IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Missouri School District Confronts Ransomware Without Paying

A ransomware attack caused a disruption last week for Park Hill School District in Kansas City, Mo., but the district opted to work with the FBI and recover on its own using backups instead of paying the ransom.

Ransomware attack, binary code
(TNS) — Park Hill officials confirmed Tuesday that a ransomware attack was the cause of the major system outage that forced the school district to cancel classes early last week.

Park Hill's computer systems locked up on the morning of Sunday, March 21, and officials noticed that someone had encrypted several files to try to force the district to pay a ransom, said Derrick Unruh, director of technology. He said ransomware likely got into the district's systems when a student or staff member clicked on an infected link in an email or website, compromising their username and password.

"Fortunately our system backups were fully secured and protected in the outage, so we decided to move forward with recovery on our own rather than pay the ransom," Unruh told the school board at its meeting last Thursday. District officials previously declined to disclose most details of the incident, including that it was a ransomware attack.

The district turned to national experts and the FBI to investigate. Such attacks on K-12 schools have been skyrocketing in recent years, including during the COVID-19 pandemic, when a district's digital infrastructure has become more crucial than ever.

"This is not over," said Paul Kelly, Park Hill's assistant superintendent for business and technology. "And so we are still in the investigation mode. And I would anticipate it to take weeks or months for us to ... review the data and then for us to use that information to continuously improve and fortify our systems further."

Park Hill was forced to cancel school on Monday and Tuesday last week. Many students were on the bus on their way to school before the cancellation was announced Monday. It was supposed to be the first day that middle and high schoolers would return to classrooms full time since the beginning of the pandemic.

Officials said they were pleased with the quick response to the outage and recovery effort, which allowed students to return to school last Wednesday. All students and staff members were required to change their passwords, among other steps.

"We want to acknowledge the seriousness of this event," said Jeanette Cowherd, superintendent of the district, in Platte County. "This was a major event and a major attack on our infrastructure."

Unruh said officials have found no evidence of data being stolen. He said the Secret Service and FBI agents confirmed that stealing data was likely not the intent of the attack.

That's a major relief for school officials, as well as parents and students, considering hackers are known for stealing and selling data during ransomware attacks. Officials have said that the district's security systems prevented unauthorized access to personal information.

Unruh said that several of the district's computer systems were affected, but he would not name specifics due to safety concerns. He said the district has more than 300 different systems used for operations. They include systems for learning management, finance, video surveillance, classroom intercoms, door access control and wireless connectivity.

By Tuesday of last week, he said most of the systems were restored and fully operational. On Thursday, the district was continuing to repair some final systems and determine whether there were any potential threats to the district's cybersecurity, he said.

"Based on our evidence, we did not find any persistent threats in the network," he said.

Bridget Patton, a spokeswoman for the FBI in Kansas City, said she could not comment on the ongoing investigation.

Nationally, the FBI warned last year that K-12 schools should expect a surge in ransomware infections during remote learning.

A joint advisory issued by the FBI and cybersecurity agencies reported that in August and September last year, 57 percent of all reported ransomware cases involved K-12 schools, up from 28 percent from January through July.

A ransomware attack in Baltimore County in Maryland forced schools to cancel classes for five days around Thanksgiving, according to The Baltimore Sun. Also last fall, personal data was stolen from Toledo Public Schools in a similar attack, news outlets reported. And earlier this month, Buffalo Public Schools in New York faced a ransomware attack, The Buffalo News reported.

The FBI has warned that hackers target schools because of their increased use of technology and sometimes limited resources for cybersecurity protections. Park Hill officials said they were grateful to have invested in enhanced security and technology in recent years, and will continue to explore improvements to the system.

The district in Kansas City's Northland had a K-12 enrollment of just under 12,000 students and 1,800 teachers and staff members.

(c)2021 The Kansas City Star (Kansas City, Mo.) Distributed by Tribune Content Agency, LLC.