The computer system of one of the nation’s largest school districts was hacked by a criminal gang that encrypted district data and demanded $40 million (roughly Rs. 293 crores) in ransom or it would erase the files and post students’ and employees’ personal information online.
Broward County Public Schools said in a statement Thursday that there is no indication that any personal information has been stolen and that it made no extortion payment to the ransomware gang, which as an apparent pressure tactic last week posted screenshots of its online negotiations with the district to its site on the dark web.
The Fort Lauderdale-based district said it is working with cybersecurity experts “to investigate the incident and remediate affected systems. Efforts to restore all systems are underway and progressing well. We have no intention of paying a ransom.” The district did, after two weeks of back and forth, offer to pay $500,000 (), at which point the ransomware criminals apparently ended negotiations, according to the hackers’ screenshots.
The district declined further comment outside its statement. With 271,000 students, Broward is the nation’s sixth-largest school district with an annual budget of about $4 billion (roughly 23,900) — a fact the hackers kept returning to as they demanded $40 million (roughly Rs. 293 crores), to be paid in cryptocurrency. The ransomware caused a brief shutdown of the district’s computer system in early March, but classes were not disrupted.
“It is a possible amount for you,” the Conti gang said early in its negotiations with a district official, whose name does not appear in the screenshots and has not been released. Its data-locking malware is one of the top 10 strains of ransomware.
“This is a Public school district,” the Broward negotiator replied. “You cannot possibly think we have anything close to this!” It was unclear if the representative was a district employee or, as is often the case, a hired ransomware negotiator.
The FBI usually investigates such attacks but said Thursday it would not confirm if it was investigating this one.
An epidemic of ransomware attacks has been plaguing government agencies, businesses, and individuals for the past three years. Most are Russian-speaking gangs based in Eastern Europe and enjoy safe harbor from tolerant governments. The more sophisticated groups identify their targets in advance, infect networks through phishing or other means, and often steal data as they plant malware that encrypts a victim’s network.
After the ransomware is activated, the criminals demand money to unlock the malware and refrain from posting — or selling — stolen data. In the case of corporations, that data could be trade secrets. In the case of retailers or government agencies, it could be Social Security, bank account numbers, and birth dates. Conti claimed it stole from Broward’s system Social Security numbers, birth dates, and other student and employee information.
Public school districts have been frequent targets of ransomware attacks. The districts of Baltimore County, Maryland; Fairfax County, Virginia; Hartford, Connecticut; and Fort Worth, Texas, were among those hit last year. Elementary, middle, and high schools have been increasingly targeted in recent months, according to the Cybersecurity and Infrastructure Security Agency. In December, it said that K-12 schools accounted for 57 percent of all reported attacks in August and September as compared to 28 percent for January through July.
Overall, ransomware attacks disrupted learning at 1,681 schools, colleges, and universities in 2020 and at least 544 so far this year, said analyst Brett Callow at Emsisoft, a cybersecurity firm. Seven districts had personal data published.
Many ransomware cases go unreported due to the liability and stigma attached to victims. Cybersecurity firms have good data on ransoms paid in part because negotiations between victims and hackers occur on dark websites that researchers learn about through shared malware samples where criminals typically leave ransomware notes with instructions and demands. An entire subindustry has also emerged to help victims manage emergencies.
The average ransom paid for to hacking gangs nearly tripled from $115,000 (roughly Rs. 84 lakhs) in 2019 to $312,000 (roughly Rs. 2.2 crores) in 2020, according to the cybersecurity firm Palo Alto Networks. It said the highest ransom paid by an organisation doubled last year to $10 million (roughly Rs. 73 crores), up from $5 million (roughly Rs. 36.6 crores) in 2019.
In Conti’s negotiations with Broward, after the gang’s initial $40 million (roughly Rs. 293 crores) demand, it said it was willing to negotiate: it would accept $15 million (roughly Rs. 109 crores) in Bitcoin but it had to be delivered within 24 hours. Otherwise, it would upload the personal information it claimed to have and permanently lock the computer system. Conti said legal claims against the district for losing the data would exceed $50 million (roughly Rs. 366 crores), so it should consider its demand a bargain.
“Pay $15M (roughly Rs. 109 crores) and you guys are guaranteed to solve your problem,” Conti told the district.
The district insisted it still couldn’t afford it and, in any case, didn’t have access to Bitcoin. Ransomware gangs demand payment in cyber currency because it can be difficult to trace.
Conti upped its threat by suggesting it had found damaging information about an unnamed royal family in Broward’s database — an allegation the district’s negotiator found absurd.
“What do you mean about a royal family… we are a public school district,” the negotiator replied.
The negotiations continued for two weeks, with Conti eventually lowering its demand to $10 million (roughly Rs. 73 crores). The district made its $500,000 counteroffer (roughly Rs. 3.6 crores). That is the last screenshot posted.
“The negotiation is bizarre,” said Callow, the Emsisoft analyst. “The Conti operators are experienced extortionists, so it’s odd that they seemed not to know who they were dealing with and demanded an amount that a public school district was never likely to pay. I can’t explain it.”
Orbital, the Gadgets 360 podcast, has a double bill this week: the OnePlus 9 series, and Justice League Snyder Cut (starting at 25:32). Orbital is available on Apple Podcasts, Google Podcasts, Spotify, and wherever you get your podcasts.