Throwback attack: A Thanksgiving ransomware attack shuts down Baltimore schools


As people count down the days until Thanksgiving, it’s the perfect time to take a look at what happened around this time last year in Baltimore. A year and a half after the RobbinHood ransomware attack on Baltimore’s government systems, the Baltimore County Public Schools (BCPS) were hit with another ransomware attack.

On the eve of Thanksgiving in 2020, this cyberattack hit all of the schools’ network systems, such as the district’s website, email and learning system, causing 175 schools to close down for students for two days and forcing school offices to close early that Wednesday. This meant that more than 111,000 students were unable to attend any online classes, which were the only available option due to the ongoing pandemic.

What happened?

In an unprecedented time, such as the pandemic, there were bound to be learning curves and adjustments that had to be made to go from in-person learning to completely online learning. Teachers not only had to create new lesson plans, but they also had to come up with inventive ways to keep students engaged in the material through a screen. What schools may not have accounted for were the vulnerabilities that were more exposed now that everything was online.

School officials learned of the malware Wednesday morning, after it was discovered on Tuesday night. The district turned to its social media accounts to confirm the cyberattack and warn people not to use their BCPS devices.

It was later announced that the district-issued Chromebooks and Google accounts were safe to use, but not the Windows-based devices. By the following Monday, the district shared a website that explained how to perform a confidence check on their devices. Any infected devices held by students or staff were to be handed in and replaced.

Who the attackers were and how much ransom they demanded remains private. The restoration of the schools’ networks is still ongoing, and it has brought other complications, such as issues with payroll and timekeeping systems for employees. This wasn’t an open and shut case that had an immediate solution.

BCPS cybersecurity

There was a financial audit on the schools, days before the attack, that found the school system wasn’t safeguarding sensitive personal information and had serious vulnerabilities. According to an article from The Journal, the audit stated, “Significant risks existed within BCPS’ computer network. For example, monitoring of security activities over critical systems was not sufficient and its computer network was not properly secured. In this regard, publicly accessible servers were located in the BCPS internal network rather than being isolated in a separate protected network zone to minimize security risks.” The audit found that 26 “publicly accessible” servers were located within the internal network and that “network resources were not secured against improper access from students using wireless connections and high school computer labs.”

However, the district should have known about these problems months before the attack, when Sean Gallagher, a senior threat researcher at Sophos, found an exposed domain controller, among other exposed systems, that was running a vulnerable version of a Windows program. He reported his findings to a county spokesperson but didn’t hear back. Gallagher also observed that K-12 school systems were particularly vulnerable to ransomware “because of budget and talent constraints to their IT operations.” He said, “It will require thoughtful restructuring of how districts’ networks are configured to prevent further attacks such as these, and a defense-in-depth approach that includes every device students and teachers connect to the network with,” according to the same article from The Journal.

Why shouldn’t BCPS pay?

One of the biggest reasons people may not report a cyberattack is that their reputation is on the line. A ransomware attack could lower customers’ trust in the company, damage business relationships and leak private company data, hurting employees. Bringing a cyberattack into the public eye can also dictate the outcome, which is why even now BCPS officials are reluctant to give a lot of details about what happened.

When a large number of schools are shut down, their main priority is to get back up and running, so kids don’t fall behind and are able to continue learning; however, a school cannot just pay the ransom, especially once an attack is made public. If schools or companies did pay, even with good intentions, it could further the attackers’ agenda. Not only would the threat actors “win” the encounter, but they would also have the funds to potentially go after others.

Some people might think, “Why not attack bigger tech companies instead of schools?” The reality is schools are easy targets. Cybercriminals see schools as opportunities and want to take advantage of them. Schools are easier to attack than bigger businesses that have complex cybersecurity and money to develop more protection. Most schools haven’t ever focused on cybersecurity.

Increasing ransomware attacks on schools

This isn’t the first time schools have been hit with a cyberattack. For instance, Fairfax County, Virginia, was targeted in October 2020. Only one month before the attack on the BCPS, cyberattackers stole personal data and published it on the web. It is becoming more and more common for schools to be hacked. While Fairfax County classes weren’t shut down, the district did lose community data to a criminal cyber organization called the Maze group, according to a report in The Washington Post.

According to the same article, Brett Callow, a threat analyst with Emsisoft, said in an email that the scale and severity of ransomware attacks are on the rise. “These incidents are becoming increasingly common and increasingly serious with the average demand having increased from about $5K in 2018 to $150,000 to $250,000 today. Multimillion-dollar demands are becoming ever more commonplace. So far this year, at least 63 U.S. school districts and colleges have been impacted by ransomware, impacting learning at up to 1,302 individual schools.”

The aftermath

The district has had to pay for a wide range of programs, services, trainings and licenses that have helped Maryland’s third-largest school system respond to and recover from the attack. The total cost, as of November 2021, is almost $9.7 million according to an article from WYPR. Only $2 million will be covered by insurance, and the case remains under investigation by the FBI.

The takeaway from this is to invest in cybersecurity before being attacked. A lot of cyberattacks can be prevented by being vigilant about updating systems and addressing known vulnerabilities. Cybersecurity isn’t at the top of most people’s list of priorities until it is too late, and by then, they are reacting to the threat and trying to minimize the damage.

Mitigating risks and vulnerabilities will make it harder for hackers to find a way into a system and may deter them if it isn’t their easiest option. Hopefully, more people can learn from this ransomware attack and be able to mitigate their risks for future intrusions, which will allow everyone to have a happy and safe Thanksgiving from now on.
