A researcher said he discovered an open data cache with names, grades, birthdates and more, after the Clark County School District refused to pay the ransom.

Personal information for students in the Clark County School District, which includes Las Vegas, has reportedly turned up on an underground forum, following a ransomware attack that researchers say was carried out by the Maze gang.

In early September, the Associated Press reported that the district was crippled during its first week of school thanks to a ransomware attack, potentially exposing personal information of employees, including names and Social Security numbers. The Clark County School District (CCSD) quickly confirmed the reporting via a Facebook post, where it noted that three days after school began online, on August 27, it found many of the school’s files to be inaccessible – though online learning platforms weren’t affected. At the time it said that “some private information may have been accessed.”

This week, Brett Callow, a threat analyst with Emsisoft, told the Wall Street Journal that student information has turned up in an underground forum.

Callow said that a warning shot was fired last week by the attackers, presumably in retribution for CCSD not paying the ransom of an undisclosed sum. Attackers, he said, released a non-sensitive file to show that they had data access. When that garnered no response, they released a raft of sensitive information. That information included employee Social Security numbers, addresses and retirement paperwork; and student data such as names, grades, birth dates, addresses and the school attended. The hackers also announced that the data reveal represents all of the information that they stole from CCSD’s network.

When Threatpost reached out to Emsisoft for more details on the data cache, Callow said that in total, the criminals — specifically, the Maze gang — published about 25GB of data.

He also said that no password was needed for access to the information.

“The data was published on leak sites on both the clear and dark webs,” he told Threatpost. “It can be accessed by anybody with an internet connection who knows the URL.”

For its part, the district said in a statement Monday that the reporting has not been verified: “National media outlets are reporting information regarding the data security incident CCSD first announced on Aug. 27, 2020. CCSD is working diligently to determine the full nature and scope of the incident and is cooperating with law enforcement. The District is unable to verify many of the claims in the media reports. As the investigation continues, CCSD will be individually notifying affected individuals.”

Callow told Threatpost, “the data would certainly appear to be legitimate.”

Threatpost reached out to CCSD for more information on the ransom amount and other details. When it comes to the extortion piece, a similar attack in July on the Athens school district in Texas led to schools being delayed by a week and the district paying attackers a $50,000 ransom in exchange for a decryption key.

More ransomware operators are setting up pages where they threaten to publish compromised data from victims – an added pressure for victims to pay the ransom. The ransomware tactic, called “double extortion,” was first used in late 2019 by Maze operators – but has been rapidly adopted over the past few months by various cybercriminals behind the Clop, DoppelPaymer and Sodinokibi ransomware families.

“The number of successful attacks on school districts has increased significantly in recent weeks, with at least 12 falling victim this month alone,” Callow told Threatpost. “The attacks have disrupted learning at up to 596 individual schools. The number of cases in which data is exfiltrated has also increased: at least five of the 12 districts had data stolen and published online.”

Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, noted that the CCSD story could get messy if parents choose to sue the district over the attack and its handling of it.

“What may be tricky is an eventual lawsuit by the victims against the school,” he said via email. “The crunchy point will be whether a failure to pay a ransom, to preclude data from being published, may be construed as a failure to remediate the damage and thus make the school civilly liable for this specific leak and its consequences. The monetary damages will, however, likely be of a nominal value as evidenced by recent litigation in the US involving similar data breaches. The best avenue will likely be a settlement, providing the students with a necessary support to negate reasonably foreseeable consequences of the data breach and exposure of their PII [personally identifiable information].”

School Attacks Continue

A slew of ransomware attacks and other cyberthreats have plagued back-to-school plans — as if dealing with the pandemic weren’t stressful enough for administrators.

In addition to the Clark County and Athens incidents, an attack on Hartford, Conn. public schools earlier in September led to the postponement of the first day of school. According to a public announcement, ransomware caused an outage of critical systems, including the school district’s software system that delivers real-time information on bus routes.

Also, a recent ransomware attack against a North Carolina school district, Haywood County Schools, caused the school to close to students for days.

Security researchers have said that cyberattacks may become the new “snow day” – particularly with the advent of pandemic-driven online learning. As students prepare to return to school, schools are facing more complex cyber-threats. For instance, the need for data, monitoring and contact-tracing becomes a key factor in students returning to in-person classes, and remote students will have longer periods of time where they are connected to the internet.

Meanwhile, researchers have warned of a projected seven-fold increase in ransomware overall for 2020, compared to last year – with some strains being more worrisome than others.

“One ransomware variant that is particularly concerning is Ryuk, which has been attributed to North Korean and Russian threat actors,” said Jeff Horne, CSO at Ordr. “Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing and can propagate and infect IoT/IoMT devices, as we’ve seen with UHS hospital phones and radiology machines. Once on an infected host, it can pull passwords out of memory and then laterally moves through open shares, infecting documents and compromised accounts.”

He added that many of the ransomware attacks come with additional pain.

“Some threat actors are still piggybacking Ryuk behind some other trojans/bots like TrickBot, QakBot and Emotet, and some of those can use the EternalBlue vulnerability to propagate,” he said.
