The Mountain View Los Altos Union High School District was the victim of a ransomware attack, which has locked some teachers and staff out of their computer files and taken down the district’s phone system.
District officials discovered the attack Wednesday (Jan. 29). According to Bob Fishtrom, the district’s director of information technology services, there isn’t evidence thus far that any student or staff data was compromised, though he said it hasn’t yet been conclusively determined.
“It has not been a terrible disruption to our teaching and learning environment, fortunately,” Fishtrom said. “Besides that, our number one priority is student safety and the safety of student data and the privacy of student data.”
He declined to say how the attackers accessed the district’s network, noting that the district isn’t yet positive and he wants to refrain from commenting until the source is known definitively.
According to Fishtrom, the district appears to have been the victim of a “Sodinokibi” ransomware attack, a form of ransomware he said has been around since last April.
“It encrypts files and then asks for a ransom in order to get the cipher in order to unencrypt,” Fishtrom said. “It’s almost like a ‘National Treasure’ movie.”
The district has cybersecurity insurance, which is covering the costs of responding to the attack, beyond a $50,000 deductible.
District officials are working with an outside firm, Kroll, that is investigating the breach. The firm also has a third-party negotiator, who can help negotiate the ransom if the district decides to go that route.
“We’ll have to cross that bridge when we get there,” Fishtrom said. “And that’s going to be a decision that our leadership and board of trustees will have to work on collectively, based on the advice that Kroll will be giving us.”
Discovering the attack
The district first got wind of the attack around 5:30 a.m. Wednesday, when an employee tried to log in to her Gmail account and received notification that her password had been changed. When district staff tried to change it remotely, they realized that they couldn’t access the remote server.
“By the time we got to the office, I could tell that it was ransomware, right away, unfortunately,” Fishtrom said.
All of the district’s servers were taken offline to prevent any further spread of the ransomware.
The district’s insurance provider connected staff with Kroll, a firm that specializes in dealing with these types of attacks, Fishtrom said. Kroll provided the district with Carbon Black, a software tool being installed on every computer. The software helps protect the machines, but also allows Kroll to see the extent of what was infected.
Of the roughly 600-700 Windows machines in the district, Fishtrom estimated 40-50 were encrypted by the attack. The district’s phone system is also down. Calls can still be made internally, but calls can’t be made to numbers outside the district, and incoming calls can’t be received.
The district is working with Portola Systems, which had already been hired to upgrade the district’s network, to help get the phone system back online. The district may also distribute an analog phone system next week to use in the interim, Fishtrom said.
A few staff members reported receiving notifications of fraudulent activity on their personal credit cards. However, according to Fishtrom there is no evidence the notifications are related to the ransomware.
The impact of the breach has been limited because teachers and students do much of their work in Google Drive, which doesn’t appear to be affected, Fishtrom said.
The student information system, which is used for grading and recording attendance, is cloud-based and there is no evidence it has been compromised, according to Fishtrom. The district has also contacted the county’s office of education, which provides the district’s internet, and the county has not observed any malicious behavior.
Anyone whose system was breached will have more sophisticated passwords going forward, Fishtrom said. The district has been able to reset passwords and restore access for teachers who were locked out.
“That’s another thing we’re learning – passwords need to be taken far more seriously,” he said.
The district has thus far not engaged with a ransom note that was left in a text file on the affected computers. The note indicates a website to visit, but Fishtrom said doing that typically starts a timeline, putting a deadline on when ransom must be paid. If the ransom isn’t paid, he said typically hackers threaten to release confidential data.
A specific amount isn’t listed in the note, but Fishtrom said from his research, it appears to often start at $2,500. A school district in New York paid $88,000 in cryptocurrency last year after a similar attack. The district’s insurance would cover the ransom if the district chose to take that route, Fishtrom said.
Before the ransomware attack, the district was already in the process of improving its network. The district has contracted with Portola Systems to help with network upgrades and enhancements, including overhauling the district’s Wi-Fi system.
Portola Systems had already received the hardware and was preparing to do the installation over a weeklong break in February. The district also was planning to upgrade its phone systems, though not over the February break.
“With the upgrade we’re doing right now, we had purchased a piece of software called Cisco Umbrella that also would have prevented this,” Fishtrom said. “We’re obviously a couple of weeks short.”
Updated: This article has been changed to reflect that the reports of fraudulent credit card activity were related to employees' personal credit cards, not district cards as officials initially reported.