School officials faced a sticky wicket over the past week when deciding whether to pay the ransom sought by the criminal cyber actors.
While the school system will eventually be able to rebuild its servers and network on its own, not paying the ransom could still come with a cost.
Ransomware hackers usually threaten to publicly disclose the data they’ve stolen if their victim doesn’t pay up by the deadline. To prove their point, they often post samples of the data they’ve stolen as a warning of what’s to come.
The hackers fired a salvo Monday by doing just that: a list of about two dozen Haywood County substitute teachers’ names and personal phone numbers was published on a data leak site.
“This is the equivalent of a kidnapper sending a pinky finger,” said Brett Callow, a threat analyst with the cyber security firm Emsisoft.
Haywood County Schools leaders issued an announcement late Tuesday confirming a data breach in connection with the cyber attack.
“We have now confirmed a data breach occurred. We are taking every possible step to eliminate any potential harm to staff, students and affiliates,” Superintendent Dr. Bill Nolte said.
While Callow has no knowledge of the attack against Haywood County Schools, he shed light on how these things usually play out.
The first leak is usually benign, intended to show the hackers have the goods they claim to have. A full data dump comes later as a deterrent to their future victims.
“You don’t have a successful business model if you let your victims go,” Callow said.
The ransomware actor that targeted the school system calls itself SunCrypt. Its data leak site on the dark web lists Haywood County Schools as one of several recent targets, which it refers to as “clients.”
“Represented here companies don’t wish to cooperate with us,” the SunCrypt data leak site states. “Watch for their databases and private papers here.”
Exactly what data the cyber criminals got their hands on is not yet known, however.
“At this point, the forensic work has not determined the extent of specific data that was stolen. The completion of forensic work often takes weeks,” Nolte said. “We ask staff, students and parents to monitor for any suspicious activity.”
The school system, aided by its cyber security insurance company, will provide support for those who may have had confidential information stolen.
“When the forensic work is complete, we will put appropriate privacy protection measures in place for those among us who were impacted,” Nolte said.
The school system has cyber security insurance and would only be on the hook for its deductible — with insurance picking up the tab for the remainder of the sum. School systems and local governments with such policies typically fork over a deductible of around $10,000 should they choose to pay the ransom.
In a stance akin to not negotiating with terrorists, however, school leaders refused to pay, following the advice of state and federal law enforcement working the case, who urge victims not to give in because paying would only reward the ransomware hackers.
The Haywood County School Board met behind closed doors for over 90 minutes Monday evening on the cyber attack. The briefing brought school board members up to speed on details related to the criminal investigation that can’t be disclosed publicly.
The school board convened again for an emergency meeting Tuesday on a timely development related to the cyber attack, but it was also confidential.
Haywood County Schools joins a growing list of local government entities being hit by ransomware attacks. Last week, the city of Rocky Mount was hit by a similar ransomware attack, as were school systems in California and Arkansas.
Haywood County Schools has been highly transparent about the ransomware attack, sharing as much information as it legally can as it becomes known.
“As a school system that works to be transparent, it can be difficult to share disturbing news with our students, staff, parents, and community,” Nolte said. “In announcing the ransomware attack last Monday, we wanted everyone to understand a data breach was possible.”
That is not always the case for some ransomware victims. A school system in Mansfield, Ohio, was outed this week by local media for covering up a ransomware attack that occurred months ago but was kept secret from parents and employees.