‘Business as usual’: Despite some problems, Baltimore County schools resume online lessons after ransomware attack

Baltimore County school officials managed to get students back to online lessons Wednesday after a “catastrophic’ ransomware attack took down classes a week ago.

Maybe it was just the year, but students and teachers seemed to take in stride the effort required to get back online.


Some teachers and students stood in lines outside high schools to get “confidence checks” on laptops to ensure they weren’t infected with malware on Monday and Tuesday. And when families met roadblocks signing on to lessons with teachers on Wednesday, parents crowd-sourced the answers to common problems on Facebook.

“Despite a few hiccups everything has gone relatively smoothly,” said Charles Herndon, a school system spokesman. “We are hearing good reports from the teachers and principals.”


School officials had created a new way for students and teachers to log on to its learning management system, Schoology, and Google platforms. Because the programs are cloud based, the district is hoping lesson plans and the grades were available for students and teachers. Wednesday teachers were expected to reconnect with students after the attack and on Thursday they will begin lessons.

Crystal Shelley, the mother of three Westchester Elementary students, said everyone was able to log on Wednesday morning as usual with a link supplied to them by their teachers.

“It felt pretty normal,” Shelley said. Not all of the programs students are used to using were accessible, she said, including her second graders math lessons.

Teachers who saved their lessons in the cloud have their files, said Dumbarton Middle School teacher Jill Cox.

“From my end everything was business as usual.” The seventh grade language arts teacher said her colleagues focused on getting back in touch with their students. “I am glad that BCPS was able to get us up and running. I think students thrive on the interaction.” Hackers weren’t able to take away that important connection, she said.

The coronavirus pandemic that has halted in-person lessons for months has forced everyone to adapt, and Cox said that has helped with the current crisis.

“If I saw pigs fly outside my window I don’t think I would be surprised. It just yet again it shows how amazing all educators are,” she said. Three times this year, Cox said, teachers have had to suddenly change course: in March when schools were shuttered, in August when it was decided everyone would teach online and on Dec. 2 after the district was hacked.

“You tell us to pivot and we do it. We get it done,” Cox said.


The district’s IT officials “were pretty confident that student devices would not have been impacted,” Herndon said, and that has turned out to be true. Students and staff were given instructions on how to check devices. If they saw signs of malware, they were asked to come to a school to get another laptop.

“That went very well. It was a very small number that had any problems,” Herndon said.

The Evening Sun


Get your evening news in your e-mail inbox. Get all the top news and sports from the

In its daily update, district officials said beginning Thursday students and staff will be able to contact a help desk and get their devices checked at a high school. The district also said that student devices were not affected by the malware and that school websites are still functioning.

But the county is only beginning to deal with the ransomware attack that has apparently frozen its network. School officials won’t say what is going on behind the scenes, but they have called in law enforcement, including the FBI which has expertise in handling cyber crimes.

Cyber security experts said it is usual in these types of attacks for the insurance company representing the county schools and law enforcement to be working together on trying to understand the extent of the damage to the system, and what data has been encrypted or damaged.

At the top of concerns is whether personal information or data about students and employees has been stolen from the network. In two recent national cases, large school districts have had student and employee information posted online.


Brett Callow, a cyber security threat analyst, said he had checked Wednesday morning for the school system’s data and hadn’t yet seen it posted by the criminals. The public shouldn’t relax yet, however.

“I wouldn’t expect there to be. We are in the early days,” Callow said. Many negotiations with attackers will go on for weeks before they are resolved, he said. The organization that has been attacked will spend time exploring its network and data files to investigate what has been encrypted or stolen and then make a decision about whether to pay.

Hackers sometimes use the stolen data to threaten the organization to pay up. But if hackers begin to publish that data, Callow said, the attacker can lose credibility with the organization. How much data has been stolen and how sensitive it is could determine whether the county school district pays a ransom, he said. Federal, state and local investigators have not identified the group behind the ransomware, their demands, nor if the district is considering paying a ransom.