How hackers held a district hostage for almost $10,000

“Every student in grades 5-12 has a device that’s issued to that individual for use all day, every day,” says Hucks, “and all teachers have laptops, iPads, and/or a Windows tablets for use in instruction. When we shut everything down—including our Wi-Fi and Internet access—it pretty much turned those devices into standalone pieces of equipment.”

Coming to a standstill

With all of its systems shut down, Hucks says HCS tried to pinpoint the culprit and keep it from spreading any further. By “Day One,” he says most of the district’s authentication servers and Internet access was restored across all 53 schools. “Teachers and students could at least log into the network and get online at that point,” says Hucks. With much of their instructional-based content stored in the cloud, teachers and students were able to log in, connect to the network, and use their devices for content creation, collaboration, and the consumption of digital content.

Hucks says restoring the data that teachers and students had stored on the network took more time. Word documents, PowerPoint files, Photoshop files, and other important content was stored on file servers at each of HCS’ schools and then backed up centrally. “It took a significant amount of time to restore everything from the central backup and out to all of our schools,” says Hucks. The district’s student information system (SIS) and its finance/accounting/HR system both took a few days to restore.

But that’s not the end of the story. There was still a matter of paying the ransom for the key to the rest of the encrypted data. “We had our wireless network and our authentication back up within a day, but the distributed systems that have high amounts of data—primarily our file servers and the security camera servers that are present at each school—were also hit and encrypted,” says Hucks. “For those servers, we knew that paying the ransom would get those files back and available to our end users much more quickly than restoring them from backup.”

The district decided to pay the ransom after weighing out the amount of time it would take to restore access to the files on its own, and the amount of time users would have to wait to gain access to their files. “We’re a large district with an $800 million budget, so paying $8,000 or so to get teachers’ and students’ data back in their hands quickly was a business decision,” says Hucks. “When you consider that you only have students in class 180 days out of the year, paying that sum to get everything back online quickly seems like the right thing to do.”

Jonathan Levine, CTO at Intermedia in Mountain View, Calif., says that most ransomware attacks use either email or websites to infect their “hosts.” Someone may unknowingly visit a compromised website and download the malicious code through JavaScript, for example, or double click an email with an infected attachment. And because the damage can be inflicted remotely—and the money transfer handled using mechanisms like Bitcoin—locating and prosecuting the criminals is nearly impossible.

“It’s a perfect strategy for international criminals,” says Levine, who adds that K-12 institutions could be vulnerable to ransomware because many use older equipment and operating systems. “If you’re still using Windows XP or OS Leopard—neither of which are updated by their developers—you’re probably missing out on a lot of security patches,” says Levine. “This can make your systems more susceptible to ransomware.”

‘You may miss one’

With the HCS’ ransomware attack squarely in his rear-view mirror, Hucks says his district has begun looking more carefully at areas that hackers could potentially breach. Systems like the one used by HCP’s facilities department—which only contained historical data but wasn’t being maintained or supported by its vendor—have since been reserved for internal Internet use only (versus public access). “We kept up the server,” he explains, “but had we made that server internal-only earlier, it would have prevented this attack.”

To other K-12 technology professionals worried about potential ransomware attacks, Hucks says the best defense is to be aware of both internal and external threats and ensure that any network device or server that’s accessible from the public could be a potential breach point.

“The security experts tell us to patch our systems and do our backups, and that’s good advice,” says Hucks, “but when you’re in an organization of 43,000 students, 3,800 faculty and staff, and a network that spans more than 50 locations and over 50,000 end points, you may miss one.”