Athens ISD has a message for its cyberattackers: Nope.
On Tuesday morning, the tech team at Athens ISD became aware the district had fallen victim to a ransomware attack, which encrypted many years’ worth of vital data stored on school district servers. On Wednesday, the AISD Board of Trustees authorized payment of up to $50,000 to cybercriminals in return for a crypto key to unlock the data. At the same time, the district’s IT department, aided by regional and federal cyber response teams, executed a careful and meticulous response protocol with the hope that one of the backup systems might yet hold uninfected data. On Thursday, the second backup server was analyzed, and there it was: an uninfected Skyward backup only a few days old.
“It felt incredible,” reports AISD Technology Director Tony Brooks, who has worked nearly round the clock since discovering the attack. “The Skyward database is the most important one we have.”
Skyward went back online Friday afternoon, making it possible for student registration to continue in preparation for a virtual return to school. At this time, the new Aug. 10 start date seems likely to remain in place, though an announcement will be made as soon as possible in the event more time is needed for recovery.
“We’ve built a new domain controller and recovered Skyward, but we have a lot of work left to do. Everything will be brand new when we’re done. We have to make sure all the data is clean,” said Brooks. “We won’t be able to recover data from employees’ individual computers. We’ll have to go to every computer in the district and install new hard drives.”
Brooks also noted that even as they worked to recover data, negotiation efforts reduced the ransom demand from $50,000 down to $25,000.
“Though the payment was approved, we never stopped trying to find a solution,” said AISD Superintendent Dr. Janie Sims. “The board deserves credit for recognizing how dire the loss of data would have been to our district, requiring months to rebuild, delaying the school year significantly, and ultimately costing us much more than the ransom amount.”
Engineers from the cybersecurity firm Fortinet have confirmed there is no evidence of any data being removed from district servers by the criminals. “They are able to tell if any data left our district by looking at our logs,” said Brooks, “and there is no sign of data removal. We have no reason to believe anyone’s personal information was taken.”
“Mr. Brooks deserves a massive amount of credit for his efforts and professionalism,” said Sims. “He worked tirelessly. And we’re also grateful for the ongoing assistance from the Region 10 Educational Service Center, Fortinet, and the Center for Internet Security.”
The experts from Fortinet say the virus — identified as COVID4YOU — originated from overseas and appears to be a new one.
“Cybercrime is getting worse and worse every day,” said Brooks. “It’s a huge battle. No amount of money can keep any organization totally safe.”
The effort to identify weak spots and make improvements in the district’s online security protocols is ongoing.