The hackers who targeted the Los Angeles Unified School District have demanded ransom, officials confirmed Tuesday, suggesting the attackers have extracted sensitive data or believe they can bluff the district into thinking they did.
“We can confirm that there was a demand for it,” Supt. Alberto Carvalho said. “There has been no response to the question.”
Carvalho declined to reveal the amount of the ransom or provide any further information about what information the attackers may have.
He said there have been “no new security breaches” and the school system continues “our ramping up of apps and systems.”
Officials said they are optimistic that social security numbers and other sensitive employee information will remain safe. The outlook may be different for student information, such as grades, course schedules, disciplinary records and disability status. The district does not collect social security numbers for students or parents.
Earlier, Carvalho announced that the attackers had extended their deadline for entering into negotiations without specifically mentioning a ransom amount. The district, Carvalho added, is following the advice of experts and law enforcement, including the FBI and the Los Angeles Police Department.
In a related development, federal officials on Friday announced a major new grant program to help public agencies better protect themselves from cyberattacks.
The demand for money was widely anticipated in the wake of the cyberattack, which was discovered on the night of September 3, over the Labor Day weekend.
Hackers typically threaten to put sensitive data online if they are not paid, but it can be difficult to determine what they have obtained, and they can lie.
In general, such payments are a bad idea, says Clifford Neuman, director of USC’s Center for Computer Systems Security.
“It is important for any organization affected by ransomware to understand that even if they pay a ransom demand, they will still incur significant IT costs and delays to repair the system,” Neuman said. “The best course of action is not to pay the ransom and restore systems from backups.”
He added: “There is no reason to believe that the criminals would actually delete the exfiltrated data even if the ransom is paid.”
The attempted data theft was one element of the attack on LA Unified. The other was an attempt to disable the district’s computer systems, rendering them inaccessible.
Although both elements of the attack were only partially successful, full recovery proved difficult. For example, the information for an Education Council meeting on Tuesday was provided through a temporary, cumbersome web page. Campuses reopened as scheduled on the Tuesday after Labor Day, but many students, parents and staff said an entire week of instruction was lost as engineers double-checked and gradually brought systems back online and as users reset more than 600,000 passwords.
Along the way, the district discovered malware left behind by the attackers, which had the potential to do more damage if it was not detected and carefully disabled.
Carvalho described the malware as “a digital tripwire left behind that, if activated, will further disable or infect systems.” The discovery delayed the reset of district passwords, in part because of concerns that the new passwords could also be stolen if the malware remained active.
Operations went more smoothly in the second week after the attack, although engineers are still trying to restore the online system that LA Unified uses to handle purchasing and the bidding process for vendors and construction projects.
While a recent audit revealed gaping flaws in the district’s online security, LA Unified is far from alone.
“The only unusual thing about this attack is that it involved the second largest school district in the country. Other than that, incidents like this are unfortunately all too common,” said Brett Callow, a threat analyst at Emsisoft, a cybersecurity firm. “As of this year, 25 other districts with 425 schools are in the same position as LAUSD.”
Most of those incidents resulted in the online leakage of stolen data.
A site that tracks cyber-attacks reported that a California county office of education recently paid a $400,000 ransom.
The LA Unified attack has been linked to a criminal syndicate calling itself Vice Society, though authorities have declined to confirm the attribution.