K-12 schools are found throughout our landscape, in small towns and large cities. The number of students varies by region, requiring anything from small buildings to one large enough for a medium-sized business. They may be located on short, two-lane roads or primary thoroughfares. When we drive by them, we know they are educational facilities teaching the next generation. While the primary focus is the same for these institutions, there is another commonality: each has some form of network, be it rudimentary or complex, holding a large amount of data, managing operations where needed, and facilitating email communications. One issue with these networks has been cybersecurity. With constricting budgets, it has become tough to get everything done as planned.
One such school system is Wolcott Public Schools. The school system, located in Connecticut, was attacked successfully. The attackers naturally had a full array of tools available to use. They chose an all-too-familiar one, which has proven to be very effective: the district's system was compromised with ransomware. Over the last two years, the use of ransomware has proven to be an epidemic. The attack started in May 2019, at the end of the school year. The district attempted, in vain, to manage the issue internally. With select tools, the target may be able to remove ransomware itself. This applies in very few cases, with the early variants, which may still be in use. The issue came to a tipping point when the district was not able to correct it, and it needed to be brought before the town officials.
The successful attack had deep-rooted effects on the school system. Had it affected only one user's workstation, this would have been a much different case. Instead, the district was forced to lock down several servers. While these were locked down, it was not able to access or work with any of the data stored on them. Fortunately, a portion of the files was also held in other locations as backups. While this sounds unpleasant, consider all of the learning activities that could not occur because the files were encrypted. On the bright side, no student data was compromised.
This was a rather significant issue. Having data tied up and unusable is problematic for anyone. For a school district, there are also timelines for reporting data to the state and possibly federal agencies. After detecting the ransomware, the school district did contact the FBI. The focus of this, naturally, was who was behind the ransomware attack.
As noted, the affected systems were shut down for all purposes. Once the school IT work group decided it was not going to be able to fix the issue, it consulted with the Wolcott Board of Education. The risks and benefits of paying the ransom were discussed and debated. The Board of Education approved the ransom payment by a vote of 6 to 1. The hope was to secure the decryption key. The amount noted for the payment was up to what the town charter would allow, or $9,999. This was the ceiling amount. An amount greater than this would require a bidding process and an extended amount of time, which was something they did not have. Without the ransom being paid and the decryption key being provided, a portion of the middle and high school files would not be usable in any form. In this incident, of the schools in the district, the high school, middle school, and central office only had a back-up server.
Comments & Concerns
Ransomware has become an epidemic and a massive issue across many industries. Any business connected to the internet is susceptible to it. One fact not covered in the publications is the method of infiltration. This may have been an employee clicking on a link or file, inviting the malware in through the front door and allowing it to scurry about in the network. Ransomware training is a necessity in this day and age. Employees need constant reminders of what to look for. And in the case of an individual oversight, which generally is detrimental to a significant degree, employees need to know what to do.
Backus, L. (2019, August 30). FBI probes hacking of CT school’s computer. Retrieved from https://www.ctpost.com/local/article/FBI-probles-hacking-of-CT-school-s-scomputers-14401437.php
Data Breaches. (2019, August 30). Cyber attack affects Wolcott public schools. Retrieved from https://www.wfsb.com/news/cyber-attack-affects-colcott-public-schools/
WFSB. (2019, August 30). Cyber attack affects Wolcott public schools. Retrieved from https://www.wfsb.com/news/cyber-attack-affects-wolcott-public-schools/
Johnson, K. (2019, August 28). Ransomware attack targets Wolcott public schools. Retrieved from https://www.nbcconnectictu.com/news/local/Ransomware-attack-targets-wolcott-public-schools-558610611.html
Passmore, S. (2019, August 30). Board passes motion to allow Wolcott superintendent to pay ransom after cyber attack. Retrieved from https://www.weny.com/story/40985421/board-passes-motion-to-allow-wolcott-superintendent-to-pay-ransom-after-cyber-attack
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.