Ransomware, Threat Management, Incident Response, Threat Management

Los Angeles school district to remain open despite ransomware attack

A yellow school bus is parked by a school in Los Angeles.
School bus parked by the school in Los Angeles, California. The Los Angeles Unified School District – the second largest school district in the country – is reporting it has been victimized in a ransomware attack.

The Los Angeles Unified School District, the second largest school district in the country, is reporting it has been victimized in a ransomware attack.

In an announcement posted on its website, the district said it detected “unusual activity” in its IT network over the Labor Day weekend, affecting access to email, computer systems and software applications. So far, officials said they do not believe the attack impacted employee healthcare or payroll records or any safety or emergency mechanisms in place at schools across the district.

The LAUSD does not plan to shut down any schools or cancel classes in the immediate aftermath, though food services and other operations may experience disruptions. Hotlines have been established to keep parents and employees updated on any changes to that plan. Students, teachers and other employees are also being queued up for a mass password reset today.

“Despite this significant disruption to our system’s infrastructure, schools will open on Tuesday, September 6 as scheduled,” the district said in a notice. “We are working collaboratively with our partners to address any and all impacted services. While we do not expect major technical issues that will prevent Los Angeles Unified from providing instruction and transportation, food or Beyond the Bell services, business operations may be delayed or modified.”

An initial review determined the incident was an ongoing ransomware infection and “likely criminal in nature” and school officials have been working with the White House and federal agencies, including the Department of Education, the FBI and the Cybersecurity and Infrastructure Security Agency on incident response and other activities. The district also said those agencies are assisting with forensic review of affected systems and devices.

SC Media has reached out to all three agencies for more information on the resources deployed. In a statement, CISA executive assistant director Eric Goldstein confirmed that his agency is assisting in the response and commended the LA school district for their speedy outreach.

"LAUSD took swift action to report this incident to federal agencies, collaborate with key partners to mitigate further risk, and communicate transparently – all key steps for effective response to cybersecurity incidents," said Goldstein. "We encourage all organizations, including educational institutions, to visit stopransomware.gov for additional guidance on managing this ongoing threat.”

The school district also laid out additional plans to deploy dedicated IT staff to schools to address technical issues, direct “any necessary funding” to support IT officials in the recovery, implement mandatory cybersecurity trainings for staff and convene an advisory council and IT task force charged with developing recommendations for managing the fallout.

The LAUSD has over 633,000 enrolled students and is the largest school system known to be hit by ransomware. According to Emsisoft analyst Brett Callow, who tracks attacks by sector, it represents the 50th education entity infected with ransomware this year alone, including 26 universities and 24 school districts covering more than 1,727 schools.

Cybersecurity experts say ransomware operators often time their attacks on school districts to coincide with the start of the school year in order to cause maximum disruption and increase pressure on school officials to pay.

The Los Angeles Unified School District is the second largest district int the nation and the largest to confirm a ransomware attack. (Source: Census.gov)
The Los Angeles Unified School District is the second largest district int the nation and the largest to confirm a ransomware attack. (Source: Census.gov)
Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.