The Havre Public Schools superintendent learned via a phone call early Tuesday that ransomeware had hacked and “crippled” the school district’s computer system.
“We’ve got something bad,” said the voice on the other line — a district staff member — at 6:30 a.m.
Superintendent Andy Carlson soon learned that Ryuk ransomware was holding the district’s computer data system hostage.
Despite the major scare, it would eventually be concluded the hackers did not gain access to student and employee information.
As it became clear early on they were dealing with something very serious, district leaders contacted cyber-tech experts, insurance companies and the software support teams responsible for maintaining the employee and student information databases, as part of the overall effort in handling the massive problem. Carlson said they also notified the FBI.
Carlson said school officials, on expert advice, disconnected “everything with a blue cord” — including every computer, telephone, and printer in every district building.
Although the schools still functioned and doors still opened, Carlson said during the crisis, district staff and administration defaulted to using personal cell phones, personal emails and hot-spotting their laptops.
Ransomware is malicious software — also known as malware — that denies access to a computer system or data until the victim pays a ransom. It usually spreads through phishing emails or when someone unknowingly visits an infected website, according to the U.S. Department of Homeland Security.
How much money did the attackers demand?
The long-time superintendent said he didn’t know the precise number. But the amount was so outrageously beyond the district budget that an exact number was irrelevant.
“They’re talking tens of millions of dollars,” Carlson said Friday afternoon, adding that Ryuk wanted the ransom paid in Bitcoins.
The amount Carlson cited is high, even for this particular cybercrime group. According to LMG security, a Missoula-based cybersecurity group, groups such as Ryuk have been associated with demands in the $100,000 range. Dark Reading, a leader in cybersecurity news, reported the average initial ransom demand from Ryuk attacks tallied $377,000 during the third quarter of 2019.
Ryuk appeared on the Internet scene in 2018. The malware identifies and encrypts network drives and resources and deletes shadow copies on the end point, or devices such as laptops, tablets, printers, or mobile phones connected to a network. The attackers can disable the “restore” option for users, making it impossible to recover from the attack without external back-ups.
There was no indication the attackers knew anything about their Montana victims.
“We were not a target,” Carlson said. “Everyone is a target.”
Throughout the “stressful week,” Carlson said he learned that Ryuk is most likely connected to Russian organized crime.
Experts believe Ryuk is most likely the work of Russian actors. It’s credited with wreaking havoc on several victims. In December 2018, the Ryuk ransomware is believed to have caused printing and delivery disruptions for several major U.S. newspapers. Using the malware, the cyber criminals reap millions of dollars from users locked out of crucial files and systems.
Fortunately, the Havre Public School system maintains back-up systems.
“Our backups never got touched. That’s beyond good,” Carlson said, visibly relieved.
The school’s data system was incrementally brought back — and by the end of the week, the district was reset to Feb. 2, the Sunday that kicked off the tumultuous week, Carlson said.
“We’re turning on switches little by little,” he added.
Overall, Carlson said the district permanently lost 20 hard drives and some archival data unrelated to employee and student information, emphasizing a crucial point.
“We have no reason to believe at this time that any student or employee information was compromised,” Carlson said. If that were the case, he added, the public would have to be notified.
Carlson said they don’t know exactly how the malware infected the district website. Chances are district officials will never know. He suspects, however, that the Ryuk ransomware infiltrated the district system through one email and spread to more emails. It marked the first time the district was hit by an attack of this magnitude, Carlson said.
In response to this scare, district leaders have since added some extra tools to help it fend off future attacks. They have implemented end-point detection and response technology, which monitors device and network activity and records the information in a central database for analysis, detection, investigation, reporting, and alerts.
By Friday, all district systems except for the computers in the district’s administration building, the Robins Administration Building, were back up and running.
Carlson still hadn’t turned on his computer. He was still a little leery about doing so.
“I’m scared when I turn my computer on,” he said.
One thing he’s sure about is a barrage of emails awaits. One of those emails is from The Havre Herald, as we attempted to reach him for days for information about the incident.
Although visibly relieved, Carlson was reluctant to claim complete victory.
“It’s never over,” he said, implying the potential for future insidious cyber attacks.
The week was stressful, but fortunately, “We 100% had a plan.”
Update Feb. 13: Carlson said the computers at Robins have also been turned on the system is functioning the way it’s supposed to be.
Write to Paul Dragu at firstname.lastname@example.org
Do you appreciate this news story? Subscribe to a Herald membership and help independent journalism continue. We can’t do it without your support.