It will take several more weeks to complete the check of 2,200 Windows computers in the Smyth County school system, but, as of Friday, all but two schools were back online after a ransomware attack last weekend.
Terry Hawthorne, director of technology for Smyth County Schools, said on Friday he and those helping him rebuild the system were installing new anti-malware software and moving to a cloud-based system by Monday or Tuesday.
The move of the system to the cloud had been planned by the administration just prior to this attack, and has been accelerated.
Security consultants are coming to the schools to check for any data breaches, Hawthorne said, although there is no evidence any data was taken.
“I don’t believe any data was taken,” he said. “They weren’t in there very long before we discovered it.”
Superintendent Dennis Carter said earlier this week that “We do not believe any personal identifying information was taken by the cyber criminals. Instead, much like a classic bank robbery, we are being 'held up' and asked to pay big dollars to allow us to regain access to our data. We are going to use our data backups to rebuild our servers, rather than pay the ransom.”
The ransomware attack on the Smyth County school system was discovered Monday morning. Staff at the central office – where the attack was centered – discovered the message on their computers when they came into work.
“Ransomware,” said Carter, “is malware that infects a computer or server and encrypts the documents and other files on the computer or server. The documents are still on the computer, but the victim cannot open them without paying the ransom to the hackers. We are not going to pay the ransom, because that only supports criminal activity, and there is no guarantee that the hackers would provide us with the key we need to decrypt our files if we paid. With the assistance of our insurance carrier, VACORP, we have hired cybersecurity experts who are working with the FBI to investigate the incident.”
The attack, said Hawthorne, was like someone coming to your house while you are out and changing all the locks, then demanding payment for a key that would unlock the doors. You could pay the ransom, he said, but that key may or may not work and the hacker may just take the money and run without providing a way to “unlock” the doors.
Hawthorne said it is critical to have a backup of your system and to connect it only while a backup is running, not all the time. It is even better to run the backup from a different location than where your system is located and to keep it separate from your system to prevent infection.
The ransomware attack on Smyth County Schools did not spread an infection, Hawthorne said. It impacted only the Windows computers, which are just part of the system’s thousands of computers. Most of the system’s computers, especially those used by students, are Chrome devices.
When the attack was discovered, payroll was an immediate concern, Hawthorne said, but it was quickly resolved and employees paid on time. For several years the schools have operated on a cloud-based payroll and accounts payable system so it was easier to retrieve the information for the bank.
“We were able to process payroll as normal using Chrome boxes instead of Windows,” Hawthorne said. The Windows program is being replaced with Chrome boxes, which is a safer system, he said. He created a Linux server to provide IP addresses so the central office could get back online Monday afternoon and make payroll. Other Linux servers were built to replace the Windows servers.
“Thank the Lord for Linux, Chrome devices, and backup!” he said.
Carter said the school system was unable to contact parents electronically about the issue so he wrote a message and copies were provided to every student to take home.
Carter said, “As you may have heard, many localities and school districts across the United States have recently been targeted by cyber criminals. Unfortunately, we have now become a victim as well.”
Hawthorne said those investigating the ransomware – which is a violation of state and federal laws – are pretty sure they know who attacked the system. He wouldn’t identify the source as it is part of the FBI investigation, but the portal through which they entered has been secured.
The attack on Smyth County Schools was most likely not deliberate, said Hawthorne. Hackers who stage such ransomware attacks have software that is constantly searching for a portal through which they can enter a system, kind of like a car thief going through a parking lot jiggling door handles to find one unlocked. They are looking for portals that are open or vulnerable.
Hawthorne said he had heard of no other systems in the immediate area suffering such an attack, but the security company he is working with said this was the fourth case they had worked on this month.
The bright spot, if there is one, said Hawthorne, is that companies are always advising caution with emails and attachments, even from familiar people. “There’s nothing like getting burned,” he said, “to really make it stick.”
Anyone with questions can call the school board office at 276-783-3791.
Carter and Hawthorne both advise people not to pay ransomware demands.
“We won’t pay the ransom because it just encourages criminal behavior,” Hawthorne said. “I would advise anyone. Don’t pay it.”
Computer users are advised to educate themselves about ransomware.
“There are a couple of totally free, non-commercial services that enable people and organizations to unlock ransomed data without needing to pay the ransom,” said Brett Callow of Emsisoft, an antivirus company that is an associate partner in Europol’s No More Ransom Project and has some of the world’s leading ransomware experts on its team.
“The problem is,” said Callow, “most folk don’t know about them and this is especially true in the U.S. as they’re not at all well publicized. The lack of awareness means ransoms are unnecessarily paid or data unnecessarily lost.”