Data lost when Perry schools fend off April ransomware attack

The Perry Community School District computer system was the victim of a ransomware attack April 22, a form of computer virus that hijacks your data behind a wall of encryption and makes you pay to get it back.

Rich Nichols

It was a Sunday morning in April, and Perry Community School District Technology Director Rich Nichols and Assistant Technology Director Nancy Iben were working at Perry High School when they noticed the computer system was acting funny.

“It started in our mail server,” Nichols said. “So I went to the mail server, and it looked like it was hung up. So I restarted the mail server to see if it was just hung up. When it came back up and I logged into it, all the files were encrypted.”

That’s when Nichols knew the PCSD computer system was the victim of a ransomware attack, a form of computer virus that hijacks your data behind a wall of encryption and makes you pay to get it back. Ransom demands typically range from $50,000 to $1 million or more.

It looked like the ransomware had the Bluejays by their tail feathers.

“It comes out of India,” Nichols said, “and what they want is Bitcoin, which is electronic money that can’t be traced. You have no guarantee that when you pay them off, they’re going to unencrypt your files, and they typically want upwards of $1 million to release data.”

Public school districts are not exactly notorious for their deep pockets, and the Perry schools didn’t have an extra $1 million lying around to pay ransom to data hijackers.

“These types of attacks aren’t really meant for schools,” Nichols said. “They’re meant for bigger enterprises, like banks and hospitals, places that have the money, and the data is so important that you’re willing to pay that type of money to get it.”

The April 22 Perry attack came exactly one month after the March 22 ransomware attack on the city of Atlanta, where hijackers asked for $50,000 in Bitcoin. Atlanta balked at the ransom and ended up coughing up $2.7 million to recover from the attack. Last summer, hospitals and other businesses across the U.S. and in many other countries around the world were hit by the WannaCry ransomware attack.

Ransomware attacks make your data inaccessible, but they don’t steal your data the way classic hackers do. In February, for instance, hackers breached cybersecurity at Equifax, the national credit-reporting firm, and got away with 143 million people’s names, Social Security numbers, birth dates, addresses and — in some cases — driver’s license numbers, tax identification numbers, email addresses, phone numbers and credit card numbers, including expiration dates.

The PCSD was not the real target of the ransomware but more the victim of a ricochet.

“It wasn’t an intentional attack,” Nichols said. “It was just kind of one of those things that somebody might have had, and it was just forwarded on to one of our staff members. Then it got propagated to us, but it wasn’t an intentional attack on our data. It was kind of a subsidiary. We were an innocent victim of something that’s on a larger scale.”

The PCSD did not suffer the loss of any critical student or district data, partly through the dumb luck that Nichols and Iben were working on a Sunday morning and immediately noticed things going haywire.

“I saw it start to go down,” Nichols said. “Once I saw that, then I shut it down, and so it didn’t have time, once it had propagated through there, to actually propagate to many more systems. So the high school didn’t get hit. The elementary didn’t get hit. The middle school staff did. The administration staff did. Our mail and our technology system that does our imaging and our remote control and all of that was hit, so in the scope of things — to the individuals who got hit, it’s a huge problem — but in the scope of things, it could have been a lot worse. We could have had all the buildings hit and all the student files and staff files hit. Fortunately, we were able to contain it before it got that far.”

In fact, the most sensitive district data never was at risk, Nichols said.

“All of our essential data that we have is hosted,” he said, “so our student information is hosted. Our accounting systems are hosted. Our curriculum software is hosted. So those aren’t in any jeopardy.”

He said the school’s student information, for example, “is hosted by a vendor with probably 20,000 other schools. Those vendors are bigger enterprises that have the ability, the manpower and the money to be able to shield the data from those types of attacks. Our critical systems have all been moved off.”

So while no “critical” or “essential” data was encrypted by the ransomware, much sub-critical and highly useful data was, and the district could not pay the ransom.

“There’s no way we could pay,” Nichols said. “We had to just eat that.”

For example, many teachers had to eat the loss of lesson plans that might have taken years to perfect, and the business office had to eat lost documents with numbers and projections that will take time to reproduce.

“We started rebuilding from scratch,” Nichols said. “We just finished up. It took us about three weeks to get back to running normally, and there’s still a big hit with people who lost data. They’re still trying to rebuild lesson plans and files they’re missing, so it was a big hit. It was a big hit.”

If you have ever had a hard drive fail, one not backed up, then you know what the middle school teachers and central office administrators are feeling. Nichols, the district’s veteran IT head, said the emotional fallout from the breach in cybersecurity has been challenging.

“It’s like losing everything, and it’s a helpless feeling,” he said. “I’ve been here 22 years, and we haven’t had a data loss like this before. So that’s tough, but my job is to protect that so even though it probably wasn’t something I could easily have prevented, I still feel that responsibility of being the guy who keeps all that stuff safe.”

Telling staff members who depend on you for their digital existence that the prognosis is hopeless is hard.

“For us it’s definitely difficult,” he said, “because you’re the bearer of bad news, and you’re the only one that can help, and you have to say, ‘Well, we can’t fix it,’ and that’s rough. A lot of emotions come out during that time, you know. You just work through it.”

Nichols was grateful to his coworkers who worked through the digital trauma without complaint.

“I’ve got to say our staff here was very understanding,” he said. “They worked diligently with us to try to recover the best we could. We spent tons of time getting the data that we could back and getting systems back up in time and making sure not only that they were up but that they were secure and safe.”

If the timing of the ransomware attack was lucky because Nichols and Iben were on duty when it happened and could promptly respond, the timing was also unlucky because the school district had planned to replace those systems in July with new ones that would have prevented the attack in the first place, or at least made restoring the system less difficult.

“It was just one of those things at the end of a lifecycle and bad timing and bad luck,” Nichols said. “Our server systems are between six and seven years old, and our backup-recovery system is just aged, so it has some vulnerabilities to it that I know needed to be corrected. We were in the process of getting the bids and prices for what we are going to do — the project’s going to start July 9 — to replace those servers with some virtualization and some quick and easy backup and restore features and some things like this. We just got hit a little bit before then.”

Public school budgets are chronically tight in Iowa, and technology upgrades must compete with other, equally compelling priorities for limited local and state tax dollars. Nichols said he plans to run a highly secure “fortress” until the new systems go online in July. It is for now a little less convenient for users, but sometimes liberty is the price of security when it comes to public school operating systems.

“It was a nasty little thing that we got,” Nichols said. “I don’t know if we’ll ever be completely whole. We’ve got files that can never be replaced. People may have had family pictures or other things that you can’t replace, but as far as the stuff we use day to day, we’re getting that restored and rebuilt. It’s just a time-consuming process, and it’s definitely a stressful, challenging time. It was a big hit. I’ve got to say that. It was a big hit.”

2 COMMENTS

  1. When this happens, it’s usually preventable, and most likely they didn’t keep up with the latest antivirus software, no current server backups, and they didn’t have good enough rules on their firewall to block a malicious intrusion. This type of attack has been going on for some time, so I give the IT department an F!

  2. Ed, I work in IT, and a lot of issues happen due to social engineering. You can have the best front-end defense in the world but if someone opens an email that looks legitimate and clicks on a link or doc that is infected, that is all it takes to get it inside of the domain system to do its thing. Yes, there are remedies that kick in automatically internally if set up correctly, but there can still be damage done.
