Baltimore County public school classes to resume Wednesday following ransomware attack

Baltimore County public schools will restore online classes for all students Wednesday after an extensive ransomware attack paralyzed the school system’s network last week.

School leaders announced Monday evening that students and staff must perform a series of “confidence checks” on some system-issued devices. Students who need a new device or assistance are being asked to visit their nearest Baltimore County public high school between 1 p.m. and 5 p.m. Tuesday.


School officials have said students with county-issued Chromebooks are free to use them because they weren’t infected. But many high school students, and some middle schoolers, have other devices that use Windows and need to be checked before they can be used.

The return to classes comes as the answers to many big questions remain unknown. Federal, state and local investigators have not identified the group behind the ransomware, nor their demands.


Investigators have released few details about the ransomware attack, including whether sensitive personal information, student transcripts and individualized education plans have been stolen or lost completely. School administrators have said the attack affected many parts of its network.

State law requires a government agency to inform anyone whose information has been compromised in a security breach, but only “as soon as reasonably practicable after an investigation” and after law enforcement officials decided a criminal investigation won’t be jeopardized, said Raquel Coombes, a spokeswoman for the Maryland Attorney General’s Office.

Despite what’s still not known publicly about the attack, Baltimore County teachers union president Cindy Sexton said teachers “need to be teaching our students” and she believes the county will provide more clear information about access to the curriculum.

“I know educators are very concerned about what they are going to teach because they don’t know if they have access to their lessons,” Sexton said.

Elementary school teachers went to schools Monday to have their devices checked for malware, an operation that Sexton said went smoothly. She said the county’s directions for how to check laptops and computers was easy to follow and she believed most students could do it.

Parent Emory Young of Reisterstown said his two high school-aged children have been reading and sleeping late during the three-day hiatus in learning.

“I think they are happy to have the break,” Young said.

Young would have liked more information about what is going on behind the scenes to resolve the ransomware attack, but he said he understands school officials may be limited about what they say because of the criminal investigation.


The Baltimore County government has offered the school system help, including staff support from its emergency operations team and the county law and information technology offices.

County Executive Johnny Olszewski Jr. is urging the school system to make as much information as possible available to the public to keep the community updated, his spokesman Sean Naron said.

Councilman David Marks said he and others on the County Council are pushing for more answers. He said he’s been getting calls from concerned parents and school employees.

“The County Council has a fiduciary responsibility to the taxpayers,” said Marks, a Perry Hall Republican. “Ultimately, we are the budget authority and we deserve all the information so we can adequately pass it along to our constituents.”

One of the first signs that something was wrong with the school system network appeared Tuesday night when the school board meeting’s live stream abruptly cut out. Then teachers, who were entering first-quarter grades, were met with blank screens or odd messages that included the word Ryuk, which is a ransomware tool used by hackers.

Baltimore County’s attack is more severe than those against other school systems, said Doug Levin, who founded K12 Cybersecurity Resource Center.


“It is only since last year that I have been aware of any school districts having to close, having to actually stop teaching and learning,” he said.

Levin, who tracks school district ransomware attacks and security breaches, said they grew in frequency in 2019. In 2020, the attacks continued until the pandemic and then slowed until the start of the current school year. Clark County’s schools near Los Vegas, and Fairfax County were both hit by attacks recently and personal data was stolen, but their school system’s networks were not shut down.

Because the scope of the attack seems severe, he said the attackers could have stolen or encrypted student transcripts, payroll information, pension information, teacher lesson plans and budget information, Levin said.

If the school district has backed up its information in a secure location, then it may have access to all of the historical information, he said.

The Evening Sun


Get your evening news in your e-mail inbox. Get all the top news and sports from the

However, Levin and several other experts said if the back-up information is compromised, the school district will have little choice but to pay the ransom.

Experts said that the criminals who have attacked the Baltimore County school system likely were rummaging around the network for weeks or months gathering information before they encrypted the files and shut down the network.


In some cases, Levin said, the hackers will attempt to stay long enough so they can corrupt all of the backup files before they have been saved.

Even if the backup files are safe, the process of getting back to normal could be weeks or months, most experts said.

“I would be shocked if the extortion demand was lower than the six figures” Levin said. “I would not be surprised if it is a million dollars or more.”

Usually, in these cases, school systems will have an insurance policy and the insurance company, along with law enforcement, will negotiate with the criminals. Often, the insurance company will decide it is cheaper to pay the ransom than for the school district to reconstruct its network and files, he said.

In the case of the ransomware attack against Baltimore City last year, the city stood firm against paying attackers, but it paid more to fix the problem than the ransom would have cost.