Mountain View Los Altos Union High School District officials continue to grapple with the aftermath of a ransomware attack discovered Jan. 29.
Last week, district officials met with the FBI to discuss the attack, coordinated with a cybersecurity firm to investigate the breach and worked to get phone lines up and running.
“A lot of things are going on all at once and we’re doing our best to control the factors we can control and (are) trying to keep everyone informed,” said Bob Fishtrom, the district’s director of information technology services.
It appears the district was the target of a “Sodinokibi” ransomware attack, likely originating in India, China or Russia, Fishtrom said. The malware took down the phone system and encrypted roughly 40-50 Windows machines, locking some staff members out of their files.
The district has cybersecurity insurance, which will cover the costs of dealing with the incident, beyond a $50,000 deductible.
According to Fishtrom, the district hopes to receive a report from Kroll, the cybersecurity firm it hired, sometime this week laying out next steps. However, he noted that Kroll’s work is thorough and he doesn’t know when the report will be completed.
Administrators have talked to a third-party negotiator Kroll works with, Fishtrom said, to get more information about the typical process of negotiating a ransom. As of the Town Crier’s Monday press deadline, the district had not engaged with a ransom note that was left in a text file on the affected computers.
The note didn’t explicitly mention a ransom amount, instead pointing to a web address. However, engaging with the note typically starts a timeline, Fishtrom said, putting a deadline on paying the ransom.
The fact that the ransom note didn’t indicate any sensitive information was stolen is a good sign, Fishtrom said. There isn’t evidence any student data was compromised, though he added that couldn’t yet be said definitively.
Nine district employees reported fraudulent activity related to their personal Amazon Pay accounts or Amazon credit cards. According to Fishtrom, Kroll representatives initially said this didn’t appear to be related to the breach, but the company continues to investigate further.
Kroll is continuing work to determine how the intruders accessed the district’s network and the severity of the breach. Fishtrom said he’s learned from Kroll that this type of ransomware often enters through screen-sharing software. However, nothing has been conclusively determined.
The district has completed installing Carbon Black on district computers. Carbon Black is a software tool that helps protect the machines and allows Kroll to see the extent of what was infected.
Moving forward, the district is working on a “disaster recovery plan,” which will ensure all of the district’s files are backed up in the cloud. Fishtrom, who started his job this school year, said improving the district’s backups had already been on his agenda before the ransomware attack. Previously, any backups that did exist were stored on-site on the district’s servers.
The district is also working to restore the phone system. Landlines have been set up for use in the case of an emergency. Staff are now setting up additional phone lines on each site. An overhaul of the district’s phone system was already planned before the ransomware attack and is moving forward. The district also is continuing with pre-planned upgrades to its networks, including overhauling the Wi-Fi system.
“We’re just plugging away,” Fishtrom said. “We’re doing everything we can to support our staff and community.”