The Rockville Centre School District has paid $88,000 to restore data that was lost in a July 25 ransomware attack, officials said. The district was one of two in Nassau County that was targeted by a virus that encrypts data, preventing users from accessing their files. School records were held hostage until payment was received in mid-August.
Most of the payment was covered by the district’s insurance, and was necessary to restore data files throughout the district, according to Superintendent Dr. William Johnson. The district, he said, was attacked by the Ryuk virus, which was discovered the morning of July 26 by Director of Technology Mike Anderson.
Anderson acted fast to stop the virus from further infecting district files, according to Johnson. “He recognized there was a problem with email and shut down the entire system immediately,” the superintendent said. “By acting as quickly and thoroughly as he did, he was able to limit the damage to our data files and emails.”
After learning of the attack, Johnson said, officials reported it to local police, the U.S. Department of Homeland Security and the FBI, and contacted the district’s insurance carrier.
“All communications were re-established and fully operational by Monday, July 29,” said Johnson, noting that the student management system was un-touched. “Our financial management system had been encrypted, but we were able to restore our data from a backup.”
He said that a team of technology specialists worked to “clean and reimage every desktop and laptop” in the classrooms and offices throughout the district. He and Anderson “worked for 19 days straight” to resolve the problems. As of now, Johnson said, systems including security, food service and transportation have been restored, and the recovery of historical data and email is nearly complete.
“Recovery of these files and emails requires an extensive cleansing process that ensures no file or email has a virus attached to it,” Johnson explained. “While this is a slow process, we expect to have our files by the opening of school and most of our emails soon after that.”
While the district has firewalls and anti-virus software, Johnson said, “This particular virus was able to evade detection.”
“We’re not the only targets here,” he added. “These people are very skilled at what they do, even though we put barriers in place to prevent them.”
Several large governments and schools across the country have been crippled by ransomware, malware that targets data and systems for extortion. The virus is delivered through targeted phishing emails, and news outlets have reported that the malware is believed to come from Eastern Europe.
After discussions with the local police departments and Homeland Security, Johnson said he believed it was possible that the virus entered the district’s system as early as March and lay dormant until late July.
“Neither agency, however, had a decryption tool that would effectively enable us to restore our data,” he said, adding that no other aid was offered.
The Mineola School District was also targeted by the same ransomware virus, but was able to avoid paying a ransom because the district had taken its backup offline during the summer, so it was disconnected from the system at the time of the attack.
“Unfortunately, this is something that is happening more and more frequently,” Nassau BOCES District Superintendent Robert Dillon said. “Throughout our country, government and education sectors are being targeted very directly by various [Distributed Denial of Service], malware and ransomware such as Ryuk.”
Dillon said that the attacks often happen when an employee unwittingly opens an email attachment or clicks on a link, unaware that it contains a virus.
“Typically, these infections come in the form of seemingly benign emails with a link or an attachment that, once opened, will infect an IT network or system,” he said. “Malware such as Emotet can lie dormant on networks and systems for months before an attack. At this point, critical credentials are often collected from elevated accounts and systems. These credentials are used to spread the malware across networks. Then it deploys, locking out important files and blocking user access to accounts.”
Dillon explained that once malware such as Emotet spreads and the delivery of a virus or ransomware is complete, the impact on systems can vary, but is always serious.
“Ransomware encrypts files on various systems in hopes of collecting ransom from the infected party. Once the ransom is paid, the party is given a decryption key to ‘unlock’ their files,” Dillon said. “Oftentimes, if the ransom is not paid, systems must be decommissioned, cleaned and in many cases rebuilt. This process is costly and very intrusive for the infected organization.”
According to Johnson, the ransom demand was reduced from the initial request of $176,000 to $88,000 because the district was “able to shut down the cyberattack early in the encryption
The district was required to pay a $10,000 deductible, and the rest of the ransom was covered by its insurance policy. Johnson said there would be no impact on local taxpayers. since deductibles are budgeted. He also stressed that paying the ransom was a “difficult decision” that was ultimately unavoidable.
“Many of our files would not have been recovered without paying the ransom,” he said. “In addition, there was no guarantee that email records could be recovered in a timely manner, which could cost a couple hundred thousand dollars. What really turned the corner was when we realized we would not be able to recover student files.”
Johnson said that many high school students’ projects might have been lost, and the district did not want to risk losing files that students might need this school year or for college applications. Once the ransom was paid, he said, the decryption tool was provided “within the hour.” The priority now, he said, is for the district to find a more robust backup system to avoid further intrusion, if possible. The Board of Education and administration will work with cybersecurity experts, the FBI and Homeland Security over the next few months to secure a more effective antiviral and backup system.
While the virus caused some glitches over the summer, Johnson said the district is prepared for the return of its roughly 3,500 students, and a “seamless start of school” is expected next week.
“Thank God this happened over the summer,” he said. “We are fully operational, and expect no interruption to the start of school.”
The next Board of Education meeting is on Thursday, Sept. 5, and residents are expected to raise the matter with school officials.