MESSAGE
DATE: 2020-11-13
FROM: Ruben Safir
SUBJECT: [Hangout - NYLXS] Congratulations - Now every child is a Google
https://www.wsj.com/articles/my-information-is-out-there-hackers-escalate-ransomware-attacks-on-schools-11605279160?mod=hp_lead_pos5
wsj.com
‘My Information Is Out There.’ Hackers Escalate Ransomware Attacks on Schools
Tawnell D. Hobbs | Photographs by Justin Clemons for The Wall Street Journal
Just as school was to start this semester, technology chief Tony Brooks
rushed to his office in Athens, Texas. Colleagues said they were unable
to access the school district’s network.
He logged into his computer. A message popped up: “All your important
files are encrypted!”
“I immediately freaked out,” said Mr. Brooks. “I got my team together
and said we need to go and unplug every computer. We didn’t want the
virus to spread any more.”
Mr. Brooks, who works in the 3,000-student Athens Independent School
District, soon found himself corresponding with a cyber pirate who
demanded money in return for freeing the district’s systems, which were
full of personal and financial information. The district shared
screenshots of the interactions with The Wall Street Journal, revealing
a rare close-up look at the details of a ransomware attack.
“How would payment be made?” Mr. Brooks responded.
“BTC,” the hacker wrote, meaning bitcoin, which allows payment with no
middlemen.
Schools around the U.S. are fighting a wave of increasingly aggressive
ransomware attacks by hackers. The U.S. Treasury Department warned last
month that ransomware attacks in general have increased during the
coronavirus pandemic—and districts make an especially tempting target
due to their often thinly staffed technology departments and networks
full of personal data.
It’s a significant new source of stress in what’s already been a
difficult year, with the pandemic forcing closures, a chaotic
implementation of remote learning and complicated schedules.
Hackers have for years used ransomware, a type of malicious software, to
lock up computers or files until the demanded sum was paid—but they
generally left it at that for school districts. Now they are grabbing
data such as addresses, phone numbers, Social Security numbers, grades
and other sensitive student information to post online if payment isn’t
made. The information can aid identity theft or be highly embarrassing
for vulnerable young people.
“It is extortion,” said Elizabeth Clarke, spokeswoman for cybersecurity
firm Armor Defense Inc. “The ransomware has gotten more heinous. To
incite you to pay, they say, ‘Hey, we’ve got all the data, and we’ll be
happy to post.’ ”
A server room at Athens High School.
There is no official U.S. clearinghouse to track ransomware cases, but
some cybersecurity firms, which track known incidents from news reports
along with their own private cases, say they are seeing an increase in
cases involving schools and colleges, which are now heavily reliant on
online learning and technology to run their operations.
Based on searches of hackers’ sites on the dark web—a network of
websites accessed through special software that gives users anonymity—as
well as publicly known cases, the Journal has documented nearly three
dozen ransomware attacks against school districts since the pandemic
began in March.
That tally, affecting districts educating more than 700,000 students,
doesn’t include numerous private schools, community colleges and
universities that have also come under attack.
The figure underestimates the actual number of cases. Some districts
switch to backup servers that escaped attacks or quietly pay ransom
without ever making it public, reluctant to admit they were hacked and
eager to move on, security experts say. Hackers often tell their victims
not to call law enforcement.
Even those that have gone public often don’t reveal the amount of ransom
paid. A tally of seven cases by the Journal found that school districts,
colleges and universities have paid at least $2 million in the past 12
months, on top of the often burdensome costs of better securing their
systems. Ransom amounts in those cases ranged from $35,000 to $1.14 million.
Average ransom payments across all industries have climbed in recent
years, to $233,817 in the third quarter of this year from $41,198 a year
earlier, according to cybersecurity firm Coveware Inc.
Security experts say that many ransomware hackers operate outside of the
U.S. and are hard to capture.
On their own
Districts are often on their own when it comes to figuring out how to
deal with hackers or how to keep their systems safe. In an October
letter, U.S. Senators Jacky Rosen and Catherine Cortez Masto, both
Nevada Democrats, asked U.S. Department of Education Secretary Betsy
DeVos and Homeland Security Acting Secretary Chad Wolf to address
ransomware attacks against schools and districts.
