Lumberhacked! The unfolding tale of a computer malware attack
A particularly virulent piece of malware (malicious software) crippled the Cloquet School District last week, spreading from computer to computer, locking up access to network servers and turning documents into gibberish before offering “help” in the form of a demand for payment in exchange for a “key” to unlock the files.
Superintendent Ken Scarbrough said the price some computer users saw pop up on their screens last week was equivalent to $6,000. However, even if the district had paid the “ransom” to get its files back, there’s no guarantee the encryption key would have worked.
Instead, schoolkids got Thursday, March 17, off as the district declared its first-ever (and possibly the first in the state) malware day, on the heels of a more traditional snow day the day before.
The extra day out of school gave school district technology staff much needed time to recover from the malware — a variant of the CryptoLocker ransomware — which infected some of the district's servers and many of its 600-plus computers.
During that day off, the hallways at Cloquet Middle School were quiet and dark, except for a handful of staff members who pushed wheeled carts from room to room, stacking computers on top of each other before taking them to the computer lab to be “reimaged.” In layman's terms, reimaging is like taking a computer back to factory settings, but it also includes the school district software, such as Schoology, that the district uses. Reimaging the computers also meant that any information teachers or other staff had stored only on their computer desktop was likely lost to the virus.
Exactly the same thing was happening at each of the other four school buildings in the district Thursday (the high school, Washington and Churchill elementaries, and the alternative school at Garfield). The infected servers are also being rebuilt.
Later that day, Scarbrough said the school district was making progress and promised there would be school the next day, which there was. However, he had no regrets about calling school off Thursday, he said. Having that extra day off — more importantly, not having students and staff trying to use computers and iPads and district bandwidth — was invaluable to the technicians who are working to restore the school district's computer system, he said.
It was definitely the worst attack Yvette Maijala, technology coordinator for the school district, has seen in her 20 years on the job. She described the recovery efforts of technology staff as being like “triage,” explaining how the ransomware worked its way through the district’s computers.
“[The malware] has hooks. It did initially start with one log-in and one thing, and then it went out and found every other system that was turned on and hooked in,” she said, adding that they believe the virus probably came in through someone’s email over spring break the week before, but they didn’t know specifically how or where it started.
“Once it destroys or corrupts everything it can reach then it destroys itself,” she added. “But it’s difficult to tell if a system is completely corrupted so that’s why we’re taking this stance (of reimaging affected computers and servers).”
Maijala said outside systems including Gmail, Schoology and PayPams (the online school lunch payment system) were not affected by the virus. Backed-up files weren’t affected. Google Drive was fine. All sensitive student information was also safely stored off the local network and was not affected. However, the system that all the schools use on site for lunchroom payments was compromised, as was the program that monitors the district's HVAC (heating, ventilating and air conditioning) systems. The schools still have heat, Scarbrough noted, but have lost that monitoring ability until the program is restored.
“It wasn't that information was taken, or used for financial reasons,” Maijala said. “Rather the malware corrupted files so they aren't usable.”
Cloquet Middle School Principal Tom Brenner said he was in his office Friday, March 11, during spring break, when he realized something was wrong.
“Every time I tried to open something, I got all kinds of pop-up (messages),” Brenner said. “Things like ‘this isn’t working,’ or ‘can’t connect to server’ … I also started to lose some of the current projects. They started to disappear. I could see them, but I couldn’t get to them.”
Just like the attack spread throughout the system over a matter of days or even longer, recovering from the attack is also taking time. On the evening of Tuesday, March 22, Maijala said she and other staff and service providers were about 75 percent done with classroom computers. They were making slower progress with getting systems (such as food service and the media centers) reconfigured because they involve more work with different individual vendors.
Brenner said Tuesday that he has access to most of his files now because he had backed them up elsewhere, but he did lose “bits and pieces” that he didn’t back up.
The cyber attack also meant teachers had to go “old school” with lesson plans last week. The smart boards didn’t work because the computers that run them weren’t working. Online lesson plans and presentations weren’t available.
That meant dry-erase markers, chalk and paper, lots of paper.
Brenner said there was some panic over lost files, but he didn’t see any teachers panicking about having to adapt their teaching style.
“That’s what they do,” he said. “It happens. The power goes out, or you can’t reach the network. They know how to adapt. They’ve been doing it a long time.”
In the lunchroom, workers went back to writing down charges by hand when the system was down. Brenner said the office was prepared with paper copies of attendance and class schedules because of evacuation plans that require copies of both.
He noted that he was really proud of his staff after taking a walk through the halls on Friday.
“It didn’t turn into a ‘let’s watch a movie’ day,” he said. “People were teaching. Kids were learning. It was business as usual.”
Cloquet schools aren’t alone, even if they do turn out to be the first district in the state to close school for computer repairs.
The weekend before, several major websites including the New York Times, the NFL and the BBC were hit by ransomware “malvertising,” in which ads on their websites were hijacked by a similar virus that demanded payment in bitcoin to unlock users’ computer hard drives. A Los Angeles hospital also paid $17,000 in ransom to an attacker in February.
Cloquet Police Department Commander Derek Randall, who has long been a computer expert in the department, put the school district in touch with the FBI cyber crimes unit.
Randall said he’s sure the incident will be duly noted, but he didn’t think the FBI would come riding in to save the day.
“With this type of malware, you really rely on backups to restore [the encrypted information],” he said. “From what I was told, the FBI was trying to figure out what variant of ransomware it was, so they could try to track it.”
As for the Cloquet Police Department doing an investigation, Randall said this particular type of malware usually originates in Russia or China.
“A lot of times it comes in an email that has an attachment that someone clicks on and that isn’t screened by the anti-virus or anti-malware tool,” he explained. “The internet is flooded with these types of malware right now.”
So what can a business, a school district, or any computer owner do to prevent the same thing happening to them?
There are several preventive steps people should take.
Stay on top of computer updates so the system can flag and catch viruses. Updates often patch security holes that hackers have exploited.
Purchase anti-virus software and make sure it is set to update automatically.
Make sure all the software you use, from Adobe Acrobat to Microsoft Word, is running in its most current and updated version.
Site advisor programs alert you to the risk level of a website before you enter it. Steer clear of high-risk websites because they can contain malicious code.
Beware of file-sharing sites. Sometimes files are fraudulent. You may believe you’re downloading your favorite song, but in reality it is malware or a virus.
Don’t open email from strangers. And beware of unexpected email attachments, even if they appear to be coming from someone you know; their account may have been hacked. Email them back to ask or, better yet, pick up the phone and check before opening suspicious files.
“I know some of you have been struggling with cold and flu viruses recently,” Scarbrough said at the start of a community meeting at the middle school this week. “I think computer viruses may be even worse.”