Ransomware Hits Baltimore County Schools Thanksgiving Eve

Baltimore County Public School students returned to class via remote instruction, while the district continued dealing with a ransomware attack that struck the day before Thanksgiving. Students lost two full days of instruction after the malware hit the district's website, email and learning system and forced school offices to close early on Wednesday. The district serves 115,000 students.

According to local reporting, school officials learned about the malware on Wednesday morning, after it was discovered late Tuesday night. On Nov. 25, the district used its social media channels to confirm the security event. "We were the victim of a Ransomeware [sic] attack that caused systemic interruption to network information systems," officials stated on Twitter. "Our BCPS technology team is working to address the situation & we will continue to provide updates as available. For now, please don't use BCPS device."

The school system announced that district-issued Chromebooks and Google accounts were safe to use, but Windows-based devices weren't. By Monday, the district had provided a web page listing "steps to perform a confidence check" on Windows computing devices. Users with infected machines, both students and staff, were told to hand in their school devices and get replacements. The school also provided a link to a video showing how to restore users' OneDrives to a previous state from a week earlier.

Just days before the attack was discovered, the state had issued a financial audit finding that the computer network for the school system failed to safeguard sensitive personal information and posed other serious risks. As the audit stated, "Significant risks existed within BCPS' computer network. For example, monitoring of security activities over critical systems was not sufficient and its computer network was not properly secured. In this regard, publicly accessible servers were located in the BCPS internal network rather than being isolated in a separate protected network zone to minimize security risks." The audit found that 26 "publicly accessible" servers were located within the internal network and that "network resources were not secured against improper access from students using wireless connections and high school computer labs."

However, a cybersecurity expert reported that the school system had been aware since February of security problems in its internal network and firewall configurations. "I personally informed the school system of an exposed domain controller running SMB v1 in May 2019, which was one of dozens of servers that appeared to be running that vulnerable version of the Windows network file sharing protocol," said Sean Gallagher, senior threat researcher at Sophos, in a statement. "A county spokesperson said that he would pass the information along to the IT department, but I never heard back from them."

A teacher whose own machine was infected told a local reporter that people who infect school systems with ransomware during COVID "should really have their own level of hell devoted to them."

Gallagher suggested that K-12 school systems were currently especially vulnerable to ransomware "because of budget and talent constraints to their IT operations." As the security expert noted, "The stress of having to support remote learning for students and faculty since March has not made things any easier, and has dramatically increased the attack surface of most schools' networks. It will require thoughtful restructuring of how districts' networks are configured to prevent further attacks such as these, and a defense-in-depth approach that includes every device students and teachers connect to the network with."

District officials haven't stated whether they intend to pay the ransom. However, they have been in contact with local and federal law enforcement, as well as the state's emergency management agency, for help with the criminal investigation.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
