Malware infected computers at a local school district this month, deleting emails and forcing the district to temporarily shut down part of its systems.
The San Ysidro School District became a local victim of malware attacks that have hit school districts from Maryland to Montana this year. The cyber attack, known as ransomware, demanded roughly $19,000 in Bitcoin over the weekend of Sept. 16.This is part of inewsource’s continuing coverage of the San Ysidro school district:
- Homeless emergency in San Ysidro schools escalates with grant loss
- Agencies boost San Ysidro School District’s bond ratings
- Grand jury finds much to criticize at San Ysidro schools
- Schools fail lead tests while many states don’t require testing at all
- Investigations continue as San Ysidro schools’ financial picture improves
Interim Superintendent Arturo Sanchez-Macias said it affected emails from Aug. 18 through Sept. 17, as well as some shared files. District officials believe no confidential student data was compromised.
The district maintained a backup of all files so there was no need to pay the ransom. The demand for money came from an automated message within the malware found by VectorUSA, a technology contractor assisting the district.
Todd Lewis, San Ysidro’s director of technology, said the district had restored backups and was in the process of checking each workstation computer to make sure they are virus-free.
“At this point we’re in a pretty good place,” Lewis said on Tuesday. “We’re just being very safe and very cautious as we want to make sure it’s off all the workstations before we open up connectivity.”
Lewis said VectorUSA is preparing a forensic report to better understand the attack. The district is also taking preventative measures, including updating its software, and testing and installing different anti-virus software programs.
The computer assault came as the district was transitioning its website and email addresses to a new domain, sysdschools.org, as well as updating some computers’ operating systems.
It also came two weeks after Superintendent Julio Fonseca resigned on Sept. 1 following allegations of improper conduct. He was accused of firing an employee for alleging an improper relationship between Fonseca and an employee the superintendent had hired. The fired employee settled a wrongful termination lawsuit with the district.
Sanchez-Macias said he could see how some people might have questions about the timing.
“It’s never the perfect timing to get a virus, but if anything you don’t want to give the perception that you’re hiding something behind a situation that is outside of your control,” he said.
A growing threat
San Ysidro’s hack is part of a growing trend of ransomware attacks against school districts throughout the country.
Earlier this year a school district in Maine paid a $1,400 ransom for its data. Hackers infiltrated four school districts in Florida, installing malware and spending three months searching for private data. A school district in South Carolina paid hackers a $10,000 ransom to unlock its data.
And earlier this month a hacker stole contact information from a Montana school district server and used it to threaten students and teachers and demanding thousands of dollars in ransom.
Adam Kujawa is the director of malware intelligence at Malwarebytes, a cybersecurity company. He said the most common way for a virus to get into a system is through a process called phishing. Users receive legitimate-seeming emails with an attachment, but when they open the attachment, they launch the virus.
In a school district with hundreds of teachers or administrators connected to the system, Kujawa said, “It’s a high likelihood that one of them may have encountered one of these phishing emails.”
Rather than stealing the data to resell, the hackers basically build a safe around the information inside a district’s own computers. They lock it and charge thousands of dollars for the combination – the encryption key – to open the safe.
“If I was a bad guy, (ransomware) is what I would invest in,” Kujawa said. Unlike identity theft, “there’s no more middleman, there’s no more need to collect information and then try to sell it to the black market.”
Jonathan Levine, the chief technology officer at Intermedia.net, a business cloud company, said even when victims pay, there’s no guarantee that the hackers will give back the data.
“There’s not a Yelp for data kidnappers,” he said. “And there’s no Better Business Bureau for organized crime.”
Kujawa said he warns clients that there’s a 50/50 chance the hackers will unlock the data even with the payment.
“Negotiate if you can and never expect to get your files back,” he said.
Sanchez-Macias said the district did not consider paying the individuals behind the ransomware that affected San Ysidro. The district’s contractor found that other victims of the same virus had paid hackers and never received a key to the data.
An ounce of prevention
Both Levine and Kujawa instead urge school districts — and any individual, company or government agency — to take steps to prevent and mitigate malware attacks.
The first step is user education, training staff to look out for potential malware.
“We run campaigns regularly to try to educate our staff on how to know if an email that you receive is really from the CEO,” Levine said. “How to know if you really should open that attachment.”
They also recommend maintaining constant backups of everything in the district.
“So that if you’re hit by ransomware on Tuesday you can go back to Monday,” Levine said. “You might lose a day’s worth of data. But at least you don’t lose all your data.”