Baltimore County’s school system was shut down by a ransomware attack that hit all its network systems and closed school for 115,000 students Wednesday.
While little has been made public about the extent of the attack, school officials said at an afternoon news conference outside the county school headquarters in Towson that they are working closely with state and federal law enforcement and the Maryland Emergency Management Agency to investigate.
The county police also have been in contact with the FBI Baltimore field office. Baltimore County Police Chief Melissa Hyatt declined to provide any specifics of the criminal probe.
“We are in the preliminary steps of that investigation,” Hyatt said.
Ransomware attacks typically block access to a computer system or files until money is paid.
Hyatt did not say whether the authorities have communicated with the hackers, and the school system said it has had no direct or indirect contact with them.
Superintendent Darryl Williams said he has no timeline for when school will resume. School officials said the network issue has affected the district’s website, email system and grading system. Until the problem is resolved, students will have no school.
The attack comes as the school system continues to operate online only, with all in-person classes delayed, as a result of the coronavirus pandemic.
“This caused systemic interruption to our network information systems,” said Mychael Dickerson, the school system’s chief of staff. “Everything was impacted.”
“It’s extensive enough that we made this decision,” he said of needing to close the schools. “We knew it wouldn’t be a quick fix.”
The school system stopped communicating to staff and parents by email and began using Twitter and robocalls to inform its community about the attack. The district is advising all students, parents and teachers not to turn on their school laptops, and some students have taken any county applications off their phones as a precaution.
Cybersecurity experts said how quickly the system is able to recover will depend in part on whether the ransomware has infected the systems that back up files and data. If not, they said, then the school system can wipe out the infected data and use the backup. The problem will be much more complicated if both have been hit.
“This is becoming a major problem for school systems around the country,” said Dan Domenech, executive director of the American Association of School Administrators.
Most recently, Fairfax County and Miami-Dade County school systems have been attacked. The Wall Street Journal recently reported that it had documented more than three dozen attacks on school systems since the pandemic began. In some cases, cyber pirates have posted the personal data of students on the web.
“Districts have paid millions of dollars in ransom to get the systems back,” Domenech said.
Baltimore County’s network is the conduit for grades, lesson plans, and communication between teachers and students and parents. Unlike some other school systems in the region, Baltimore County began giving students devices more than a decade ago.
Cindy Sexton, the president of the teachers union, said teachers are worried they have lost important work, including lesson plans.
It’s unclear when the attack started, but the school board meeting video stream abruptly cut out late Tuesday evening. And according to social media accounts, school system teachers began noticing problems about 11:30 p.m. as they were entering grades.
Some teachers said on social media that their files have a .ryuk extension on them. Ryuk is a type of ransomware that has been used against hospitals, local governments and others. The school system and county police did not provide any details on the nature of the ransomware attack.
Students have many concerns including the security of their personal information and what will happen with their coursework, said Josh Muhumuza, a Dundalk High School senior who serves as the student member of the Board of Education. He said he did two Instagram Live sessions Wednesday to discuss the cyber attack with students.
“It is a sad, sad day that anyone would ever attack a school system,” said Muhumuza, adding that many students rely on their school-issued devices that they’ve now been told not to use. “Whoever made this attack should feel ashamed.”
For parents, there are “so many unknown questions at this point,” said Cheryl Herb, who heads the PTA at Bedford Elementary in Pikesville. She also has children who attend other county schools.
“Do they have access to our kids’ personal information?” she said. “Everything is online.”
Herb said that before classes were scheduled to start Wednesday, the Bedford principal notified families via text of network problems and told them not to turn on their computers — but many parents at other schools were completely unaware of what was happening because no one notified them until later.
She said she hopes there can be open communication with families going forward.
The attack comes at the beginning of a four-day holiday break for students, perhaps on purpose, one expert said.
“It seems like this was well thought out, coming the day before Thanksgiving — a pretty devastating attack to take down the whole system,” said Avi Rubin, technical director of the Johns Hopkins University Information Security Institute and a computer science professor there.
Rubin said once an attack is made public it is unlikely that the school system will pay those who have taken its network down, and he argued that to do so would only incentivize the “bad guys” and provide more funds for them to continue their attacks elsewhere.
Brett Callow, a threat analyst who works with cybersecurity tools, said a ransomware attack normally begins weeks or sometimes months before it is evident, penetrating deep into the network.
If Ryuk was used, Callow said, several cyber attack groups use that particular ransomware, but one is known for targeting public entities. While some hackers taunt their victims, this group is generally businesslike, he said.
“Some of these groups absolutely like to showboat. Ryuk tends to be all business,” he said. “They just like to get the job done. Ryuk is almost robotic. They display very little emotion at any point.”
Dickerson said the county could not discuss whether the attacker was Ryuk because of the ongoing law enforcement investigation.
Ransoms are often customized to the organization that is being attacked. The hackers will have looked for insurance and other financial information once they break into the network. Payment is typically demanded in Bitcoin, the untraceable digital currency.
In this case, much is publicly known about the school system’s $1.5 billion budget.
If the network’s back-up systems have been compromised, then the school system will have to decide whether to pay the ransom or lose its data, Callow said.
“The best advice is never to pay…,” he said. “From a more realistic perspective, organizations have to balance the possibility of total data loss with paying the criminals to restore the data. It is not an easy or straightforward problem.”
Baltimore City faced that dilemma a little more than a year ago. A ransomware attack crippled Baltimore government for months starting in May 2019, disrupting everything from water billing to real estate transactions. In that attack, hackers accessed the city’s systems, encrypted files using ransomware and then demanded payment to unlock the files. The city refused to pay. The city has estimated the attack cost more than $18 million, which included lost revenues and the price tag to restore the systems.
“I don’t see an easy outcome to this. It is sort of like the perfect storm,” said Rick Forno, a University of Maryland, Baltimore County professor who is writing a book on municipal government cybersecurity.
He said that not only is this coming on a holiday weekend in a pandemic, but some of the repair work will have to be done following social distancing protocols.
In a worst-case scenario, he imagined parents lining up outside of schools to have their laptops checked. Checking back-up systems for ransomware is not an easy or quick process, he said.
“It is not going to be an overnight or smooth process,” Forno said. “It is going to be expensive.”
Baltimore County government systems do not appear to have been compromised, although officials are inspecting the network and all devices “out of an abundance of caution,” county officials said in a statement.
Baltimore Sun reporter Christine Condon contributed to this article.