Cyberattack Hits Los Angeles School District

A ransomware attack on the massive Los Angeles school district prompted an unprecedented shutdown of its computer systems, as schools become increasingly vulnerable to cyber breaches at the start of the school year.

Source: NPR | Published on September 7, 2022


The Los Angeles Unified School District attack sounded alarms across the country, from urgent talks with the White House and the National Security Council after the first signs of ransomware were discovered late Saturday night to mandated password changes for 540,000 students and 70,000 district employees.

Although the attack used ransomware, malware that encrypts data and withholds the decryption key until a ransom is paid, the district's superintendent said no immediate demand for money had been made, and schools in the nation's second-largest district reopened on Tuesday as scheduled.

Such attacks have become a growing threat to US schools, whose reliance on technology deepened during the pandemic, with several high-profile incidents reported since last year. Ransomware gangs have in the past timed major attacks for US holiday weekends, when they know IT staffing will be thin and security staff will be off duty.

While it is unclear when the LA attack began — officials have only stated when it was detected, and a district spokesperson declined to answer further questions — the discovery on Saturday night reached the highest levels of the federal government's cybersecurity agencies.

This pattern of support, according to a senior administration official, was consistent with the Biden administration's efforts to provide maximum assistance to critical industries affected by such breaches.

The official, who spoke on the condition of anonymity to discuss the federal response, stated that the school district did not pay the ransom, but would not go into detail about what was potentially stolen or damaged, or what systems were affected by the breach.

The White House's reaction to the incursion in Los Angeles reflects a growing national security concern: According to a recent Pew Research Center poll, 71% of Americans believe cyberattacks from other countries pose a significant threat to the United States.

Authorities believe the LA attack was international in scope and have identified three countries from which it could have originated, though LA Superintendent Alberto Carvalho declined to say which. Most ransomware criminals are Russian speakers who operate independently of the Kremlin.

The ransomware used was not identified by LA officials.

"This was a cowardly act," said Nick Melvoin, vice president of the school board. "A criminal act against children, teachers, and the educational system."

According to Brett Callow, a ransomware analyst at the cybersecurity firm Emsisoft, 26 U.S. school districts, including Los Angeles, and 24 colleges and universities have been hit by ransomware this year.

With victims increasingly refusing to pay to have their data unlocked, many cybercriminals are instead stealing sensitive information and demanding extortion payments. If the victim does not pay, the data is uploaded to the internet.

Callow said that at least 31 of the schools targeted this year had data stolen and released online, and that eight of the school districts were hit since August 1. The timing, as students return from summer vacation, is almost certainly not coincidental, he said.

"It is the number one threat to our safety," said Los Angeles Police Chief Michel Moore. "It is an impenetrable foe who never sleeps."

Tireless, and expensive even when no ransom is demanded. In January, Albuquerque's largest school district was forced to close schools for two days after a ransomware extortion attack, and Baltimore City's recovery from a 2019 ransomware attack on its servers cost upwards of $18 million.

The LA attack was discovered around 10:30 p.m. Saturday when staff noticed "unusual activity," according to Carvalho. The intruders appear to have targeted the facilities systems, which hold information about payments to private-sector contractors, data that is already publicly available through records requests, rather than confidential payroll, health, and similar data.

He said district IT staff detected the malware and stopped it from spreading, but only after it had reached key network systems, which is why password resets were required for all staff and students.

Authorities rushed to find the intruders and limit any potential damage.

"We basically shut down every one of our systems," Carvalho said, adding that each had been checked and that all but one — the facilities system — had been restarted by late Monday night, when the district first informed the public of the hit.

Separately, federal authorities issued a warning about ransomware attacks by the criminal syndicate known as Vice Society, which the advisory said has disproportionately targeted the education sector.

Authorities have not stated whether they believe Vice Society is responsible for the Los Angeles attack, and the group did not respond to a request for comment on Tuesday.

"The fact that a joint cybersecurity advisory relating to Vice Society was issued within days of the LAUSD attack being discovered may be telling, especially given that this gang has frequently targeted the education sector in both the United States and the United Kingdom," Callow, the ransomware expert, said.

According to security researchers, Vice Society first appeared in May 2021 and, rather than developing its own variant, uses ransomware widely available in the Russian-speaking underground. Vice Society has named the Elmbrook School District in Wisconsin and the Savannah College of Art and Design among its victims.

Ransomware gangs routinely disband after high-profile attacks such as last year's Colonial Pipeline incident, which triggered runs on gas stations, and their members then regroup under new names.

While officials in Los Angeles were under pressure to cancel classes on Tuesday, they ultimately decided to keep them open.

Carvalho believes there could have been "catastrophic" consequences if the activity had not been discovered on Saturday night.

"If we had lost the ability to operate our school buses, over 40,000 of our students would not have been able to get to school, or the system would have been severely disrupted," he explained.

The district intends to conduct a forensic investigation into the attack to determine what can be done to prevent future incursions.

"Every teacher, every employee, every student can be a weak point," said Soheil Katal, chief information officer for the district.