The letter cited an article in September by the Journal that revealed
that hackers published student grades, employee Social Security numbers
and other sensitive data from the 320,000-student Clark County School
District in Las Vegas when a ransom wasn’t paid.
An attack in Ohio’s Toledo Public Schools has been especially egregious.
Information posted on the hacker’s website in October includes Social
Security numbers and dates of birth for students and employees,
disciplinary and disability information on students, employee
evaluations and exam grades. It included the identities of an
eighth-grader listed as emotionally disturbed, a ninth-grader suspended
for sexual activity and a roster of foster children.
As with other attacks, the hackers posted the data on the dark web.
Toledo parent Krista Wilcox is mad that her 8-year-old son could have
his identity compromised, and that she found out about the release of
information from media reports instead of from the district.
“My information is out there, and they could contact me,” she said. “How
do I know it’s not child traffickers? I feel betrayed by the school system.”
Toledo Public Schools said in a written statement that the
23,000-student district reached out to the Federal Bureau of
Investigation and contacted cybersecurity experts to determine the scope
of the attack. The district is encouraging parents and guardians to
monitor credit reports.
Hackers often negotiate with their victims. The Sheldon Independent
School District in Houston, Texas, paid a ransom of $206,931, negotiated
down from about $350,000, after an attack in March.
After payment, the 10,000-student district couldn’t recover about 10% of
its files—not an unusual amount to lose in ransomware cases, security
experts say. Administrators fear the hacker kept some of the district’s
data, prompting them to notify parents and employees of the possibility.
Sheldon officials believe the hackers got into their system through a
phishing email, meaning someone opened an email that carried an attachment
or a link to malicious software. Hackers also get in by exploiting weak
cybersecurity controls and user login credentials.
‘School possibly could have been delayed many weeks,’ says Athens
Superintendent Janie Sims.
School districts have a steady stream of revenue in the form of tax
dollars, and their reserve funds are typically open to public view.
“High revenue and low cyber security is basically an open invitation,”
said a person reached through the SunCrypt hacker’s site who identified
as a member of the group in a typed chat interview with the Journal on
the dark web.
SunCrypt recently hacked Haywood County Schools in Waynesville, N.C.,
and began posting data from the district in late August. The
7,100-student district said it called in law enforcement, but declined
to comment further due to a continuing federal investigation.
The person identifying as a SunCrypt member said the group asked for
about $500,000 from the district—about 17% of the district’s $2.9
million general reserve fund in June.
The first information released from Haywood included administrative
files, such as an employee cellphone directory and a listing of students
with absences. The first dump usually contains the least sensitive
information, often used as proof of the theft or a warning to pay,
experts say.
The person identifying as a SunCrypt member said the group doesn’t have
plans to post any more information from Haywood, saying its scouts had
mistakenly thought it was a private college. They said the group has
provided some entities with a “Covid-19 discount” and ended negotiations
with Haywood when the district involved a third party—in this case, law
enforcement.
Infected
In Athens, the hacker locked the district’s roughly 30 servers, along
with backup servers, and infected hundreds of computers connected to the
network, Mr. Brooks said. The attack halted student registration six
days before the start of the new school year.
In the initial pop-up message, the hacker provided a link and
instructions for entering the dark web. Mr. Brooks brought in help from
Brent Goerner, a technology specialist at the district’s regional
education service center—an organization established by the state to
provide a range of support services.
Mr. Brooks followed the hacker’s instructions the next day, ending up at
a chat window.
“how many pc do you need decrypted?” the hacker asked. Mr. Brooks took
the question to mean: How many servers and computers would need to be
unlocked by a decryption key that the hackers would give him upon
receipt of payment.
Before he could respond, the hacker said, “I want for everything pc 50
000$.”
Mr. Brooks planned to negotiate the figure, but before he could start,
the hacker let him know it held the decryption key for more than 200
district devices.
“see I have a very big list of keys,” the hacker said in the chat. “more
than 200 pc.”
