
topicnews · September 21, 2024

The clock is ticking on ransomware attack on Providence schools • Rhode Island Current


There are six days left before a hacker group threatens to release over 200 gigabytes of data stolen from the Providence Public Schools Department (PPSD) unless the troubled school district pays a $1 million ransom.

The hacker group Medusa claims responsibility for the alleged data theft, which apparently includes a cache of parents’ emails, phone numbers and addresses, as well as driver’s licenses and identification information from district employees’ work cell phones (as of January 2024).

The potential data leak came a week after the district sent a letter to the PPSD community on Sept. 12 noting “irregular activity” on the school district’s network. The district hired an outside IT company to determine next steps, and then shut down internet access in all district schools and offices to prevent further damage. As classrooms returned to traditional instruction, a forensic analysis of the suspicious activity began.

“IT staff followed appropriate security protocols and worked to isolate the issue, which has now been contained,” the letter said. “The school’s security systems and protocols remain active while classes continue.”

Superintendent Javier Montañez provided an update in a Sept. 16 letter: “Currently, all Internet-connected systems remain down while IT professionals are working diligently to assess the network and determine next steps for a quick resolution. … We would like to emphasize that at this time, there is no indication that PPSD data has been impacted.”

In another letter dated September 16, Montañez repeated that “initial findings did not indicate that the district’s data had been compromised.”

GoLocal Prov and national technology news portal Comparitech have reported the ransomware group Medusa as the culprit. And on Wednesday morning, Providence School Board President Erlin Rogel issued a statement saying the board would meet with Montañez in closed session Wednesday evening during a regular session.

“The Providence Public School District has experienced a network security breach and the school district intends to address it immediately,” Rogel said Wednesday morning.

“Tonight we are meeting in a board meeting to hear from the superintendent how the breach occurred, what steps are being taken to remediate it, and how we will support students and families during the outage. We also want to hear what liability our network security provider has and what steps are being taken to ensure this does not happen again.”

“As is our practice, the district and its professional third-party IT agency contacted the RI State Police, Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) last Wednesday,” PPSD spokesman Jay G. Wégimont said in an email Wednesday. “Please note that this was also done out of an abundance of caution and that analysis is ongoing.”

The Rhode Island Department of Education, which oversees Providence schools, is aware of the situation and is “working closely with the district,” said spokesman Victor Morente.

“To our knowledge, a forensic analysis of the network is currently underway, which will provide further information on the incidents,” Morente said. “That is all we have at this time.”

The Providence School Board will meet with the superintendent of schools in a closed session Wednesday evening to discuss the next steps following a data breach and hackers’ demand for a $1 million ransom. (Alexander Castro/Rhode Island Current)

Internal memos, invoices and potentially confidential information

Ransomware works by encrypting files into unusable formats and then forcing the data’s owners to pay, usually within a specified period of time. True to its snake-haired namesake, Medusa petrifies files into an unusable format which can only be decrypted by the attackers themselves. The group also publishes the files publicly at the end of the countdown if the ransom is not paid.

On Monday, nearly a week after the network outage was announced, a ransom note page was posted containing a series of 41 watermarked screenshots that supposedly provide a preview of the data dump. Some of the information was already publicly available, such as requests for proposals and tender documents for county contractors.

Much of the data, however, is not intended for sharing. Among the items previewed are: internal memos, invoices, computer inventories, student lists and a meeting transcript that was intended for the parents of a student who receives special education. Another spreadsheet appears to obscure student names but lists developmental disabilities. Some of the files appear to belong to individual teachers’ computers provided to them by the school district. The largest folder contains a number of subfolders containing potentially sensitive human resources, technology, communications and special education information.

The hackers apparently gave the school district several options: For $100,000, the timer can be extended by one day. For $1,000,000, the data can be deleted or downloaded. The source code of the site suggests that payment would be made in Bitcoin, the best-known cryptocurrency.

PPSD is one of eight ransomware attempts currently listed as in progress on the Medusa blog. The most recent – Compass Group, a food company in Australia – was posted on Tuesday and demands a ransom of $2 million for nearly 800 gigabytes of data. Compass Group confirmed to Cyberdaily.au on Wednesday that it is being extorted by Medusa.

The Medusa group is unusual among ransomware actors in that it also has a presence outside the dark web and publishes the results of its illegal activities on websites outside the dark web, according to cybersecurity researchers at Unit 42. The group rose to prominence in 2023 and has carried out a series of ransomware attacks this year, typically targeting healthcare, education, technology, and manufacturing companies. The ransomware uses “living off the land” techniques to infiltrate targets, which means abusing the tools and network infrastructure already present in the victim’s environment rather than relying on custom malware. Computers running Windows are the usual targets.

Meanwhile, PPSD still has a job advertisement online for a Senior Director of Information Technology. The position has been open since May. Wégimont acknowledged a request for clarification on whether the position is still open, but did not respond by press time on Wednesday.

The 2024-2025 budget provides for 13 full-time positions in PPSD’s information services.
