The Rockville Centre school district paid almost $100,000 to restore its data after being hacked with a ransomware virus that encrypted files on the system’s server until payment was made to unlock the information, officials said Friday.
The Nassau County district was among several statewide targeted by a ransomware virus that encrypts data, essentially locking users out of access to their files. Mineola's server was corrupted by the same ransomware, known as "Ryuk," but the district said it did not have to pay a ransom to unlock data because it had everything backed up offline.
Rockville Centre Superintendent William Johnson said the payment, covered by the school's insurance, was necessary to restore the district's communications systems, as well as other data needed to run day-to-day operations after the cyberattack in July.
"Look, nobody wants to pay anything, but if they encrypted the files and I don’t have access to them, it is difficult to run a school district without any historical data or emails, most of which were encrypted," Johnson said. "In order to get those files, we had no way to decrypt them, and any of the tools we had access to . . . were not effective."
Ransomware has threatened several large governments and schools throughout the country and is believed to be coming out of Eastern Europe, according to news reports. Ransomware is a type of malware that targets data and systems for extortion and is delivered through targeted phishing emails, according to the FBI. After the user has been locked out of the data or system, there is a demand for payment, the agency said.
Robert Dillon, superintendent of Nassau BOCES, which provides technological services and support to 56 school districts, said ransomware "is introduced innocently into an organization as an email," and an employee mistakenly opens it and clicks on a link, or opens an attachment. "And the malware enters your system to find a place to hide, and at a future time it erupts and corrupts your system. The people who send it, they sell it to a third party, which encrypts it, and then a ransom is demanded."
The state Education Department sent a notice to all districts July 31 about a cybersecurity threat reported in four districts: Syracuse, Watertown, Lansing and Rockville Centre. Officials advised "educational agencies that believe they may be compromised/infected with ransomware" to contact several agencies, including the state's Division of Homeland Security and Emergency Services. The attack crippled the Syracuse city school district's computer system in July, according to news reports.
In Rockville Centre, Johnson said the district caught the virus before it encrypted all the files when its technology director noticed an issue with email and "literally pulled the plug" on the entire system. Officials worked with the insurance carrier to help arrange payment to the hackers.
"We have since gotten a decryption tool and are well along in the process of returning our data and emails to our original status, but it takes a long time and a lot of work," Johnson said.
He said the district, which has about 3,500 students, had cybersecurity measures in place and reported the attack to law enforcement.
"Whoever does this appears to be very good at it and they are able to get around all of the hurdles that we purchased and put in place to avoid those types of attacks," Johnson said.
A spokesman for the Division of Homeland Security and Emergency Services said Friday that its Cyber Incident Response Team and the state’s Intelligence Center have communicated with the affected districts and are ready to provide assistance. But officials also declined to name the districts.
Representatives from the FBI's New York field office did not return a call for comment. The FBI, in a document on its website advising agencies how to prevent and mitigate damage from ransomware, calls it the "fastest-growing malware threat."
As a precaution, the state Education Department on July 29 requested that its regional information centers and Big 5 school systems — Buffalo, Rochester, Syracuse, Yonkers and New York City — take the state's data warehouse offline to scan for malware and vulnerabilities.
"The recent ransomware incidents are a stark reminder to all of us," read the state's advisory. "It is incumbent upon our school districts and BOCES to take this seriously."
Those who don't pay have to rebuild the servers and "everything has to be scrubbed," Dillon said. He recommended that school districts back up data into a secure cloud location to thwart such attacks.
School leaders in Mineola said the district's server was hacked in early August. Superintendent Michael Nagler said at no time was there a breach of data in the district, which enrolls about 2,700 students.
"This virus is designed to encrypt the backup as well," he said. "Fortunately, we had taken our backup offline over the summer to do some work and we have a full backup and we did not need to pay a ransom or deal with the bad guys at all. And we were able to rebuild our network and clean it."
Files are still being cleaned, and Nagler said he expects to have them back next week.
Nagler said district officials notified the Division of Homeland Security, as well as the district's insurance carrier, to cover the cost to restore the systems.
He said the hackers did not access any personal information, as the district's business portal was not impacted. Rather, the virus encrypted documents and other data saved to the server, including Microsoft applications such as Word, Excel and PowerPoint.
"Every Word document I ever created, I don't have," he said.
In Lynbrook, Superintendent Melissa Burak notified parents in February of an attack of the "Emotet" virus on the school's network. The notice said no data was corrupted or at risk, and a spokesman for the district said there was not a ransom demand.
However, Burak said in the notice that the virus shut down the school's email, forcing the district to shut down the server and rebuild it. She also said "since the malicious creators of this virus scour websites for personal information, we will no longer post staff emails on our website."
According to an FBI document on ransomware prevention and response:
- Ransomware targets home users, businesses and government networks and can lead to temporary or permanent loss of sensitive or proprietary information. It is usually delivered through spearphishing (a more targeted type of email).
- Attackers often enter the organization by tricking a user into disclosing a password or clicking on a virus-laden email attachment.
- Ransomware may direct a user to click on a link to pay a ransom; however, the link itself could be malicious and lead to additional malware infections.
To protect networks, the FBI recommends:
- Educate your personnel by implementing an awareness and training program. Attackers often enter the organization by tricking a user into disclosing a password or clicking on a virus-laden email attachment.
- Enable strong spam filters.
- Scan incoming and outgoing emails and set anti-virus and anti-malware programs to conduct regular scans.
- Back up data regularly.
- Conduct an annual test and vulnerability assessment.
- Secure your backups.
- If you are infected with ransomware, isolate the infected computer immediately. Isolate or power off affected devices that have not yet been completely corrupted. Immediately secure backup data or systems by taking them offline.
- If possible, change all online account passwords and network passwords.