A criminal group hacked one of the country’s largest school districts’ computer system, encrypting district data and requesting $40 million in ransom or erasing the files and publishing students’ and employees’ personal details online.
Broward County Public Schools said in a statement on Thursday that no personal information had been compromised and that it had made no extortion payment to the ransomware group, which had posted screenshots of its online talks with the district to its dark web site last week as an apparent pressure technique.
The district, which is located in Fort Lauderdale, said it is partnering with cybersecurity experts to “investigate the incident and remediate affected systems.” All services are being restored, and progress is being made. “We are not going to pay a ransom.” According to the hackers’ screenshots, after two weeks of back and forth, the district decided to pay $500,000, at which point the ransomware criminals apparently ended negotiations.
Outside of its announcement, the district declined to comment further. Broward is the nation’s sixth-largest school district, with 271,000 students and a $4 billion annual budget — a point the hackers kept bringing up as they requested $40 million in cryptocurrency. The ransomware shut down the district’s computer system for a brief time in early March, but classes were not interrupted.
The Conti gang said early in their negotiations with a district official, whose name does not appear in the screenshots and has not been released, “It is a possible sum for you.” Its data-locking ransomware is one of the top ten ransomware strains.
The Broward negotiator responded, “This is a PUBLIC school district.” “You can’t really believe we don’t have anything comparable!” It was unclear whether the representative was a district employee or a hired ransomware negotiator, as is frequently the case.
The FBI normally investigates such assaults, but it wouldn’t say if it was looking into this one on Thursday.
Over the past three years, a ransomware outbreak has afflicted government agencies, enterprises, and individuals. The bulk of the gangs are Russian-speaking and located in Eastern Europe, where they are protected by tolerant governments. The more advanced groups pre-identify their targets, infect networks through phishing or other methods, and often steal data while installing malware that encrypts a victim’s network.
After the ransomware has been triggered, the criminals demand money in exchange for the malware’s decryption and a promise not to share — or sell — stolen data online. The data may be trade secrets in the case of companies. It may be Social Security numbers, bank account numbers, or birth dates in the case of merchants or government agencies. Conti said it stole Social Security numbers, birth dates, and other student and employee details from Broward’s system.
Ransomware attacks on public school districts have been widespread. Last year, the Baltimore County, Maryland, Fairfax County, Virginia, Hartford, Connecticut, and Fort Worth, Texas, districts were among those affected. According to the Cybersecurity and Infrastructure Protection Department, elementary, middle, and high schools have been steadily targeted in recent months. It was revealed in December that K-12 schools were responsible for 57% of all reported attacks in August and September, compared to 28% in January and July.
According to Emsisoft analyst Brett Callow, ransomware attacks interrupted learning at 1,681 schools, colleges, and universities in 2020 and at least 544 so far this year. Personal information was made public in seven districts.
Because of the liability and stigma attached to victims, many ransomware cases go unreported. Since victims and hackers negotiate on dark websites that researchers learn about through shared malware samples, where attackers usually leave ransomware notes with instructions and requests, cybersecurity firms have good data on ransoms charged. A whole industry has sprung up to assist victims in their emergency situations.
According to cybersecurity company Palo Alto Networks, the average ransom charged to hacking gangs nearly tripled from $115,000 in 2019 to $312,000 in 2020. According to the survey, the highest ransom charged by a company doubled last year, from $5 million to $10 million.
Conti said it was willing to negotiate with Broward after the gang’s initial $40 million demand, saying it would consider $15 million in Bitcoin if it could be shipped within 24 hours. Otherwise, it would upload the personal data it claimed to have and lock the operating device forever. Conti argues that the district’s legal claims for losing the data would cost more than $50 million, so it can consider the demand a bargain.
Conti told the district, “Pay $15 million and you guys are guaranteed to fix your problem.”
The district said that it still couldn’t afford it and that it didn’t have access to Bitcoin in either event. Since cybercurrency is difficult to track, ransomware gangs demand payment in it.
Conti escalated its threat by alleging that it had discovered derogatory information about an unspecified royal family in Broward’s database, which the district’s negotiator dismissed as ridiculous.
The negotiator answered, “What do you mean by a royal family… we are a public school district.”
Conti ultimately lowered its demand to $10 million after a two-week negotiating period. The district countered with a $500,000 bid. That is the most recent screenshot.
“The negotiation is strange,” said Emsisoft analyst Callow. “The Conti extortionists are seasoned extortionists, so it’s strange that they didn’t seem to realise who they were dealing with and requested a sum that a public school system will never offer. I’m at a loss for words.”