GRESHAM, Ore. — This week the Centennial School District has started to bring some of its systems back online after a data breach a few weeks ago prompted a shutdown of computer systems.
KGW received information that district data has been posted on the dark web. The information was shared in confidence. This week we spent time verifying its validity.
Multiple cyber security sources have confirmed it appears data from the Centennial School District has been posted on the dark web related to a ransomware attack.
“Ransomware goes in and it will encrypt data on your computer so you can’t access it,” said Ken Westin, director of security strategy at ReliaQuest.
Typically, the attackers won’t offer a way to decrypt the data until a ransom is paid. KGW received a screengrab of the website containing district data. At the top of the page, a message from the group Babuk reads, “Negotiations with another organization from the USA failed, it’s a shame, it’s a shame, you always try to find a workaround and not pay, but it doesn’t work.”
“We actually don’t know very much about this group. They emerged earlier this year,” said Brett Callow, a threat analyst at Emsisoft.
Both Callow and Westin are cyber security experts, familiar with ransomware and the dark web.
Westin visited the site.
“Looks like it’s maybe a web server or file share that was compromised and the information on there doesn’t really look critical. It’s just like things around accidents and activity trip invoices, things like that,” said Westin.
Recent ransomware attacks
Westin said it appeared to be a fairly minor attack, especially when compared to the recent hacking incident involving Washington D.C. police attributed to the same group
“They have posted information relating to individual officers and they have threatened to release details on informants to the criminal gangs on which they’re informing,” Callow said.
He said ransomware attacks have been aimed at bigger companies and organizations in recent years but during the pandemic, with school districts all over relying more on computers, they’ve also become a target.
“There were about 60 attacks on school districts in 2020 and they affected about 1,600 schools in total,” Callow said.
“In some cases the data that’s been posted has been extraordinarily sensitive. In one case there were details of sexual abuse allegations by and against named students,” added Callow about a separate ransomware incident.
Westin said that a precise number of attacks is difficult to pinpoint because some don’t come to light after a ransom has been paid.
What the district is saying
Meantime, back at the Centennial School District, spokesperson Carol Fenstermacher said in a statement, “While the investigation is still ongoing, the District can confirm the attackers claimed to have exfiltrated and published data from the District's systems. Centennial is still working to determine the full scope of data exfiltrated and published, as well as whether that data contains any sensitive information. The District takes the security and privacy of information entrusted to it seriously, and the District will respond accordingly as it learns what specific information was exfiltrated or published. We regret the inconvenience and worry this incident has caused.
"Also, as we previously reported, we notified federal law enforcement of this incident, and we are currently cooperating with law enforcement.
"The Centennial School District appreciates our students, their families and our staff's patience as we continue to investigate and respond to this incident.”
KGW reached out to the Portland office of the FBI. A spokesperson said, "We are aware of the incident and have offered assistance."
Ransomware is a common problem
Callow said many ransomware gangs are located in Russia or eastern Europe where there’s no extradition treaty. Both Callow and Westin say ransomware is a common problem. Previously, ransomware attackers would target individuals and sell credit information they obtained. Now, targets have become larger organizations.
“They sort of got smart. They realized the data’s more valuable to the organization that we’re actually targeting so let’s go after the data, let’s encrypt it and make them actually pay for it,” said Westin.
“In terms of groups that steal and release data there are close to 30. In total more than 2,000 organizations have had their data stolen and posted online since the start of last year,” said Callow.
The model is complex with numerous groups involved in ransomware attacks, which have become a big moneymaker.
“You have the people who create the ransomware and then the people who then use it to carry out the attacks then they split the profits,” Callow said.
The term “software as a service,” where software is available on a subscription basis, has now become “ransomware as a service.”
“[It’s] where they’re actually renting out infrastructure to other affiliates. So these groups, like Darkside or Babuk, they’re not necessarily the ones that are hacking into infrastructure. A lot of times it’s some other affiliate that’s paying them for using their platform,” said Westin.
He said it’s possible for affiliates to work anywhere in the world with the infrastructure to carry out the attack, based mostly out of eastern Europe.
When it comes to deciding whether to pay a ransom, companies and organizations have to weigh risks.
“They have to identify the risks of that data if it was critical sensitive data or if it brought down a critical system, then they’d be more likely to pay the ransom. But if it’s 10 gigabytes of data that’s probably backed up somewhere else or if it’s easy to reproduce, they may not want to go and pay the ransom especially if they’re looking at $100,000 sometimes, even a million dollars for some of these ransoms,” said Westin.
There is some good news in that any data that may have been stolen and posted isn’t easy to find for the average person. Of course, there are people who do know how to access the data and that’s the concern.
Once data is posted, there’s not a whole lot people can do other than make sure they’ve got measures in place to protect their own sensitive passwords and data. Westin said people should consider using multi-factor authentication and endpoint security to protect themselves.