He logged into his computer. A message popped up: “All your important files are encrypted!”
“I immediately freaked out,” said Mr. Brooks. “I got my team together and said we need to go and unplug every computer. We didn’t want the virus to spread any more.”
Mr. Brooks, who works in the 3,000-student Athens Independent School District, soon found himself corresponding with a cyber pirate who demanded money in return for freeing the district’s systems, which were full of personal and financial information. The district shared screenshots of the interactions with The Wall Street Journal, revealing a rare close-up look at the details of a ransomware attack.
“How would payment be made?” Mr. Brooks responded.
“BTC,” the hacker wrote, meaning bitcoin, which allows payment with no middlemen.
Schools around the U.S. are fighting a wave of increasingly aggressive ransomware attacks by hackers. The U.S. Treasury Department warned last month that ransomware attacks in general have increased during the coronavirus pandemic—and districts make an especially tempting target due to their often thinly staffed technology departments and networks full of personal data.
It’s a significant new source of stress in what’s already been a difficult year, with the pandemic forcing closures, a chaotic implementation of remote learning and complicated schedules.
Hackers have for years used ransomware, a type of malicious software, to lock up computers or files until the demanded sum was paid—but they generally left it at that for school districts. Now they are grabbing data such as addresses, phone numbers, Social Security numbers, grades and other sensitive student information to post online if payment isn’t made. The information can aid identity theft or be highly embarrassing for vulnerable young people.
“It is extortion,” said Elizabeth Clarke, spokeswoman for cybersecurity firm Armor Defense Inc. “The ransomware has gotten more heinous. To incite you to pay, they say, ‘Hey, we’ve got all the data, and we’ll be happy to post.’ ”
There is no official U.S. clearinghouse to track ransomware cases, but some cybersecurity firms, which track known incidents from news reports along with their own private cases, say they are seeing an increase in cases involving schools and colleges, which are now heavily reliant on online learning and technology to run their operations.
Based on searches of hackers’ sites on the dark web—a network of websites accessed through special software that gives users anonymity—as well as publicly known cases, the Journal has documented nearly three dozen ransomware attacks against school districts since the pandemic began in March.
That tally, affecting districts educating more than 700,000 students, doesn’t include numerous private schools, community colleges and universities that have also come under attack.
The figure underestimates the actual number of cases. Some districts switch to backup servers that escaped attacks or quietly pay ransom without ever making it public, reluctant to admit they were hacked and eager to move on, security experts say. Hackers often tell their victims not to call law enforcement.
Even those that have gone public often don’t reveal the amount of ransom paid. A tally of seven cases by the Journal found that school districts, colleges and universities have paid at least $2 million in the past 12 months, on top of the often burdensome costs of better securing their systems. Ransom amounts in those cases ranged from $35,000 to $1.14 million.
Average ransom payments across all industries have climbed in recent years, to $233,817 in the third quarter of this year from $41,198 a year earlier, according to cybersecurity firm Coveware Inc.
Security experts say that many ransomware hackers operate outside of the U.S. and are hard to capture.
On their own
Districts are often on their own when it comes to figuring out how to deal with hackers or how to keep their systems safe. In an October letter, U.S. Senators Jacky Rosen and Catherine Cortez Masto, both Nevada Democrats, asked U.S. Department of Education Secretary Betsy DeVos and Homeland Security Acting Secretary Chad Wolf to address ransomware attacks against schools and districts.
The letter cited an article in September by the Journal that revealed that hackers published student grades, employee Social Security numbers and other sensitive data from the 320,000-student Clark County School District in Las Vegas when a ransom wasn’t paid.
An attack in Ohio’s Toledo Public Schools has been especially egregious. Information posted on the hacker’s website in October includes Social Security numbers and dates of birth for students and employees, disciplinary and disability information on students, employee evaluations and exam grades. It included the identities of an eighth-grader listed as emotionally disturbed, a ninth-grader suspended for sexual activity and a roster of foster children.
As with other attacks, the hackers posted the data on the dark web.
Toledo parent Krista Wilcox is mad that her 8-year-old son could have his identity compromised, and that she found out about the release of information from media reports instead of from the district.
“My information is out there, and they could contact me,” she said. “How do I know it’s not child traffickers? I feel betrayed by the school system.”
Toledo Public Schools said in a written statement that the 23,000-student district reached out to the Federal Bureau of Investigation and contacted cybersecurity experts to determine the scope of the attack. The district is encouraging parents and guardians to monitor credit reports.
Hackers often negotiate with their victims. The Sheldon Independent School District in Houston, Texas, paid a ransom of $206,931, negotiated down from about $350,000, after an attack in March.
After payment, the 10,000-student district couldn’t recover about 10% of its files—not an unusual amount to lose in ransomware cases, security experts say. Administrators fear the hacker kept some of the district’s data, prompting them to notify parents and employees of the possibility.
Sheldon officials believe the hackers got into their system through a phishing email, meaning someone opened an email that had an attachment or link to malicious software. Hackers also gain entry by exploiting weak cybersecurity controls or by using users’ login information.
School districts have a steady stream of revenue in the form of tax dollars, and their reserve funds are typically open to public view.
“High revenue and low cyber security is basically an open invitation,” said a person reached through the SunCrypt hacker’s site who identified as a member of the group in a typed chat interview with the Journal on the dark web.
