DataBreaches.net has become aware of yet another school district that fell victim to a ransomware attack.
The Frederick Public Schools in Oklahoma was breached a few months ago, but they had not yet disclosed the incident publicly as they have been working to recover from backups and to notify everyone who may have been impacted.
DataBreaches.net discovered the breach while exploring a new leak site on the dark web.
Today, DataBreaches.net spoke with Superintendent Shannon Vanderburg about the incident, and their response to the attack. The district did not and will not pay any ransom, he informed this site, even though their files were encrypted. At this point, he informs this site, they are back up and running, although in some cases they had to find and use older backups to restore from.
What is still in progress, however, is notifying everyone who may be impacted by the incident.
DataBreaches.net was able to inform the district where files had been dumped on the dark web for the taking, but is not linking to the dump or files. Although many of the dumped files concern routine district functions, many files contained personnel payroll-related information from 2018-2020 as well as vendor payment information. At least one file contained Social Security Numbers of district employees. In one case, a district employee seems to have uploaded her family’s federal tax return for one year, thereby exposing all her personal information as well as her spouse’s and children’s SSN.
None of the files that this site has reviewed so far contained master employee records system, but employees should probably take immediate steps to protect themselves from identity theft or the misuse of their information for fraudulent purposes.
Former and current employees may want to place a security freeze on their credit reports to prevent fraudsters from trying to open new accounts that might require a credit report check. The freeze can be easily removed if it is not needed.
There were also some files in the dump that contained some student names or information, and in one case, a disciplinary incident being investigated by police that named specific middle school students and provided parental phone numbers.
DataBreaches.net did not see any master student record system in the files that have been reviewed so far.
It is not clear to DataBreaches.net from the listing found on a relatively new leak site whether the threat actors have dumped everything they acquired and exfiltrated or if this is just a partial dump. DataBreaches.net has emailed the threat actors to see if they will share more information. Elsewhere, Michael Gillespie of ID Ransomware tweeted some information about the type of ransomware that may have been involved:
Vice Society (“.v-society”) == HelloKitty (“.crypt”) Linux #Ransomware using OpenSSL (AES256 + secp256k1 + ECDSA).
(Sorry can’t share samples due to victim confidentiality) pic.twitter.com/zJTu803m2C— Michael Gillespie (@demonslay335) June 10, 2021
“Vice Society (“.v-society”) == HelloKitty (“.crypt”) Linux #Ransomware using OpenSSL (AES256 + secp256k1 + ECDSA).(Sorry can’t share samples due to victim confidentiality)
Whether that also applied to Frederick Public Schools remains to be confirmed by the district, but they did acknowledge that their files had been encrypted.
Update of June 29: DataBreaches.net received a response from Vice Society, who informs this site that yes, they were responsible for the attack and are not just a site that lists incidents for others. They also confirmed what Superintendent Vanderburg had told this site that they had encrypted files. Importantly, perhaps, they replied that they had published all the data they had for the district:
We always publish all data if company does not pay or ignore us.
So maybe the district got off with a bit of luck that more wasn’t exfiltrated, but of course, that claim has not yet been confirmed by the district.