[BreachExchange] Las Vegas Students’ Personal Data Leaked, Post-Ransomware Attack

Destry Winant destry at riskbasedsecurity.com
Wed Sep 30 10:27:07 EDT 2020


https://threatpost.com/las-vegas-students-data-leaked-ransomware/159645/

A researcher said he discovered an open data cache with names, grades,
birthdates and more, after the Clark County School District refused to
pay the ransom.

Personal information for students in the Clark County School District,
which includes Las Vegas, has reportedly turned up on an underground
forum, following a ransomware attack that researchers say was carried
out by the Maze gang.

In early September, the Associated Press reported that the district
was crippled during its first week of school thanks to a ransomware
attack, potentially exposing personal information of employees,
including names and Social Security numbers. The Clark County School
District (CCSD) quickly confirmed the reporting via a Facebook post,
where it noted that three days after school began online, on August
27, it found many of the school’s files to be inaccessible – though
online learning platforms weren’t affected. At the time it said that
“some private information may have been accessed.”

This week, Brett Callow, a threat analyst with Emsisoft, told the Wall
Street Journal that student information has turned up in an
underground forum.

Callow said that a warning shot was fired last week by the attackers,
presumably in retribution for CCSD not paying the ransom of an
undisclosed sum. Attackers, he said, released a non-sensitive file to
show that they had data access. When that garnered no response they
released a raft of sensitive information. That information included
employee Social Security numbers, addresses and retirement paperwork;
and student data such as names, grades, birth dates, addresses and the
school attended. The hackers also announced that the data release
represents all of the information they stole from CCSD’s network.

When Threatpost reached out to Emsisoft for more details on the data
cache, Callow said that in total, the criminals — specifically, the
Maze gang — published about 25GBs of data.

He also said that no password was needed for access to the information.

“The data was published on leak sites on both the clear and dark
webs,” he told Threatpost. “It can be accessed by anybody with an
internet connection who knows the URL.”

For its part, the district said in a statement Monday that the
reporting has not been verified: “National media outlets are reporting
information regarding the data security incident CCSD first announced
on Aug. 27, 2020. CCSD is working diligently to determine the full
nature and scope of the incident and is cooperating with law
enforcement. The District is unable to verify many of the claims in
the media reports. As the investigation continues, CCSD will be
individually notifying affected individuals.”

Callow told Threatpost, “the data would certainly appear to be legitimate.”

Threatpost reached out to CCSD for more information on the ransom
amount and other details. When it comes to the extortion piece, a
similar attack in July on the Athens school district in Texas led to
schools being delayed by a week and the district paying attackers a
$50,000 ransom in exchange for a decryption key.

More ransomware operators are setting up pages where they threaten to
publish compromised data from victims – an added pressure for victims
to pay the ransom. The ransomware tactic, called “double extortion,”
first emerged in late 2019 with Maze operators – but has been rapidly
adopted over the past few months by various cybercriminals behind the
Clop, DoppelPaymer and Sodinokibi ransomware families.

“The number of successful attacks on school districts has increased
significantly in recent weeks, with at least 12 falling victim this
month alone,” Callow told Threatpost. “The attacks have disrupted
learning at up to 596 individual schools. The number of cases in which
data is exfiltrated has also increased: at least five of the 12
districts had data stolen and published online.”

Ilia Kolochenko, founder and CEO of web security company ImmuniWeb,
noted that the CCSD story could get messy if parents choose to sue the
district over the attack and its handling of it.

“What may be tricky is an eventual lawsuit by the victims against the
school,” he said via email. “The crunchy point will be whether a
failure to pay a ransom, to preclude data from being published, may be
construed as a failure to remediate the damage and thus make the
school civilly liable for this specific leak and its consequences. The
monetary damages will, however, likely be of a nominal value as
evidenced by recent litigation in the US involving similar data
breaches. The best avenue will likely be a settlement, providing the
students with a necessary support to negate reasonably foreseeable
consequences of the data breach and exposure of their PII [personally
identifiable information].”

School Attacks Continue

A slew of ransomware attacks and other cyberthreats have plagued
back-to-school plans — as if dealing with the pandemic weren’t
stressful enough for administrators.

In addition to the Clark County and Athens incidents, an attack on
Hartford, Conn. public schools earlier in September led to the
postponement of the first day of school. According to a public
announcement, ransomware caused an outage of critical systems,
including the school district’s software system that delivers
real-time information on bus routes.

Also, a recent ransomware attack against a North Carolina school
district, Haywood County Schools, caused the school to close to
students for days.

Security researchers have said that cyberattacks may well become the
new “snow day” – particularly with the advent of pandemic-driven
online learning. As students prepare to return to school, schools are
facing more complex cyber-threats. For instance, the need for data,
monitoring and contact-tracing becomes a key factor in students
returning to in-person classes, and remote students will have longer
periods of time during which they are connected to the internet.

Meanwhile, researchers have warned of a projected seven-fold increase in
ransomware overall for 2020, compared to last year – with some strains
being more worrisome than others.

“One ransomware variant that is particularly concerning is Ryuk, which
has been attributed to North Korean and Russian threat actors,” said
Jeff Horne, CSO at Ordr. “Ryuk can be difficult to detect and contain
as the initial infection usually happens via spam/phishing and can
propagate and infect IoT/IoMT devices, as we’ve seen with UHS hospital
phones and radiology machines. Once on an infected host, it can pull
passwords out of memory and then move laterally through open shares,
infecting documents and compromised accounts.”

He added that many of the ransomware attacks come with additional pain.

“Some threat actors are still piggybacking Ryuk behind some other
trojans/bots like TrickBot, QakBot and Emotet, and some of those can
use the EternalBlue vulnerability to propagate,” he said.