“what about if we only needed 20 PC,” Mr. Brooks asked, thinking that
the district might need decryption keys for only certain servers—mainly
for a critical one holding student and financial data.
“then 1 PC - 1000$,” the hacker responded.
“ok, I need to discuss with my boss,” Mr. Brooks wrote.
The Athens school district believes a vendor doing work on the system
may have left it vulnerable to hackers.
The hacker also told Mr. Brooks not to call police.
“they won’t let you pay and won’t help you decrypt files,” the hacker
said in the chat. “and you’ll lose data for always.”
Mr. Brooks replied: “we are not talking to the police. I just need to
see how we can come up with the money…We are working with you and want
to decrypt our data.”
He added: “how do we know our files will not be re-encrypted once we pay
you?”
The hacker said: “Yes. I’m going to remove you…and tell you where to
close the holes through that we’ve penetrated.”
It’s not unusual for hackers to offer such security reports to paying
victims, telling them how they got hacked. Some cybersecurity experts
question the accuracy of such reports and discourage victims from paying.
“If the flow of money stops, the attacks will stop,” said Brett Callow,
a threat analyst at cybersecurity firm Emsisoft, which also creates
decryption tools to unlock files. “The alternative is that
cybercriminals will continue to become better resourced, more motivated.
It’s a vicious cycle.”
In June, the University of California, San Francisco paid a $1.14
million ransom to a hacker. The university said in a written statement
that it made the decision to pay because the hacker encrypted data for
important academic work, including research.
Hackers have about a 97% rate of delivering a decryption tool to victims
once the ransom is paid, Coveware found. But the company recently
reported that some hackers held on to data after payment, possibly
selling it to other hackers or using it to re-extort the victim.
The FBI, which encourages victims to reach out to their local FBI field
office, doesn’t support paying a ransom as it can embolden hackers to
target others, but says it understands that organizations faced with an
inability to function will evaluate all options to protect employees and
customers.
Amy Kelley, an algebra teacher at Athens Middle School, connects with
her students via an iPad that moves along with her.
A lone technology director oversees operations in the 1,250-student
North Tippah School District in rural Tiplersville, Miss., which got
hacked in August. “There’s not too many people I had to talk to, to say,
‘What do we do from here?’ ” said Superintendent Scott Smith, who added
that the district paid no ransom but declined to say more as the matter
is still being addressed.
Hackers can be in victims’ systems days or weeks, giving them time to
take data before deploying ransomware, according to Emsisoft. Once they
do take over, they treat it like a financial transaction, with some even
referring to victims as clients.
“…it’s business,” the hacker told Mr. Brooks at the end of their
conversation.
“perfect. understand,” Mr. Brooks said.
In an emergency meeting, the Athens school board approved paying $50,000
in ransom the day after the attack. The board also pushed back the new
school year by a week due to the hacking. Some community members didn’t
like having to pay off a hacker, but the district said it had little choice.
“No one wants to do this. It feels awful,” Athens superintendent Janie
Sims said. “But it could be worse if we didn’t pay. School possibly
could have been delayed many weeks. We felt we had to.”
Mr. Brooks blamed himself. “I felt like a complete and total failure,”
he said. He isn’t certain how the hacker got in but believes a vendor
doing work in a server left open a meeting app, giving the hacker a way
into the system.
Two days after the attack, Mr. Brooks, on little sleep, placed a
late-night call to Dr. Sims. He’d made a big discovery—a copy of a
backup server held the data from the compromised critical server.
“I jumped up out of my chair,” Mr. Brooks said. “I was screaming, ‘Yes,
yes!’”
He broke off communications with the hacker, who hadn’t mentioned
posting any of the school’s data.
Mr. Brooks said engineers found no indication that information had been
stolen—it looked like the hacker had just locked the servers without
ever taking any data. Computer hard drives were wiped and reinstalled.
The district paid no ransom.
Write to Tawnell D. Hobbs at Tawnell.Hobbs-at-wsj.com
--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www.brooklyn-living.com
Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013
_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://lists.mrbrklyn.com/mailman/listinfo/hangout