SunCrypt recently hacked Haywood County Schools in Waynesville, N.C., and began posting data from the district in late August. The 7,100-student district said it called in law enforcement, but declined to comment further due to a continuing federal investigation.
The person identifying as a SunCrypt member said the group asked for about $500,000 from the district—about 17% of the district’s $2.9 million general reserve fund in June.
The first information released from Haywood included administrative files, such as an employee cellphone directory and a listing of students with absences. The first dump usually contains the least sensitive information, often used as proof of the theft or a warning to pay, experts say.
The person identifying as a SunCrypt member said the group doesn’t have plans to post any more information from Haywood, saying its scouts had mistakenly thought it was a private college. They said the group has provided some entities with a “Covid-19 discount” and ended negotiations with Haywood when the district involved a third party—in this case, law enforcement.
In Athens, the hacker locked the district’s roughly 30 servers, along with backup servers, and infected hundreds of computers connected to the network, Mr. Brooks said. The attack halted student registration six days before the start of the new school year.
In the initial pop-up message, the hacker provided a link and instructions for entering the dark web. Mr. Brooks brought in help from Brent Goerner, a technology specialist at the district’s regional education service center—an organization established by the state to provide a range of support services.
Mr. Brooks followed the hacker’s instructions the next day, ending up at a chat window.
“how many pc do you need decrypted?” the hacker asked. Mr. Brooks took the question to mean: How many servers and computers would need to be unlocked by a decryption key that the hackers would give him upon receipt of payment?
Before he could respond, the hacker said, “I want for everything pc 50 000$.”
Mr. Brooks planned to negotiate the figure, but before he could start, the hacker let him know it held the decryption key for more than 200 district devices.
“see I have a very big list of keys,” the hacker said in the chat. “more than 200 pc.”
“what about if we only needed 20 PC,” Mr. Brooks asked, thinking that the district might need decryption keys for only certain servers—mainly for a critical one holding student and financial data.
“then 1 PC - 1000$,” the hacker responded.
“ok, I need to discuss with my boss,” Mr. Brooks wrote.
The hacker also told Mr. Brooks not to call police.
“they won’t let you pay and won’t help you decrypt files,” the hacker said in the chat. “and you’ll lose data for always.”
Mr. Brooks replied: “we are not talking to the police. I just need to see how we can come up with the money…We are working with you and want to decrypt our data.”
He added: “how do we know our files will not be re-encrypted once we pay you?”
The hacker said: “Yes. I’m going to remove you…and tell you where to close the holes through that we’ve penetrated.”
It’s not unusual for hackers to offer such security reports to paying victims, telling them how they got hacked. Some cybersecurity experts question the accuracy of such reports and discourage victims from paying.
“If the flow of money stops, the attacks will stop,” said Brett Callow, a threat analyst at cybersecurity firm Emsisoft, which also creates decryption tools to unlock files. “The alternative is that cybercriminals will continue to become better resourced, more motivated. It’s a vicious cycle.”
In June, the University of California, San Francisco paid a $1.14 million ransom to a hacker. The university said in a written statement that it made the decision to pay because the hacker encrypted data for important academic work, including research.
Hackers have about a 97% rate of delivering a decryption tool to victims once the ransom is paid, Coveware found. But the company recently reported that some hackers held on to data after payment, possibly selling it to other hackers or using it to re-extort the victim.
The FBI, which encourages victims to reach out to their local FBI field office, doesn’t support paying a ransom as it can embolden hackers to target others, but says it understands that organizations faced with an inability to function will evaluate all options to protect employees and customers.
A lone technology director oversees operations in the 1,250-student North Tippah School District in rural Tiplersville, Miss., which got hacked in August. “There’s not too many people I had to talk to, to say, ‘What do we do from here?’ ” said Superintendent Scott Smith, who added that the district paid no ransom but declined to say more as the matter is still being addressed.
Hackers can be in victims’ systems days or weeks, giving them time to take data before deploying ransomware, according to Emsisoft. Once they do take over, they treat it like a financial transaction, with some even referring to victims as clients.
“…it’s business,” the hacker told Mr. Brooks at the end of their conversation.
“perfect. understand,” Mr. Brooks said.
In an emergency meeting, the Athens school board approved paying $50,000 in ransom the day after the attack. The board also pushed back the new school year by a week due to the hacking. Some community members didn’t like having to pay off a hacker, but the district said it had little choice.
“No one wants to do this. It feels awful,” Athens superintendent Janie Sims said. “But it could be worse if we didn’t pay. School possibly could have been delayed many weeks. We felt we had to.”
Mr. Brooks blamed himself. “I felt like a complete and total failure,” he said. He isn’t certain how the hacker got in but believes a vendor doing work on a server left a meeting app open, giving the hacker a way into the system.
Two days after the attack, Mr. Brooks, on little sleep, placed a late-night call to Dr. Sims. He’d made a big discovery—a copy of a backup server held the data from the compromised critical server.
“I jumped up out of my chair,” Mr. Brooks said. “I was screaming, ‘Yes, yes!’”
He broke off communications with the hacker, who hadn’t mentioned posting any of the school’s data.
Mr. Brooks said engineers found no indication that information had been stolen—it looked like the hacker had just locked the servers without ever taking any data. Computer hard drives were wiped and reinstalled.
The district paid no ransom.