Ransomware Hits Baltimore County Schools Thanksgiving Eve
- By Dian Schaffhauser
County Public School
students returned to class via remote instruction,
while the district continued dealing with a ransomware attack that
struck the day before Thanksgiving. Students lost two full days of
instruction after the malware hit the district's website, email and
learning system and forced school offices to close early on
Wednesday. The district serves 115,000 students.
to local reporting, school officials learned about the malware on
Wednesday morning, after it was discovered late Tuesday night. On
Nov. 25, the district used its social media channels to confirm the
security event. "We were the victim of a Ransomeware [sic]
attack that caused systemic interruption to network information
systems," officials stated on Twitter.
"Our BCPS technology team is working to address the situation &
we will continue to provide updates as available. For now, please
don't use BCPS device."
school system announced
that district-issued Chromebooks and Google accounts were safe to
use, but Windows-based devices weren't. By Monday, the district had
provided a website page listing "steps
to perform a confidence check"
on Windows computing devices. Users with infected machines--both
students and staff--were told to hand in their school devices and get
replacements. The school also provided a link to a video
showing how to restore users' OneDrives to a previous state from a
days before the attack was discovered, the state had issued a
finding that the computer network for the school system failed to
safeguard sensitive personal information and posed other serious
risks. As the audit stated, "Significant risks existed within
BCPS' computer network. For example, monitoring of security
activities over critical systems was not sufficient and its computer
network was not properly secured. In this regard, publicly accessible
servers were located in the BCPS internal network rather than being
isolated in a separate protected network zone to minimize security
risks." The audit found that 26 "publicly accessible"
servers were located within the internal network and that "network
resources were not secured against improper access from students
using wireless connections and high school computer labs."
a cybersecurity expert reported that the school system had been aware
since February of security problems in its internal network and
firewall configurations. "I personally informed the school
system of an exposed domain controller running SMB v1 in May 2019,
which was one of dozens of servers that appeared to be running that
vulnerable version of the Windows network file sharing protocol,"
said Sean Gallagher, senior threat researcher at Sophos,
in a statement. "A county spokesperson said that he would pass
the information along to the IT department, but I never heard back
teacher whose own machine was infected told a local
that people who infect school systems with ransomware during COVID
"should really have their own level of hell devoted to them."
suggested that K-12 school systems were especially vulnerable
currently to ransomware "because of budget and talent
constraints to their IT operations." As the security expert
noted, "The stress of having to support remote learning for
students and faculty since March has not made things any easier, and
has dramatically increased the attack surface of most schools'
networks. It will require thoughtful restructuring of how districts'
networks are configured to prevent further attacks such as these, and
a defense-in-depth approach that includes every device students and
teachers connect to the network with."
officials haven't stated whether they intend to pay the ransom.
However, they have been in contact with local and federal law
enforcement, as well as the state's emergency management agency, for
help with the criminal investigation.
Dian Schaffhauser is a senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning. She can be reached at [email protected] or on Twitter @schaffhauser.