May 19, 2021 was supposed to be just another day at the end of the school year at Sierra College, a community college in Rocklin, California. Instead, hackers hit the school with ransomware, throwing it into chaos.
“We are experiencing a major cybersecurity event this morning that is impacting the majority of services at Sierra College,” Tom Benton, the school’s chief technology officer, wrote in an email to all staff, which Motherboard obtained through a Freedom of Information request. “Several people are reporting ransomware screens on their computer screens to encrypt data. If the message is seen on a computer screen please unplug the computer from the network and do not use the system until further notice.”
Sierra College was just one of 1,043 schools and colleges—part of 62 school districts and the campuses of 26 colleges and universities—hit by ransomware hackers in 2021, according to Emsisoft, a cybersecurity company that tracks ransomware incidents. The company reports that, so far in 2022, there have been 27 districts with 1,735 schools hit with ransomware.
“Attacks on schools are commonplace for one very simple reason: they’re profitable. Like legitimate businesses, when cybercriminal enterprises hit on a strategy that works well, they’ll repeat it over and over,” Brett Callow, a security researcher at Emsisoft, told Motherboard. “The only way to stop attacks on the education sector is to make them unprofitable, and a big part of that requires bolstering security in schools so that they don’t need to pay.”
Vice Society (no relation to VICE Media), a notorious ransomware gang, has taken credit for nine ransomware hacks against U.S. schools this year, including one earlier this month that hit Los Angeles Unified School District, the second largest district in the United States. The hackers are threatening to release files related to the hack at the end of this week.
Sierra College holds the dubious honor of having been on both years’ lists. In August of this year, two days before the beginning of the fall semester, the college was hit by another ransomware attack, though this one had a limited impact, and just two days later most systems were back up online.
Motherboard filed Freedom of Information requests with 52 public schools, school districts, and colleges for emails and communications related to the ransomware attacks. The documents obtained give an insight into how schools dealt with these incidents: alert staff, put a stop to classes, engage forensic and legal services, sometimes suspend computer and internet access, and attempt to restore normalcy as soon as possible.
It took more than two weeks for Sierra College to clean up the damage and have most of its systems back up and running. In the meantime, school officials sent regular emails updating staff about the progress in remediating the attack.
“Every Sierra College employee and student will be asked to play an important role by resetting their password once systems become available,” read another email from Benton.
Instead of paying the ransom, the school decided to replace the encrypted hard drives, ordering 300 new hard drives for a total of $18,667.94, according to the emails.
Corry Area School District in northwestern Pennsylvania had to make the same decision, as “the district IT staff along with the local police and an outside agency investigated the issue and concluded that the data is not restorable from the servers,” according to emails obtained by Motherboard. “This means that there will be no computer or network access available until further notice.”
The aftermath of the hack at Sierra College was chaotic.
“I’m doing a presentation on the Chancellor’s Office webinar this morning. Hopefully it doesn’t pop up on my screen! Lol,” Willy Duncan, the president of Sierra College, wrote to Benton on the day of the hack, referring to the ransomware request screen. “Scary stuff, it’s been happening so often lately across so many businesses.”
Two days later, a student emailed Benton asking for help after their computer started “acting funny” and they couldn’t log into their college account.
Benton emailed a colleague asking her to follow up with the student and “confirm the current cybersecurity issue we are experiencing is not transmitted to other computers unless they are District computers on our network and on campus.”
“The last thing we need is people to start blaming their personal PC issues on our cyber attack,” Benton wrote.
A couple of weeks after the attack, John Deaderick, a professor, emailed Benton saying he was able to update his password without having to use two-factor authentication.
“I’m interested in understanding how you were able to reset your password without having a device available to get the pin # required to reset your password,” Benton responded.
“Thank you Tom. If I could remember how I reset my password, I’d tell you,” Deaderick said.
“Lol! Fair enough,” Benton quipped back.
Ironically, the hack on Sierra College happened just a couple of weeks after Benton emailed a listserv of chief information security officers working in the education sector, asking if anyone had recommendations for mandatory cybersecurity courses for staffers.
