Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

05:30 PM
Connect Directly

Baltimore County Public Schools Closed Due to Ransomware Attack

The incident struck the day before Thanksgiving and interfered with online classes for some 115,000 students, officials report.

Schools in the Baltimore County Public Schools (BCPS) system are closed Nov. 30 and Dec. 1 as officials investigate and remediate a ransomware attack that hit its network systems the day before Thanksgiving, pausing classes for some 115,000 students attending school online due to the pandemic.

Related Content:

How Ransomware Defense Is Evolving With Ransomware Attacks

The Changing Face of Threat Intelligence

New on The Edge: 5 Signs Someone Might be Taking Advantage of Your Security Goodness

Officials have not shared many details about how the attack started; however, a Baltimore Sun report indicates a school board meeting video stream was cut short Tuesday evening. Social media posts show teachers began to notice problems while entering grades later that night.

Some teachers said their files have a .ryuk extension on them, the report states, indicating Ryuk ransomware may be involved. Officials have not confirmed the presence of Ryuk, a type of ransomware that has grown prevalent this year and counts hospitals, local governments, and oil and gas facilities among its targets. There has been no confirmation of a ransom demand.

An investigation is underway. BCPS officials are reportedly working with state and federal law enforcement, as well as the Maryland Emergency Management Agency, to address the incident. County police have also communicated with the FBI Baltimore field office.

In the meantime, classes are on hold as the attack reportedly affected the BCPS website, email system, and grading system, officials say. Offices will stay open and staff will receive updates.

"Our focus today and for Monday and Tuesday is identifying and addressing student and staff device needs so that instruction can continue," BCPS officials wrote in a Nov. 29 tweet.

BCPS-issued Chromebooks were not affected in the attack, the officials report; students and staff may safely use these devices and Google accounts. However, officials request they do not use BCPS-issued Windows-based devices (HP Revolves or Probooks) until further notice.

Security Gaps Reported Days Before Attack
Days before the incident, Maryland state auditors found many security holes in the Baltimore County Public Schools' computer network.

The Office of Legislative Audits reports the BCPS internal network had 26 publicly accessible servers and intrusion detection prevention system coverage "did not exist" for untrusted encrypted traffic entering the network. Further, auditors say, BCPS network resources were not protected from improper access from students using wireless and high school computer labs.

"These publicly accessible servers, if compromised, could expose the internal network to attack from external sources," the audit report states. Auditors advise the school system to relocate all publicly accessible servers to a separate protected network zone to limit security exposures.

While it's unclear whether these weaknesses are connected to this incident, it's clear how the audit's findings could put the school system at risk. Several problems identified in the report could be used for initial compromise or for uninterrupted communication after the attacker breaks in.

"The audit found that the school system had no way of detecting or logging the kind of communications typically associated with ransomware [command-and-control] systems, and that servers inside the network had public Internet addresses with insufficient firewall protection," says Sean Gallagher, senior threat researcher with Sophos. These issues could have enabled an attacker to establish a foothold and send commands to spread across the network.

Ransomware Operators Take Aim at Schools
This attack is one of many targeting educational institutions this year as cybercriminals take advantage of the broad shift to remote learning. Millions of students and teachers are logging on to school networks to take classes and complete assignments, and many of them use devices and systems riddled with vulnerabilities that could create an ideal attack vector.

In the past 30 days, the education sector was hit with 62.9% of all reported enterprise malware encounters, Microsoft data shows. This puts education far ahead of the second most popular target industry, business and professional services (9.31%).

Back in April, the FBI's Internet Crime Complaint Center (IC3) warned online education and remote work platforms of an increase in cyberattacks driven by a dependence on virtual tools linked to the COVID-19 pandemic. Over the summer, Louisiana governor John Bel Edwards declared a state of emergency after a series of cyberattacks against school districts in the state. Alabama's Houston County was hit in August; Virginia's Fairfax County was attacked in September.

Schools are especially vulnerable because, in addition to this expanded attack surface, their IT operations are usually underfunded, Gallagher points out. While the lack of resources leaves them exposed, many school districts have cyber insurance that will pay the ransom, increasing the likelihood of an incident.

"The attackers are not necessarily targeting the organizations based on their business model, but based on their vulnerability," he adds.

Security experts believe we'll continue to see ransomware operators target schools continue with remote learning, a shift that has made schools around the county "an even bigger target of opportunity than before as the stakes are higher and worth more money," says LogRhythm CSO James Carder. "If the technology is taken down, the business is completely stopped."

Carder strongly advises school districts to adopt a proactive approach to cybersecurity and enable network infrastructure to block malicious access attempts. Security pros also suggest creating a crisis plan and integrating cybersecurity and data protection protocols as a way to simplify the process of detecting attacks and recovering systems and data if they're infected.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form F...
PUBLISHED: 2021-06-21
Textpattern 4.7.3 contains an aribtrary file load via the file_insert function in include/txp_file.php.
PUBLISHED: 2021-06-21
Cross Site Scriptiong vulnerability in Typesetter 5.1 via the !1) className and !2) Description fields in index.php/Admin/Classes,
PUBLISHED: 2021-06-21
mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however ...
PUBLISHED: 2021-06-21
In memory management driver, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-185196177