Coral Glades High School, part of Broward County Public Schools. The $40 million ransomware attack on the district was one of a wave of cases targeting educational institutions over the last couple of weeks. (Formulanone, Public domain, via Wikimedia Commons)
The Conti ransomware gang encrypted the systems at Broward County Public Schools several weeks ago and threatened to release sensitive student, teacher and employee personal data unless the district paid an enormous $40 million ransom.
Broward County Public Schools, the nation’s sixth largest school district with an annual budget of about $4 billion, told parents about a network outage on March 7 that negatively impacted online teaching, but based on this new information, the incident was clearly much more serious.
First reported by DataBeaches.net, the hackers threatened to make public a vast trove of personal data, including the social security numbers of students, teachers and employees, addresses, dates of birth and school district financial contact information.
Broward County Public Schools Thursday released a statement saying it hired a cybersecurity firm to investigate and remediate the attack. The district also said it did not intend to pay the ransom and underscored that it was “not aware of any student or employee personal data that has been compromised as a result of the incident.”
The hackers published screenshots of a text message from mid-March between them and a district official -- evidently a negotiation for the hackers to release the files back to the district.
“The good news is that we are businessmen,” the text message from the hackers said. “We want to receive ransom for everything that needs to be kept secret, and don’t want to ruin your reputation. The amount at which we are ready to meet you and keep everything as collateral is $40,000,000.”
The district official replied: “I am... speechless. Surely this is a mistake? Are there extra zeros in that number by mistake?”
The Conti group was not kidding, although after several negotiations it reportedly lowered the ransom to $10 million.
Broward County’s case was one of several ransomware attacks that hit educational institutions in the past two weeks. The Clop ransomware gang was very active, with reported cases affecting the University of Maryland, Baltimore Campus (UMBC); the University of California, Merced; the University of Colorado; and the University of Miami. Jamie Hart, cyber threat intelligence analyst at Digital Shadows noted that these attacks were conducted by the Clop gang and were targeted as part of the Accellion FTA breach. In these cases, Hart said the Clop ransomware group did not deploy the Clop file-encrypting malware, but rather threatened to release stolen sensitive data publicly if the ransom demands were not paid.
Cybercriminals have continued to prey on educational institutions during the pandemic, especially considering the rapid shift to online learning and university employees working from home, said Timur Kovalev, chief technology officer at Untangle.
“The University of Utah was also the victim of a ransomware attack and paid over $450,000 to prevent information from being released on the dark web,” Kovalev said. “Taking another approach was Michigan State University, which despite threats to release student records and financial documents, refused to pay the ransom. While it may make sense to pay ransom in some events, it can set a bad precedent and encourage further attacks.”
Kovalev said we can expect ransomware attacks to grow more sophisticated. To protect their data, security teams should implement a next-gen firewall, train employees, segregate networks and have up-to-date back-ups.