[BreachExchange] School District to Spend $314K on Rebuilding Servers after Malware Attack

Destry Winant destry at riskbasedsecurity.com
Wed Jan 3 21:09:28 EST 2018


A school district in North Carolina intends to spend $314,000 on
rebuilding more than a dozen servers affected by a malware attack.

On 27 December 2017, the board for Rockingham County School District
held an emergency meeting and voted 7-1 to approve a 12-month,
$314,000 service contract with Georgia-based technology solutions
provider ProLogic ITS. The contract, which is currently pending
review, will give 10 Level 3 and 4 engineers at ProLogic the necessary
funding to rebuild 20 servers after the school district suffered a
malware attack. It will also cover virus mitigation services offered
by the provider, including on-site imaging for 12 servers and 3,000
client systems.

Greensboro News & Record reports that the monies, which will come out
of the school’s unrestricted fund balance of approximately $5 million,
will cover a total of 1,200 onsite repair hours. It’s estimated the
cleanup won’t take longer than a month.

According to WFMY, the malware infection occurred on 11 December 2017
when employees at Bethany Elementary, Western Rockingham Middle
School, and the district’s Central Office opened an “incorrect
invoice” email that appeared to come from Rockingham County School
District’s antivirus provider. The email used that lure to get the
employees to open an attached Microsoft Word document carrying Emotet, a
trojan that injects itself into running processes and network-related
software on the infected machine. From there, the malware can steal
financial and personal information, perform distributed
denial-of-service (DDoS) attacks on other systems, and download
additional banking trojans.
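The lure described above combines three things a mail gateway can check before a user ever sees the message: a money-themed subject, a sender whose header "From" domain does not match the envelope sender, and a Word attachment that carries a VBA macro project. The following Python is an added illustration of that triage and is not code from the article, the district, or ProLogic ITS; the vendor name "Acme AntiVirus", the domains, the subject line and the attachment are all constructed for the example, and the macro "project" is a placeholder, not real malware.

```python
"""Triage a raw email for the Emotet-style invoice lure: money-themed
subject, From/Return-Path domain mismatch, and a macro-capable Office
attachment. All sample messages are constructed inline."""
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage

LURE_WORDS = ("invoice", "payment", "overdue", "remittance", "statement")
OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".dot", ".dotm",
                     ".xls", ".xlsm", ".xlsx")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office format


def build_macro_docm() -> bytes:
    """Constructed sample: a minimal OOXML package with a vbaProject.bin
    part, which is what makes a .docm macro-enabled. The part is a
    placeholder, not a real VBA stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/vbaProject.bin", b"placeholder, not real VBA")
    return buf.getvalue()


def build_sample_email(from_header: str, return_path: str, subject: str,
                       filename: str, attachment: bytes) -> bytes:
    """Constructed sample message. Return-Path is normally stamped by the
    receiving MTA; it is set here so the checker sees an envelope sender."""
    msg = EmailMessage()
    msg["Return-Path"] = return_path
    msg["From"] = from_header
    msg["To"] = "staff@district.example"  # assumed recipient
    msg["Subject"] = subject
    msg.set_content("Please open the attached document and correct the amount.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def has_vba_project(data: bytes) -> bool:
    """True when an Office file can carry macros: an OOXML zip with a
    vbaProject.bin part, or a legacy OLE2 binary (.doc/.xls), which is
    flagged conservatively because confirming macros there needs a deeper
    parser than this example carries."""
    if data.startswith(OLE2_MAGIC):
        return True
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def domain_of(header_value) -> str:
    """Domain part of the first address in a header, lower-cased."""
    addr = email.utils.parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def triage_message(raw: bytes) -> dict:
    """Return the indicators found and a verdict. Each indicator alone is
    weak; two or more together is the pattern that earns quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    if envelope_domain and from_domain != envelope_domain:
        findings.append(f"From domain {from_domain!r} != envelope domain {envelope_domain!r}")

    subject = str(msg["Subject"] or "").lower()
    if any(w in subject for w in LURE_WORDS):
        findings.append("money-themed subject line")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(OFFICE_EXTENSIONS) and has_vba_project(part.get_content()):
            findings.append(f"macro-capable Office attachment {name!r}")

    verdict = "quarantine" if len(findings) >= 2 else "deliver"
    return {"findings": findings, "verdict": verdict}


if __name__ == "__main__":
    lure = build_sample_email(
        "Acme AntiVirus Billing <billing@acme-av.example>",  # assumed vendor
        "<bounce@mail-blast.example>",
        "Incorrect invoice #4471 - please review",
        "invoice.docm", build_macro_docm())
    print(triage_message(lure))
```

The macro check is deliberately cheap: for OOXML it only looks for the vbaProject.bin part, and it flags every legacy OLE2 file because macros in that format cannot be confirmed without an OLE parser. In practice the sender check would be backed by SPF/DKIM results from the gateway rather than a bare Return-Path comparison, and the verdict threshold would be tuned against the district's own mail flow.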

Tech Scout’s Kent Meeker is familiar with Emotet and says the malware
is difficult to remove from an infected server. As he told WFMY in a
separate article: “So if you click on something that you shouldn’t or
didn’t know about it can immediately load that onto your system, and
if you don’t have the right virus protection, or malware protection,
it will get right through and just kind of live on the machine. It may
lay dormant for a while before it activates itself, and starts doing
crazy stuff. This seems like something that probably, hopefully should
have been caught and now this is the repercussions of that. They are
going to have to go in and rebuild all of these machines, all of these
servers to get rid of it because once it is embedded in the system, it
is really rough getting it out. Now, I think they are just doing
everything they can to get rid of it. It is not a small deal, but it
is rectifiable. It always is.”

Three days after the infection occurred, the district’s administrative
office received reports of machines that could not connect to the
district’s network. This prompted officials on 19 December to order
that teachers and staff leave their computers behind during the winter
break. The school district then worked to clean up the infection over
the holidays.

Rockingham County School District’s administration has said the
malware attack didn’t expose any data.

Kacey Sensenich, CTO at the district, reiterated that position to
Greensboro News & Record:

There is no concern when it comes to financial data in Rockingham
County Schools. That is all secure. None of that was compromised. The
worst thing that we’ve had happen is it was able to grab people’s
email and their login information and then re-spam out. We asked
people to change their password. …As far as data, personnel records,
all those horror stories you have, at this time we have no evidence of
that [being compromised] and the security team is helping validate for

The $314,000 contract will cover the costs of rebuilding 20 of the
school district’s servers. Rockingham will also need to pay for the
replacement of teacher devices affected by the malware.
Superintendent Dr. Rodney Shotwell says that amount could be as much
as $834,000.

News of this attack follows several months after ransomware attackers
demanded $19,000 from a California school district for a decryption
key that would unlock its encrypted data.
