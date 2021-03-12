Buffalo Public Schools is the latest victim in a growing number of cyberattacks targeting school districts across the U.S. at a time when they’re most vulnerable.
The school district disclosed late Friday afternoon that it was a victim of a ransomware attack, after canceling all remote classes earlier in the day “due to an unanticipated interruption to BPD District network systems.”
Ransomware is a malicious software that, in general, blocks access to the user’s computer system until a ransom is paid.
Myra Burden, the district's chief technology officer, said in a memo that "at this time, no demands have been made; however, the FBI has found out that ransom may be between $100-300K and could be negotiable."
Superintendent Kriner Cash approved an emergency contract with GreyCastle Security, a cybersecurity service, to help in the investigation. The FBI is assisting.
It was unclear if personal information was stolen from the district's networks or how this might impact remote and in-person learning at city schools next week. The second phase of reopening is expected to start Monday, when another 5,000 students are scheduled to return to the classroom.
District officials called a news conference for Friday evening to provide more details.
"We anticipate knowing the scope of the problem, the extent of the work required to address the problem, and the time frame to return services to normal over the next few days," Burden said in the memo. "I will continue to update accordingly throughout the weekend as we make progress on this critical project."
Federal agencies in December warned K-12 schools that ransomware attacks, the theft of data and the disruption of distance learning services have been on rise since the start of the school year, as districts have relied more and more on technology and online learning during the Covid-19 pandemic.
An advisory, issued by the FBI, the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center, noted that from January through July, 28% of all reported ransomware cases involved K-12 schools. In August and September, 57% involved schools.
“Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year,” the agencies warned.
“These issues will be particularly challenging for K-12 schools that face resource limitations; therefore, educational leadership, information technology personnel, and security personnel will need to balance this risk when determining their cybersecurity investments,” the advisory said.
For example, the day before Thanksgiving, a ransomware attack hit the network systems of the Baltimore County Public Schools, shutting down school for a few days for 115,000 students attending classes remotely, according to the Baltimore Sun.
Meanwhile, personal data also was stolen from the Toledo Public Schools, including Social Security numbers, employee evaluations, exam grades and dates of birth for students and employees, the Wall Street Journal reported in November.
The newspaper also reported that Sheldon Independent School District in Houston, Texas, paid a ransom of more than $200,000 after an attack last March.
The FBI and Cybersecurity and Infrastructure Security Agency do not recommend paying ransoms.
“Payment does not guarantee files will be recovered,” the agencies said in their December briefing. "It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”
Locally, Erie County Medical Center was hacked by cyber extortionists who took down 6,000 computers in April of 2017.
A ransom demand appeared on hospital computer screens that sought 24 bitcoins, a digital currency that was valued at about $1,215 per bitcoin at that time, totaling nearly $30,000 to unlock the medical center's system.
ECMC didn't pay the ransom, a decision recommended by security experts and law enforcement authorities.
But ECMC officials estimated expenses tied to the incident were nearly $10 million. Roughly half of that was for computer hardware, software and assistance needed in the response. The other half represented an increase in expenses, such as staff overtime, and lower revenues from the loss of business during the system down time.
It also was a big wakeup call for institutions across the entire community when it came to the need to invest in cybersecurity.
Maki Becker