Schools are off to a rough start this year. Apart from grappling with edtech and security issues in light of the increased use of virtual learning, school districts are being increasingly attacked by ransomware groups. These ransomware threat actors pose a double threat: they not only encrypt a district’s system(s) to make functioning impossible unless a ransom is paid, but they may also exfiltrate copies of the district’s data before encrypting it on the server(s). So even if a district manages to recover from the attack by using a backup, there remains the threat that the attackers will dump personal and sensitive data on the dark web for everyone to grab.
Given that scenario and how much personal and sensitive information districts may maintain on their server(s), districts may find themselves between the proverbial rock and a hard place when a ransom demand is made.
Yesterday, this site reported on three school districts in Virginia, Ohio, and Nevada that had been attacked by Maze threat actors. Of note, the name of one of their victims, Fairfax County Public Schools, was removed from their list of “clients” on their leak site after the media started reporting on FCPS’s breach. The removal of a name from a list may indicate that the victim changed their mind or wound up paying ransom.
Let’s look at three more districts today, starting with two school districts in New Jersey that have also been attacked with ransomware since school reopened this month.
On September 10 and 11, Karin Price Mueller reported that after one day of classes, the Somerset Hills School District closed down their schools because of an “unexpected network disruption” that was later reported to be a ransomware attack. The district does not seem to have updated its status this week, and they did not reveal what type of ransomware was involved.
While Somerset’s attack was in the news on September 11, there was another NJ district that had allegedly also been attacked, but it was not in the news. It appears that we probably need to add Millstone Township School District to any list you may be keeping. Threat actors known as “Conti” have claimed that they are responsible for the attack on Millstone Township School District. That claim was made on Conti’s dark web leak site on September 11.
Millstone Township School District is a relatively small district comprised of three schools covering pre-K through grade 8 (middle school). As proof of their claimed attack, Conti uploaded 15 files. Those files relate to fairly routine district business. No personnel files containing sensitive information or files on students were included in the small data dump. These dumps are generally used to prove to victims that the attackers have data and that, if the victim doesn’t pay up, all of their files will be dumped. It is often difficult for victims to determine exactly what or how much attackers were able to exfiltrate.
Because there has been no statement from Millstone on their web site about any attack nor any media coverage that I could find, DataBreaches.net sent an email asking them if they would confirm or deny Conti’s claims. No response had been received by the time of publication.
Meanwhile, and as reported in the media today, Newhall School District in California canceled online classes yesterday and today after being hit with ransomware over the weekend. The type of ransomware was not disclosed.
These poor districts are no match for Maze. Some can’t even secure their own websites:
[link removed by DataBreaches.net] Millstone Township School District
[link removed by DataBreaches.net] – Somerset Hills School District
And they share login information like this:
“For 2020-2021 bus schedule information, please click here
[link removed by DataBreaches.net]
Note:
· User Name is your child’s firstname.lastname with a period between the first and last name
· Password is your child’s date of birth in the following format mmddyyyy with no spaces or dashes
If you have any problems, contact the Transportation Department at extension 7005.”
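The credential scheme quoted above is guessable from public records: a student’s name gives the username, and the password is drawn from a few thousand possible birth dates. The following is an added example, not code from the article or from either district, showing how a portal or identity provider could measure that exposure and reject date-shaped passwords at enrollment or reset time. The year range and sample passwords are constructed for illustration.

```python
import re
from datetime import date

# Matches the quoted scheme: a date of birth written as mmddyyyy,
# no spaces or dashes (e.g. 09112010).
DATE_PASSWORD = re.compile(r"^(\d{2})(\d{2})(\d{4})$")


def is_birthdate_password(password: str) -> bool:
    """Return True when the password is a real calendar date in mmddyyyy form."""
    m = DATE_PASSWORD.fullmatch(password)
    if not m:
        return False
    month, day, year = (int(g) for g in m.groups())
    try:
        date(year, month, day)  # rejects 13th months, Feb 30, etc.
    except ValueError:
        return False
    return True


def birthdate_keyspace(oldest_year: int, youngest_year: int) -> int:
    """Count the distinct valid mmddyyyy values for the given birth years.

    For a pre-K through grade 8 population this is the entire password
    space, which is why the scheme offers no real protection. The year
    range passed by the caller is an assumption, not data from the page.
    """
    total = 0
    for year in range(oldest_year, youngest_year + 1):
        total += (date(year + 1, 1, 1) - date(year, 1, 1)).days
    return total


def check_password_policy(password: str, min_length: int = 12) -> list:
    """Defensive policy check; returns a list of reasons the password is rejected.

    An empty list means the password passed. Thresholds are assumptions.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.isdigit():
        problems.append("contains only digits")
    if is_birthdate_password(password):
        problems.append("is a date in mmddyyyy form (guessable from public records)")
    return problems


if __name__ == "__main__":
    # Constructed sample: a password in the quoted format versus a passphrase.
    for candidate in ("09112010", "correct-horse-battery"):
        print(candidate, check_password_policy(candidate) or "OK")
    # Assumed birth-year span for a pre-K to grade 8 student body.
    print("possible birthdate passwords:", birthdate_keyspace(2006, 2016))
```

The keyspace count is the number a defender should compare against an online rate limit: with only a few thousand candidates per account and no lockout, the format alone decides the outcome, so the fix is a policy that refuses the pattern plus a reset to a per-student random secret rather than a stronger rate limit by itself.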