Baltimore County schools suffered a ransomware attack. Here’s what you need to know.

Thank you for supporting our journalism. This article is available exclusively for our subscribers, who help fund our work at The Baltimore Sun.

The day before Thanksgiving, the Baltimore County Public Schools system was shut down by a ransomware attack that hit all its network systems.

The cyberattack brought classes to a halt for a few days for the 115,000 students attending classes entirely online due to the coronavirus pandemic.


School officials have described it as a “catastrophic attack on our technology system.”

Here’s what you need to know:


How long are schools closed for?

Classes were canceled Monday and Tuesday but are set to resume Wednesday.

I have a district-issued computer. Is it OK to use?

Chromebooks are safe, but the district said Windows-based devices should still not be used as it further investigates the attack.

School leaders announced Monday night that students and staff must perform a series of “confidence checks” on some system-issued devices. Students who need a new device or assistance are being asked to visit their nearest Baltimore County public high school Tuesday from 1 p.m. to 5 p.m.

Administrators asked select groups of teachers and staff on Monday to bring system-issued devices to schools to perform “confidence checks.”

What actually happened?

Officials have been pretty tight-lipped about what happened, saying the investigation is ongoing and that they were working closely with state and federal law enforcement and the Maryland Emergency Management Agency to investigate.

The county police also have been in contact with the FBI Baltimore field office. Baltimore County Police Chief Melissa Hyatt declined to provide any specifics of the criminal probe.


“We are in the preliminary steps of that investigation,” Hyatt said.

It’s unclear when the attack started, but the school board meeting video stream abruptly cut out late last Tuesday. And according to social media accounts, school system teachers began noticing problems about 11:30 p.m. as they were entering grades.

What is a ransomware attack?

It’s an attack that typically blocks access to a computer system or files until money is paid.

Authorities and local officials have not indicated whether or not they have had direct or indirect contact with the hackers.

What kind of ransomware attack was it?

Some teachers said on social media that their files have a .ryuk extension on them. Ryuk is a type of ransomware that has been used against hospitals, local governments and others. The school system and county police did not provide any details on the nature of the ransomware attack.


Officials have not said whether it is a Ryuk attack or not.

Was the school system vulnerable to an attack like this?

A state audit released a day before the attack found “significant risks” within the system’s computer network.

The network was not adequately secured, and sensitive personal information was not properly safeguarded, among other problems, the Office of Legislative Audits found.

The Morning Sun


Get your morning news in your e-mail inbox. Get all the top news and sports from the

It’s unclear what role the weaknesses described in the audit may have played in the ransomware incident as officials have declined to discuss specifics.

Was any personal student data released or compromised during the attack?

It’s unclear. School officials haven’t released any specifics about what information, if any, the attack was able to take hold of.

Are attacks like this common in school districts?

Cyberattackers have recently hit numerous school districts around the country. In October, Fairfax County, Virginia, was a target. In that case, the attackers stole personal data and published it on the web, but did not interrupt the online classes, according to a report in The Washington Post.


Can’t the school system just pay the ransom so classes can resume?

It’s not that simple.

Cybersecurity experts like Avi Rubin said once an attack is made public, it’s unlikely the school system would pay.

The technical director of the Johns Hopkins University Information Security Institute and a computer science professor said it would only incentivize the “bad guys” and provide more funds for them to continue their attacks elsewhere.

Baltimore Sun reporters Liz Bowie, Alison Knezevich and Lillian Reed contributed to this article.