First day of school shut down by ransomware attack in Connecticut

Hartford Mayor Luke Bronin said the attackers did not make a specific ransom demand after shutting down systems for 40 schools.

The Hartford School District in Connecticut has become the latest victim of a ransomware attack, disrupting the first day of school for thousands of children. 

In a statement on the school district's website, administrators said they were informed by the city's Metro Hartford Information Services that a ransomware attack had caused a disruption of critical systems, and that as of Tuesday, restoration of those systems had not been completed, forcing them to postpone the first day of school to Wednesday.

"This includes the system that communicates our transportation routes to our bus company and it is preventing our ability to operate schools on Tuesday," the statement added. During a press conference, Hartford Mayor Luke Bronin said system administrators discovered the problem on Saturday.

Bronin noted that the hackers had not actually asked for a specific ransom and only provided an email address to contact them. More than 18,000 students at 40 schools were affected by the attack but Bronin said no information had been stolen and that thanks to improvements made last year, government officials were not fully locked out of city systems. 

The attack went beyond the school systems, impacting 200 of the city's 300 computer servers as well as police department systems for report writing and video cameras. City officials are now working with the FBI to identify the people who may have launched the attack.

"We are often the subject of cyberattacks. This was, however, the most extensive and significant attack that the city has been subject to...certainly in the last five years," Bronin said at the press conference.

The incident highlights the precarious position of thousands of schools across the country that are kickstarting hybrid learning systems and are now heavily reliant on computers and devices to educate children in person as well as at home in light of the coronavirus pandemic.

Another school district in the state was hit with ransomware attacks twice last year, prompting state officials to ask schools to beef up their cybersecurity.

Karen Walsh, a parent and cybersecurity compliance expert based in West Hartford, said school districts like the one in Hartford have had problems keeping up with the kind of security protocols that would keep them safe from an attack like the one that occurred this weekend. 

"As a parent, I've spent a lot of time discussing cybersecurity with my child's elementary school while also worrying about the vast amounts of data schools collect today," Walsh said. "Many school systems, such as Hartford, struggled to rapidly accelerate their infrastructure to meet student distance learning needs."

This year has been especially rough on school districts and administrators as they struggle to open their doors, both virtually and in person during this pandemic, said Erich Kron, security awareness advocate with KnowBe4. 

Like many other cybersecurity experts, he said cybercriminals likely knew the attack would put enormous pressure on school officials to pay a ransom and avoid the anger of parents.

"Attacks like this serve to not only cause significant delays in opening, which is very frustrating to many, but also erode the public's trust in the modified school programs even further and the timing is unfortunate because of how many families are already struggling to deal with the online programs and schedules," he said. 

"The timing of this, on the cusp of a holiday weekend in the US, should not be considered accidental. Attackers have been attacking municipalities and school districts right before long weekends, as they count on staffing being minimal and response times being longer simply because people are away on vacation and unavailable to respond as quickly. Recovering from this will be especially difficult due to the additional workload already caused by supporting a virtual and an in-person opening and the modified school and transportation schedules."

According to Chester Wisniewski, principal research scientist at Sophos and an expert in ransomware, gangs continue to increase the sophistication of their attacks, and enterprises are likely to see targets being selected more strategically to maximize the impact of the disruption.

Wisniewski noted that it was not an accident that the attackers hit the school district on the first day of school. They likely knew that administrators and school officials would be pressured into fixing systems as quickly as possible due to the negative reaction from parents, which is precisely what happened. 

"We may see similar targeting around Election Day or the upcoming Christmas shopping holidays. It is heartening to hear that Hartford is not negotiating with the criminals behind this, and we hope this sets a new standard moving forward for others to follow," Wisniewski said.

Tips for schools 

Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said most organizations do not separate computer systems by their function, meaning that end-user systems at highest risk of compromise, such as laptops and desktops, have direct access to "high value" server class systems.  

"It's easy to speculate that if the situation at Hartford School District was similar to this the damage from the attack may have been limited if they had firewalled off the transportation systems from other systems," he said.

It is still unclear how the Hartford School District was attacked, but Wisniewski said that, based on previous attacks, the district was likely compromised through Remote Desktop Protocol (RDP) exposed externally for remote management, with either phished or previously stolen credentials used in credential stuffing attacks.

Wisniewski added that all remote control and management tools need to utilize multifactor authentication and should be behind a VPN or only locally available. 

"Even if these tools are not externally exposed, multifactor should be used in all remote control situations, as it only takes compromising one PC to be 'on the inside,'" Wisniewski said.
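To make the RDP credential-stuffing scenario Wisniewski describes concrete from the defender's side, here is an added example (not from the article or any vendor quoted in it) that screens Windows Security logon events for the pattern: many failed RemoteInteractive logons from one source across distinct accounts, followed by a success from the same source. Event IDs 4625/4624 and logon type 10 are the standard Windows values; the events, names and IP addresses are constructed for illustration.

```python
"""Flag credential stuffing against RDP in Windows Security logon events.

EventID 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive (RDP). Sample data below is constructed.
"""
from collections import defaultdict


def ev(time, event_id, logon_type, user, src_ip):
    """Build one minimal logon event record (constructed, not a real log)."""
    return {"time": time, "event_id": event_id, "logon_type": logon_type,
            "user": user, "src_ip": src_ip}


# Constructed sample: one source sprays five accounts over RDP, then gets in.
SAMPLE_EVENTS = [
    ev("2020-09-05T02:14:01", 4625, 10, "jsmith", "203.0.113.7"),
    ev("2020-09-05T02:14:03", 4625, 10, "mjones", "203.0.113.7"),
    ev("2020-09-05T02:14:05", 4625, 10, "admin", "203.0.113.7"),
    ev("2020-09-05T02:14:06", 4625, 10, "transport_admin", "203.0.113.7"),
    ev("2020-09-05T02:14:08", 4625, 10, "helpdesk", "203.0.113.7"),
    ev("2020-09-05T02:14:09", 4625, 10, "jsmith", "203.0.113.7"),
    ev("2020-09-05T02:15:30", 4624, 10, "transport_admin", "203.0.113.7"),
    # Benign: a staff member mistypes a password twice, then logs in.
    ev("2020-09-05T08:01:10", 4625, 10, "kwalsh", "198.51.100.20"),
    ev("2020-09-05T08:01:25", 4625, 10, "kwalsh", "198.51.100.20"),
    ev("2020-09-05T08:01:40", 4624, 10, "kwalsh", "198.51.100.20"),
    # Console (type 2) failures are outside the scope of this RDP check.
    ev("2020-09-05T08:30:00", 4625, 2, "jsmith", "10.0.5.12"),
]


def find_rdp_stuffing(events, min_failures=5, min_accounts=3):
    """Return {src_ip: summary} for sources with >= min_failures failed RDP
    logons spread over >= min_accounts distinct usernames, noting any
    account the same source later logged into successfully."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:          # only RemoteInteractive logons
            continue
        (failures if e["event_id"] == 4625 else successes)[e["src_ip"]].append(e)
    alerts = {}
    for ip, fails in failures.items():
        users = {e["user"] for e in fails}
        if len(fails) < min_failures or len(users) < min_accounts:
            continue
        last_fail = max(e["time"] for e in fails)   # ISO timestamps sort lexically
        later_ok = {e["user"] for e in successes.get(ip, []) if e["time"] > last_fail}
        alerts[ip] = {"failures": len(fails), "accounts": sorted(users),
                      "succeeded_as": sorted(later_ok)}
    return alerts


if __name__ == "__main__":
    for ip, info in find_rdp_stuffing(SAMPLE_EVENTS).items():
        print(ip, info)
```

A source that both sprays accounts and then succeeds is the case worth paging on; the thresholds are starting points to tune against a site's own baseline of typo-driven failures.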

Kron highlighted that ransomware is most often spread through phishing emails or remote access portals and that it was key for organizations to ensure that backups are tested and kept secure to help with the recovery of the encrypted files. 

Organizations need to look carefully at proactive measures such as the security controls related to their remote access options and ensure that employees are trained and tested in the art of spotting and reporting email phishing attacks before the ransomware can be launched and cause the damage, Kron said.

Piyush Pandey, CEO at Appsian, said the key for maintaining security during this time is to ensure that a "layered approach" is being used, including multifactor authentication, single sign-on, and sensitive data masking. 

Enterprises should maintain heightened levels of visibility over data access and usage, but this can be difficult with legacy applications, Pandey said, adding that all institutions should be aware that cybercriminals know their systems are under stress and are likely to leverage that stress to increase the likelihood of payment after a ransomware attack. 

Pandey added that the Hartford School District attack highlights why visibility into database-level access is so vital, because the cybercriminals were in the network for 48 hours before they were caught.

"Understanding exactly what was accessed during that time will be challenging," Pandey said. "The true damage done may take a while to be uncovered." 