How the Cloud Can Stop Ransomware
The ransomware attacks did not impact all schools the same way. For example, when hackers infected the systems of Victor Central School District in New York, they did force the school to close, but several of the school’s systems were not impacted because they were hosted on cloud-based systems, and other systems were backed up and so relatively easy to restore, according to internal emails.
Still, after the attack, Kelli Eckdahl, the director of the school’s educational technology, wrote in an email that the “District is completely disconnected from the Internet, cannot bring back up until it’s clean and state says ok (they will ask us), we have to do things in a certain order to ensure it’s clean.”
“At this point, any machine that connects to district network will become infected – we have disconnected all machines in district to prevent any additional spread,” Eckdahl wrote. “Everything has been disconnected to the network and will need to be wiped out and reinstalled upon verification of clean data.”
Relying on cloud services, or using Chromebooks, which are essentially machines that only run a browser, are ways schools can avoid severe damage when hackers hit. Another is to have backups that are on a separate network, meaning they don’t get hit when ransomware infects the other machines. That’s what happened to Affton High School in Missouri, which didn’t even have to consider paying hackers given that their backups were not impacted by the ransomware.
Requests Denied
Unlike Sierra College, Victor Central School District, and the Corry Area School District, some other public schools denied Motherboard’s FOIA requests.
Some, like Logansport Community School in Indiana and Mesquite Independent School District in Texas, argued that “all of the information at issue consists of information that was created to mitigate a cybersecurity incident. Release of the information could and would afford future threat actors the means by which to mount future ransomware attacks against the District and will subject the District to further scrutiny and potential targeting by threat actors and as such is not subject to disclosure.”
A representative of the Hazleton Area School District in Pennsylvania denied the FOIA request citing a part of the state’s Right To Know Act that excludes some documents from disclosure such as “documents or data relating to computer hardware, source files, software and system networks that could jeopardize computer security by exposing a vulnerability in preventing, protecting against, mitigating or responding to a terrorist attack.”
Another school district, the Manhasset Union Free School District, denied the request to release documents alleging that the documents are exempt because “disclosure would interfere with law enforcement investigations.”
Several others, such as Allen Independent School District in Texas, the Union School District in Iowa, and Whitehouse Independent School District in Texas, argued that they couldn’t release the documents because all communications about the incident were protected by attorney-client confidentiality given that the school cc’ed a legal firm in emails about the ransomware attack.
These denials leave a gap in transparency and the public’s understanding of the way schools have had to deal with ransomware attacks.
Adam Marshall, the senior staff attorney at the Reporters Committee for Freedom of the Press, and an expert in FOIA requests, said that this is a common practice that can be legitimate, but it has also been abused so that government entities “can later argue that those communications are privileged.”
“Simply copying a law firm on emails is not enough as a general matter to establish the attorney-client privilege,” Marshall told Motherboard in a phone call, explaining that the communications that could be protected can only be those related to “obtaining legal advice or legal services.”
Knowing how ransomware is hitting and affecting schools “is immensely important for the public to know more about, for the parents in these jurisdictions to know more about, for the students in these jurisdictions to know more about,” Marshall said. “The public should be able to know what is happening in these schools and how it’s affecting them.”
Moreover, Marshall added, even if the communications are indeed protected by attorney-client privilege, the government organization involved can still decide to disclose and publish the relevant documents; that is at the discretion of these entities.
In the case of Sierra College, the school did not claim this privilege, and released several emails that detail how the school dealt with the ransomware attack that almost paralyzed it for days.
Roughly two weeks after getting hit by ransomware, Sierra College came back online.
“This week we restored most of our systems and are getting back to our focus on teaching and learning,” the school wrote in a statement. “This was an attack directed at our networks and impacted several servers as well as hundreds of desktop computers. As part of the attack, some information was encrypted by malicious software, malware, that limited our access to important information. Through multiple processes we now have access to most of that information and have been able to bring most services back online.”