Sun Sentinel Palm Beach Edition

Experts: Hacker crew’s latest scam target is school districts

- By Andrew Boryga 954-356-4533 or aboryga@sunsentinel.com, Twitter @borywrites.

The hackers who tried to extort Broward County Public Schools for millions early this month are a tightknit crew of ransomware scammers tied to nearly 300 attacks over the last five months, according to security experts.

Conti, as the group is known, first appeared near the tail end of 2020, said Chester Wisniewski, a principal research scientist at Sophos, a global cyber-security company that monitors ransomware threats.

The group, Wisniewski said, has set its sights on local governments, hospitals and now school districts. They pick the targets, he said, because security systems are often weak, overlooked and underfunded.

Wisniewski said Conti is a relatively new group among a dozen or so “big game hunter” crews in the ransomware underworld that collect million-dollar payouts by marshaling coordinated attacks on businesses and organizations.

Most crews, he said, operate out of Russia or nearby countries that don’t extradite criminals to the U.S.

After getting individuals within their target companies or organizations to allow them access into systems through spam emails, fake websites or other tricks, they set about gathering sensitive data like Social Security numbers, dates of birth and financial records and holding them hostage until a ransom is paid.

Often ransoms are paid in Bitcoin, a cyber currency that Wisniewski said can be quickly laundered into other cryptocurrencies that are hard to trace.

In February, the FBI reported that over $144 million in Bitcoin was paid out in ransoms between 2013 and 2019.

Wisniewski said ransomware attacks have been around since the 1990s but they have become more sophisticated and gone after bigger and bigger targets since 2013.

A national cyber task force made up of 15 government agencies investigates the attacks in the U.S., according to the FBI. The task force particularly focuses on attacks of networks that belong to hospitals, local governments, municipalities, and police and fire departments.

“These types of attacks can delay first responders in responding to emergencies or prevent a hospital from accessing lifesaving equipment,” an FBI release said in February. “It is imperative these organization be prepared in the face of the ransomware threat.”

According to Wisniewski, these agencies are often unprepared and ripe targets.

Unlike private companies and state and federal government agencies, smaller government bodies and school districts don’t often have the same resources to spend, he said.

Their money is supposed to be prioritized on services to the community like patching potholes or hiring teachers, which can create conflicts when it is instead directed to security efforts.

If a city government were to spend $500,000 of public money to upgrade its security systems and another $200,000 to hire a top technology professional, citizens might be up in arms, Wisniewski said.

A spate of cities in Florida were hit with ransomware attacks in 2019. They included Stuart and Key Biscayne, which were able to fend off the attacks using computer backups. The city of Riviera Beach was less fortunate and forked over $600,000 in Bitcoin to regain access to its locked computer system.

Chris Persaud, chief information officer for the city of Riviera Beach, took the reins of the city’s information technology system in 2020. He said that in addition to the ransom money, which was paid out through an insurance policy, the city spent $1 million more to shore up its security systems and add staff.

Persaud said getting money to spend on cyber security is one challenge, but a bigger one is the fact that city governments are subject to public records laws, which often air out their security strategy for anyone to see, including potential hackers.

“We’d rather not post our cyber-security risks out there or the tools we’re using,” he said.

In September 2020, a 16-year-old student crippled the Miami-Dade County Public Schools’ online learning system just as kids were set to go back to school. Attacks against school systems are on the rise, experts and law enforcement officials say.

In December 2020, the Cybersecurity and Infrastructure Security Agency, a federal agency, said cyber criminals like Conti have been aiming their sights more on schools due to the transition to remote learning during the COVID-19 pandemic.

From August to September, 57% of reported ransomware incidents involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July, the agency said.

Schools are data-rich environments due to the information they keep related to students, teachers and contracts that can be coveted on the dark web. The transition to distance learning likely made cybersecurity gaps more pronounced, leaving them more vulnerable, the Cybersecurity and Infrastructure Security Agency

The agency has launched ransomware awareness campaigns to educate schools, including the biggest piece of advice: Do not pay the ransom money.

Doing so, they said, only emboldens the criminals and provides an incentive for other groups to get in on the scheme.

In addition, Wisniewski said that victims who pay a ransom more often than not have to pay just as much if not more money to upgrade their security systems to guard against future crimes.

“Whether you pay or not, you’re on the hook for a bad week,” he said.
