Three days after a ransomware attack shut down Baltimore County’s school system, there is no indication the problem will be resolved quickly, and the timeline for resuming classes remains uncertain.
School officials issued a statement Friday saying the district continues to address the “catastrophic attack on our technology system” but gave no specifics on when online learning might be back up and running.
“Unfortunately, we are limited in what we can say due to the ongoing federal, state and local investigations,” the statement said, adding that updates will be provided at 4 p.m. each day.
The extensive ransomware attack closed school for the 115,000 students attending classes entirely online due to the coronavirus pandemic. Local officials have released little information about this week’s cyber attack, except to say that the county police department is working with the FBI and the state’s Emergency Management Agency. The county school system said the attack had affected many parts of its network.
Experts on ransomware attacks said while they do not have any specifics on the county’s situation, they believe it is likely the school district would be able to get online classes up and running in some form within a week or two, and perhaps as soon as a few days. Other network operations could take much longer.
The school system announced Saturday that schools will be closed Monday and Tuesday.
There are many options available that don’t require teachers to plug into the county system, said Avi Rubin, technical director of the Johns Hopkins University Information Security Institute and a computer science professor. When classes closed down in March for the coronavirus, he said, he was able to quickly put his class on a video conferencing platform.
“In a pinch there are enough tools out there. There are ways to move to teaching even if it isn’t ideally the way we would teach,” Rubin said.
Fred Smalkin Jr., a technology attorney who worked in Baltimore’s law department during the 2019 ransomware attack on city government, said his optimistic best guess is that students could be back in virtual school in about a week. His pessimistic guess is a few weeks.
In the meantime, county officials need to consider what to focus on first in terms of returning normal operations to the organization. In some cases, the primary functions of paying people and getting communications running are as important as retrieving information. Ransomware attacks typically block access to a computer system or files until money is paid.
“So really there are two things [officials] need to do in parallel. One is to figure out what happened and recover their systems,” Rubin said. “The second is to recover their online learning.”
Rubin and Smalkin said the pace of restoration will largely depend on whether the school district has backed up its data regularly and whether the backups are infected with the ransomware.
One of the first signs that something was wrong with the network appeared Tuesday night when the school board meeting’s live stream abruptly cut out. Then teachers, who were entering first-quarter grades, were met with blank screens or odd messages that included the word Ryuk, which is a ransomware tool used by hackers.
Cyber attackers have have recently hit numerous school districts around the country. In October, Fairfax County, Virginia, was a target. In that case, the attackers stole personal data and published it on the web, but did not interrupt the online classes, according to a report in The Washington Post.
Organizations frequently bring in outside counsel as well as private cybersecurity firms to respond in a cyberattack crisis, Smalkin said.
The security experts can perform a kind of criminal profiling of the hackers, he explained. Strange as it may sound, they can help determine the trustworthiness of the threat actors.
“You need to know these people and their reputation,” Smalkin said. “Have they followed through on their word before?”
The outside experts can also help assess whether the hackers have ties to terror organizations – because if the government pays the ransom, “you want to make sure you’re not funding terrorism inadvertently.”
In this type of crisis, an organization’s first priority is figuring out its communication plan, Smalkin said. School system employees have been told not to use their email accounts, school laptops or accounts.
“If you don’t have communications, you can’t do anything,” he said.
The school system has a range of legal issues to consider, from making payroll and meeting obligations to contractors to notifying people if their data has been accessed. School officials have not said whether students’ or teachers’ personal information was stolen in the incident.
Cindy Sexton, president of the Teachers Association of Baltimore County, said teachers were paid this week on schedule.
Teachers are concerned about connecting with their students and whether they will be able to retrieve lessons and grades.
“It is really stressful for everybody involved,” Sexton said.
State auditors found “significant risks” within the county schools’ computer network, according to a report released Tuesday.
The network was not adequately secured, and sensitive personal information was not properly safeguarded, among other issues, the Office of Legislative Audits found.
Rubin, who reviewed the audit, said even if the attack had not happened, the vulnerabilities the audit described should have raised alarms.
“It is possible that a well-managed system could have still been hit, but when you look at a system that was poorly managed, it makes it more likely that this could have happened and been successful,” Rubin said. “They were not practicing good security.”
In particular, he said, systems have to be updated and “patched” or they are more vulnerable to attack.
While plans for classes in the county remain uncertain, school will be back to normal on Monday for Baltimore City students.
The day of the attack, surrounding school systems blocked emails from the county schools, and the city schools directed students using their personal computers to connect to online classes to leave school for the day. But Friday, city school officials said those students can rejoin classes Monday.
Given what was happening in the county, said Andre Riley, a spokesman for the school system, “we just wanted to be cautious” and make sure that their network was secure by limited the access points.