[BreachExchange] Rockville Centre Schools Pay $90,000 Ransom To Hackers

Destry Winant destry at riskbasedsecurity.com
Wed Aug 28 02:13:48 EDT 2019


Late last week, Rockville Centre School District officials disclosed
to the public that the district paid nearly $90,000 in ransom to
hackers that had encrypted all of the district's files.

According to school officials, on Thursday, July 25, the district was
attacked by the Ryuk computer virus, which encrypts all of the files
on networks it infects. The hackers who uploaded the virus then
demanded a payment to give the district the decryption key so it could
regain access to the files.

This kind of attack, known as ransomware, is becoming increasingly
common. It has affected schools, businesses, hospitals and more around
the world in recent years.

On the morning of July 26, the district's director of technology
noticed a problem with the email system and shut it down, the district
said, which limited the damage to the district's systems. After the
shutdown, the district said it contacted the Rockville Centre Police
Department, the FBI and the Department of Homeland Security (DHS).

"[The FBI and DHS] were instrumental in helping us identify the virus
which may have entered this system as early as March 2019 and lay
dormant in the system until
July 25, 2019," the district wrote. "Neither agency, however, had a
decryption tool that would effectively enable us to restore our data
and emails and no other aid was offered to us."

The district's insurance carrier covers cyber attacks. After exploring
options, the district determined that paying the ransom requested by
the hackers would be much more cost efficient than trying to recover
and decrypt all of their files.

Because the district was able to stop part of the attack, the ransom
was lowered from $176,000 to $88,000. The district paid a $10,000
deductible to its insurance company, which covered the rest of the
ransom. The district said that, because its insurance deductibles are
calculated as part of the budget, there was no new cost to taxpayers.

No information was stolen, the district said. The FBI and DHS
carefully reviewed the school's systems and determined that no student
or teacher information was taken. The goal of the attack was to make
the district pay to get access to its data again, not to steal it.

"Our priority now is to learn from this experience and use this
knowledge to find, if available, a more robust backup system that can
avoid intrusion by outside viruses," the district wrote. "We will work
with our board and cyber security experts, including Homeland Security
and the FBI, over the next few months to determine ways of securing
more effective antiviral and backup systems for the district."

Because the district regained access to all of its files, the attack
will not affect the opening of school, the district said. The district
is still working to clean any traces of the virus from its systems,
but expects to have all of the files cleared by the start of school,
and all the email cleared soon after.

The Board of Education is holding the first meeting of the new school
year on Sept. 5, and there will be a discussion of the attack and the
decision to pay the ransom. The public is invited to attend to hear
from the board and to voice any concerns they may have.
