Texas School District Pays Ransom to Regain Access to Files

Port Neches-Groves schools paid an undisclosed amount via bitcoin to a suspected overseas cyberattacker who encrypted millions of the district’s files and issued a four-day deadline to respond to the criminal demands.

by Isaac Windes, Beaumont Enterprise / November 20, 2019

(TNS) — Port Neches-Groves ISD in the Beaumont, Texas, area paid an undisclosed amount of money via Bitcoin to a suspected overseas cyberattacker who encrypted millions of the district’s files and issued a four-day deadline to respond to the criminal demands.

Bitcoin is a virtual cryptocurrency that can be used to buy products and services.

Daniel Fontenot, the director of information services, safety and homeland security for the district, said information technology staff had gained access to almost all of the files as of Monday morning.

“Our whole business and student section is looking good and is up and running,” Fontenot told The Enterprise. “Of course, we could always go backwards, but so far what we have seen working through the night and the weekend is that we are pretty close to about 95 percent utility back.”

School district officials declined to release the exact ransom price, but Fontenot said it was “up there.” The price was negotiated by the district’s insurance company, he said.

While the computer access is being returned, a cybersecurity team retained by the district is doing a thorough analysis of the district’s physical computers and network.

“We are actually touching every computer in the district to try and look at them,” Fontenot said.

A message received by the district on Tuesday morning last week, which investigators believe came from overseas, gave the school a deadline to gain access to the files.

“The letter gave us a timeline of four days to respond for the key and a price,” Fontenot said. “We received the key and began preparing our network for cleaning and decryption.”

As the file access is returned, district officials are still investigating how and where the attackers got into the system. One possibility, Fontenot said, was a fake Google Chrome logo that was found on one of the district’s computers.

“We had found one of those and we are still checking into that,” he said. “Anything we see that’s not the lower core system, that is what we are trying to collect and turn over to this company, saying, ‘We haven’t seen this. I wonder if this has anything to do with it.’”

Moving forward, the district is looking to implement new preventative measures to stop similar attacks in the future.

“We have a few getting ready to install now. One of those is a program to pretest email on the URL side, which would help prevent any of those viruses from coming in,” Fontenot said. “There are a lot of other things we are looking to put in, and different procedures along with that.”

Fontenot said the district staff worked through the weekend to regain access.

“There were so many people helping out here,” he said. “Without this amount of people we wouldn’t be back in this amount of time for sure.”

The attack comes just months after more than 20 government agencies in Texas were attacked by similar ransomware, highlighting the increasing danger of this type of attack.

“Whether you work for a school district, other government entities, the private sector, or are just using your home computer, the threat of some form of cyberattack is very real,” Texas Department of Information Resources spokeswoman Christy Brisky said.

Brisky called ransomware a “crime of opportunity,” and said “attackers will look for a weakness and use that weakness to commit their crimes.”

All school districts and government agencies can do more to prevent attacks.

Experts who spoke to the Enterprise after the attack last week said the decision to pay or not is a “Catch-22.”

Kierk Sanderlin, head of engineering for the Israel-based Check Point software company, said victims have to weigh the cost of decrypting the infected files, potentially “tens of millions of dollars,” against the cost of simply paying “a couple hundred thousand dollars in ransomware in Bitcoin.”

But paying off the criminals “fuels the fire,” Sanderlin said.

“We’ve seen a tremendous increase in ransomware attacks against school districts,” he said.

For individual staff and students, the Department of Information Resources recommends keeping all software patches and anti-virus tools up-to-date, creating strong passwords and changing them regularly, and enabling multi-factor log-ins.

The department also recommends PN-GISD modernize legacy systems across the district, limit the granting of administrative access and perform regular, automated backups.

Fontenot said that the district “had a system backup structure in place, along with firewall protection and virus software.”

©2019 the Beaumont Enterprise (Beaumont, Texas). Distributed by Tribune Content Agency, LLC.
