Ransomware assault closes Baltimore County public faculties


Baltimore County, Md., Public schools remain closed on Mondays and Tuesdays as officials respond to a cyberattack that forced the district to cancel distance learning for its 115,000 students just before Thanksgiving.

The attack, which was first spotted late Tuesday evening, affected the district's websites and distance learning programs, as well as its rating and email systems, officials told WBAL-TV.

Schools were closed on Wednesday, a day earlier than planned for Thanksgiving. On Saturday, the district announced on Twitter that courses on Monday and Tuesday would be closed for two more days due to "the recent ransomware attack".

On Sunday, the district announced on Twitter that while the Chromebooks it was giving out to students would be closed, the Chromebooks would be safe to use, as would school-linked Google accounts. The district said students should not use Windows-based devices that they released "until further notice."

At a press conference on Wednesday afternoon, officials could not say when school would start again. "We don't currently have a schedule," said Dr. Darryl L. Williams, the superintendent.

Kathleen S. Causey, chairman of the Baltimore County Board of Education, said the situation was "very worrying". The students, she added, "trusted us to provide education and other opportunities". Officials declined to provide details of the attack, including the claims that were made.

The Baltimore County district began the 2020-21 school year with all students studying from a distance – a period of "virtual teaching" that the district said would last at least until January. Thereafter, the district said it expected to "take turns" offering a "hybrid" plan that included face-to-face tuition for "targeted students" several days a week. The district would also allow students to continue studying if they prefer.

The coronavirus, which can easily spread when people gather indoors, is leaving students and educators with little time to prepare for distance learning.

The digital infrastructure that enables remote learning is increasingly viewed as a target for cyberattacks. Schools store more data online without elaborate plans to protect that data and face public pressure if that data is compromised, said Reuven Aronashvili, the founder and CEO of CYE, a cybersecurity company.

Local governments, and schools in particular, are "quite low in cybersecurity maturity," Aronashvili said in an interview.

The cyberattacks schools are exposed to are increasingly ransomware attacks where users are locked out of their data by an unauthorized person who promises to unlock the data if a ransom is paid.

This was done with the Baltimore County's public schools, according to Jim Corns, the district's executive director of information technology. At last week's press conference, he said the district's data had not been stolen or released, but locked in a way that prevented school officials from operating.

"This is a ransomware attack that encrypts data while it is, rather than accessing it or removing it from our system," Corns said. "So we're using this as a ransomware attack."

Mr Aronashvili said ransomware "works primarily with print elements."

"If you can apply enough pressure, someone pays," he said. "In the end, that's the entire business model."

Financial data at banks, for example, is usually tightly secured and their owners usually have well-established rules against paying ransom, Aronashvili said. Local governments and schools typically have a lot of personal information and less elaborate plans to keep it secure or to ward off attacks, he said.

Attackers noticed.

At least 44 school districts have reported ransomware attacks so far this year, according to Cybersecurity Resource Center K-12, which tracks incidents in schools across the country. Last year there were 62. In 2018 there were only 11 reports.

Doug Levin, the center's founder, said he expected 2020 to end with roughly the same number of ransomware incidents as 2019. He warned that the data may not include every attack as there is no single standard for reporting cybersecurity incidents across school districts.

"Since the pandemic, learning stops when a school district experiences an incident," Levin said. "It is this loss of resilience that Covid has brought to light."

At last week's press conference, Baltimore County Police Department chief Melissa R. Hyatt declined to provide details of the investigation, but said local, state and federal agencies would help.

On Wednesday, almost 10 hours after the school district confirmed the ransomware attack on Twitter, the F.B.I. The Baltimore field office said it was aware of the incident but declined to comment.

On Sunday, a Baltimore County police spokeswoman referred questions to the county school officials. Messages to school officials were not returned immediately.