by a ransomware attack in December 2019 that targeted administrative and financial accounts. According to TJUHSD Assistant Superintendent Lucy Van Scyoc, the infection began when staff members opened an email and accessed an infected PDF. The malware involved was Emotet, TrickBot and Ryuk, a common chain in which the first two establish a foothold on the network and the last encrypts the files.
“We did not pay the ransom,” Van Scyoc said. “However, this did affect our server space and our team did have to rebuild the affected servers.”
SBCUSD experienced an attack in October 2019 that targeted computer servers and, briefly, the phone system of one department. District Communications Officer Maria Garcia said that the response was intense because every computer had to be scanned for malware. SBCUSD is also a far larger district, with about 10,000 employees and 50,000 students; MVLA has around 400 employees and 4,400 students.
“Our Information Technology Department deployed staff around the clock to bring back the most ‘mission critical’ systems,” Garcia said. “Fortunately, student data is stored by an independent company and computer servers containing that information were not impacted because they are not part of the District’s network.”
According to Fishtrom, the MVLA student information system is hosted in the cloud rather than on a server at a district site. That separation may be part of the reason student data was not compromised: malware spreading across the district’s own network cannot reach a system that does not sit on it.
To prevent similar attacks in the future, Fishtrom plans to enforce multi-factor authentication on the district’s accounts and network, so that a stolen or phished password alone is not enough to log in. The IT department also plans to purchase and install endpoint protection such as Carbon Black on devices throughout the district. Finally, part of the solution is training users in safe practices for handling data and credentials.
“This is an opportune time for users to start understanding ‘best practices,’ such as not storing a password in your browser and having more sophisticated passwords in general,” Fishtrom said.