In February, teachers at the 53 schools in Horry County, S.C., arrived at work to find they could not access the data on their computers.
The first teacher to contact the IT department complained that she could not open her documents and presentations, and they had filenames ending with a .encryptedRSA extension. As other teachers called, the school district’s IT workers quickly realized that they had been hit by ransomware, and they took drastic steps, Charles C. Hucks Jr., executive director of technology for Horry County Schools, told members of the Senate Judiciary Committee Subcommittee on Crime and Terrorism on May 18.
“After the third school called with reports of encrypted files, the decision was made to shut down all district servers—well over 600—in an attempt to stop the encryption from continuing,” he said. “It was big, and it was virtually everywhere.”
Calling the incident “one of the most disruptive events in our history,” Hucks told lawmakers that while it’s easy for security experts to tell businesses to have good backups and never pay a ransom, the reality is that recovery is so difficult that paying criminals a fee is cheap by comparison.
“Even when backups exist, a restoration effort of this size to remote servers can take weeks and weeks, and each day [that] students and teachers do not have access to data that has been encrypted has a dollar value which rapidly exceeds the cost of … paying the ransom,” he said in prepared comments.
In the end, the school district paid the criminals nearly $10,000 to get the keys needed to decrypt their data.
The subcommittee hearing comes as incidents of ransomware are taking off.
The Internet Crime Complaint Center (IC3), a service maintained by the FBI, received more than 7,600 ransomware complaints between 2005 and 2015, according to Richard W. Downing, acting deputy assistant attorney general at the Department of Justice. Yet, the trend has accelerated, with citizens registering nearly a third of those complaints in 2015 alone, he said in a prepared statement.
In a blog post published on May 18, security firm FireEye stated that its customers have seen a significant spike in ransomware activity, with about six times as many of FireEye’s security appliances detecting ransomware in March 2016 as the month before.
While many companies and organizations are infected with ransomware after a worker clicks on a link or attachment in an email, the Horry County incident occurred after a cyber-criminal group found an Internet-connected server running a vulnerable version of the JBoss application server.
“The version of the application used requires an old version of JBoss, one that contains known vulnerabilities of remote code execution, and these vulnerabilities were used to install software on the server, take control of the server, and replicate throughout the server infrastructure of the district,” Hucks said in prepared comments.
In April, Cisco and other firms warned about the server vulnerability being used to attack K–12 schools and other organizations.
Hospitals, schools and small businesses have become common targets of ransomware attacks, Adam Meyers, vice president of intelligence for security-services firm CrowdStrike, who also testified in the Senate subcommittee, said in a prepared statement.
“Threat actors have likely taken note that victims such as hospitals have paid ransoms in the tens of thousands of dollars in order to recover their data, prompting them to look for other victims who provide critical services to target,” Meyers said.