It didn’t pay ransom, but 2021 cyberattack still cost Pierce County school district
Clover Park School District officials did not pay cyberhackers who infiltrated the district’s computer systems last year, but the attack still exacted a price.
The district cut ties with its cybersecurity firm, after paying $300,000 for 11 years of service, and undertook substantial measures to get its systems back online.
Even now, some district information remains on the dark web, all according to documents obtained by The News Tribune through a public records request.
Since the attack, the school district has ramped up software security, threat detection and response protection.
Due to recent U.S. sanctions and involvement in the Russian invasion of Ukraine, security experts expect an uptick in direct Russian cyberattacks. As the threat of attacks looms, the district’s data breach serves as a reminder to governments and school districts to be careful with their data.
Clover Park was hit by a Russian cyberhacking group known as Grief in May 2021. Grief is a ransomware group with ties to Russia-based Evil Corp, according to software experts.
Brett Callow works at Emsisoft, a cybersecurity firm that helps recover data stolen in ransomware attacks. He said no one program or tactic can guarantee protection.
“It’s really a matter of stacking layer upon layer of protection. Once they have access to the network, they can potentially simply switch off the antivirus or anti-malware protection,” Callow told The News Tribune.
The Clover Park attack
The News Tribune obtained district emails on the cyberattack that detail a rapid IT response and a concern over projected costs from a software company to resolve the data breach.
The head of the Information Technology Department, Craig Cook, emailed staff warning about the cyberattack on May 17. Early that morning, malware began circulating on about 800 computers, which had previously been protected by anti-malware software made by Sophos. There were no reports of student devices being affected, a statement to the school board said.
In an update to the school board, Cook said 600 devices had been restored by May 20. District staff declined to be interviewed for this story but responded to The News Tribune’s emailed questions.
The district believes Grief hackers accessed the school’s system between May 12, 2021, and May 26, 2021. The district declined to share the nature of the attack, citing security concerns.
“Due to our preparedness, CPSD remained operational throughout the event,” district spokesperson Leanna Albrecht said in an email.
On May 19, the district realized its website — cloverpark.k12.wa.us — was compromised. The following day, the district decided to uninstall Sophos. Two hundred computers were still infected, according to emails. All district schools and office buildings were affected, the district told the school board.
The district announced its move to a different website on June 4. The district launched a temporary website at cpsd.cloverpark.k12.wa.us that was used throughout the summer.
Cook told staff in a district email the malware was called Dridex.
Data breaches can begin with an employee clicking a malicious link or downloading an attachment, after which the malware can spread within the district’s system. Dridex is a type of “remote access” software that can be used to do various things, including deploying ransomware that encrypts the data, Callow said.
Grief uploaded school documents to the dark web. The dark web consists of hidden websites that cannot be found through a conventional search engine and that rely on encryption software to provide anonymity for their users.
Screenshots of administrative-leave letters, student-performance results and a photo of children were released and listed as Clover Park School District data. The district’s data was listed alongside data from seven other entities, which also appear to have been hit by Grief, according to webpages viewed by The News Tribune.
In October, Grief also stole data from the National Rifle Association, holding it for ransom, according to the Associated Press. Cybersecurity experts say Grief is a rebranding of Evil Corp.
In 2019, the U.S. Treasury sanctioned Evil Corp and charged two members with criminal violations. The government blamed the hackers for the development and distribution of the Dridex malware.
“Evil Corp has used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft,” a 2019 news release said. “This malicious software has caused millions of dollars of damage to U.S. and international financial institutions and their customers.”
The State Department is offering a reward of up to $5 million for information leading to the capture or conviction of Evil Corp’s leader.
While a school district does not necessarily seem like a profitable target, Callow said, cyber insurance plans can include data-ransom payments, and some schools opt to pay.
“Hackers are nothing but predictable. If they find a particular sector is profitable for them, they will keep on hacking it over and over again,” he said. “Many school districts have cyber-insurance. There is a school of thought which contends that insurance contributes to the problem because organizations are more inclined to pay and pay more if the money isn’t coming from their own pockets.”
Cyberattacks a growing concern
The district was one of dozens of organizations hit by cyberattacks in Washington last year. The state Attorney General’s Office tracks cyberattacks. From July 2020 to July 2021, organizations reported 280 data breaches to the state. That’s a 500 percent increase over the previous year’s 78.
More than 60 percent of the reported cyberattacks were considered ransomware breaches. Nearly three-quarters of all breaches reported this year resulted in a Washingtonian’s name and date of birth being compromised, the state report said.
The office said three school districts were hit: the regional Puget Sound Education Service District, Clark County’s Evergreen Public Schools and Clover Park School District.
Governments and public agencies also were targets last year, including the Washington State Auditor’s Office and the Washington State Department of Labor & Industries, the City of Ellensburg and the City of Redmond.
The cost of fighting malware
Asked how much the ransom was and why it was not paid, Clover Park officials declined to answer because the attack on the district is part of an open FBI investigation.
The Seattle office of the FBI would neither confirm nor deny that an investigation is underway, citing Department of Justice policy.
“However, any person or entity who is the victim of a cyberattack should report it to us,” the office said.
When Cook reached out to Sophos for help the day the district discovered the breach, he was told too many computers had been affected for the software to run properly, an email said. The company told the school district the cost for “rapid response” service would be $744,000. After 11 years as a customer, Cook was upset that Sophos offered no help or advice on malware removal.
Since 2010, the district has paid $313,217 to Sophos for ongoing security monitoring, Albrecht said.
“My entire team of 17 technicians has been working since 7 a.m. removing the malware machine by machine, and will probably be here all night. I am extremely disappointed and feel that the trust we placed in Sophos has been completely broken,” Cook told the software company.
Sophos told The News Tribune the company works closely with schools across the country to help secure networks and protect sensitive data. With Clover Park, Sophos cut its price to help.
“Recognizing the unique pressures that today’s schools face, Sophos offers a significant discount to school districts; in this situation, we understood time was of the essence given early indicators of attack, so we extended the discount even further in an effort to quickly deploy a dedicated incident response team to provide advanced security and 24/7 monitoring across more than 10,000 computers,” company spokesperson Lesley Sullivan said in an email.
Sophos later emailed Clover Park staff after Cook’s complaint, according to district emails. The software company offered its rapid response services at a discounted $372,000.
Rather than contract with Sophos for cleanup and recovery, the district used a forensic investigator approved by its insurance provider, Washington Schools Risk Management Pool. Clover Park is covered by the provider’s data privacy and cybersecurity insurance, Albrecht said.
“Sophos is a malware detection application and one measure of security. Insurance is a different measure of support, which does not provide protection from malware,” Albrecht said.
The district reviewed potentially affected files to determine whether any sensitive information was accessed, Albrecht said. The investigation was concluded on Aug. 27 when the district sent letters to those “whose sensitive information was present on the potentially affected computer systems,” Albrecht told The News Tribune.
Clover Park did not pay the ransom and the system was restored, Albrecht said.
The extracted data remains available for anyone to download on the dark web, Callow said. Files titled “staffing,” “capital projects” and “human resource records” are among those available.
Even if an organization paid the ransom, Callow said there is no guarantee that data would stay off the web.
The best form of protection against a cyberattack is preemptive and all-encompassing.
“Once the attackers access the data, they are essentially the new admins,” Callow said. “Preventing these attacks really requires multiple layers of security.”
He recommends that organizations train employees to recognize phishing attempts, require two-factor authentication and protect internet servers with antivirus software.
“You really need to get all these things right,” Callow said.
Albrecht said Clover Park’s system now requires multi-factor authentication. New software has been installed to scan emails for malicious attachments.