LOS ANGELES — A ransomware attack targeting the sprawling Los Angeles school district has caused an unprecedented shutdown of its IT systems as schools find themselves increasingly vulnerable to cyber breaches at the start of a new year.
The attack on the Los Angeles Unified School District has raised alarm bells across the country, from urgent talks with the White House and the National Security Council after the first signs of ransomware were discovered late Saturday night to word changes from mandatory passes for 540,000 students and 70,000 district employees.
Although the attack used technology that encrypts data and will not unlock it unless a ransom is paid, in which case the district superintendent said no immediate demands for money were made. made and schools in the nation’s second-largest district opened as scheduled on Tuesday.
Such attacks have become a growing threat to American schools, with several high-profile incidents reported since last year as pandemic-forced reliance on technology increases the impact. And ransomware gangs have in the past planned major attacks over US holiday weekends, when they know IT staff will be reduced and security experts relax.
While it wasn’t immediately clear when the LA attack began — officials only said when it was detected and a district spokesperson declined to answer further questions — the discovery from Saturday night reached the highest levels of the federal government’s cybersecurity agencies.
According to a senior administration official, this model of support was consistent with the Biden administration’s efforts to provide maximum assistance to critical industries impacted by such violations.
The official, who spoke on condition of anonymity to discuss the federal response, said the school district did not pay a ransom, but would not go into detail about what may have been stolen or damaged and on the systems affected by the breach.
The White House’s response to the Los Angeles incursion reflects growing national security concern: A Pew Research Center surveyreleased last month, found that 71% of Americans say cyberattacks from other countries pose a major threat to the United States
Authorities believe the LA attack originated internationally and have identified three potential countries where it could have originated, although LA Superintendent Alberto Carvalho did not specify which countries could be involved. Most ransomware criminals are Russian speakers who operate without interference from the Kremlin.
LA officials did not identify the ransomware used.
“It was an act of cowardice,” said Nick Melvoin, vice president of the school board. “A criminal act against children, against their teachers and against an education system.”
So far this year, 26 US school districts – including Los Angeles – and 24 colleges and universities have been affected by so-called ransomware, according to Brett Callow, ransomware analyst at cybersecurity firm Emsisoft.
With victims increasingly refusing to pay to have their data unlocked, many cybercriminals instead use the same technology to steal sensitive information and demand extortion payments. If the victim does not pay, the data is dumped online.
Callow said at least 31 of the schools affected this year had data stolen and posted online, and noted that eight of the school districts had been affected since August 1. The upsurge in schools at the end of the summer holidays is certainly no coincidence, he said. .
“It’s the No. 1 threat to our safety,” said Los Angeles Police Department Chief Michel Moore. “He is an invisible enemy and he is tireless.”
Tireless – and expensive, even outside of any monetary demands. A ransomware extortion attack in Albuquerque’s largest school district forced schools to close for two days in January, while the city of Baltimore’s response to a 2019 hit on its computer servers cost more than $18 million.
The Los Angeles attack was discovered around 10:30 p.m. Saturday when staff first detected “unusual activity,” Carvalho said. The perpetrators appear to have targeted facility systems, which involves private sector contractor payment information – which is publicly available via records requests – rather than confidential details such as payroll, health and other details. other data.
He said district IT officials detected the malware and stopped it from spreading, but not before it infected key network systems, requiring passwords to be reset for everything. staff and students.
Authorities rushed to track down the intruders and limit potential damage.
“We basically shut down every single one of our systems,” Carvalho said, noting that each had been checked and all but one — the facilities system — restarted late Monday night, when the district first informed the public of the cut.
On Tuesday, federal authorities separately warned of possible ransomware attacks by the criminal syndicate known as the Vice Society, which allegedly disproportionately targeted the education sector.
Authorities have not said whether they believe Vice Society was involved in the Los Angeles attack, and the group did not respond to a request for comment on Tuesday.
“The fact that a joint cybersecurity notice regarding Vice Society was released days after the LAUSD attack was discovered may be telling, especially since this gang has frequently targeted the education sector in the United States. States and the United Kingdom,” said Callow, the ransomware specialist.
The Vice Society first emerged in May 2021, and rather than a single variant, it used ransomware widely available in the Russian-speaking metro, according to security researchers. Among the victims claimed by Vice Society are the Elmbrook School District in Wisconsin and the Savannah College of Art and Design.
Ransomware gangs routinely disband after high-profile attacks such as last year’s Colonial Pipeline incident, which sparked runs at gas stations. Their members are then reconstituted under new names.
Amid pressure to cancel school in Los Angeles on Tuesday, authorities ultimately decided to stay open.
If the activity had not been discovered on Saturday evening, Carvalho said there could have been “catastrophic” consequences.
“If we had lost the ability to operate our school buses, over 40,000 of our students would not have been able to get to school, or it would have been a very disrupted system,” he said.
The district plans to do a forensic audit of the attack to see what can be done to prevent future incursions.
“Every teacher, every employee, every student can be a weak point,” said Soheil Katal, the district’s chief information officer.