FORT LAUDERDALE, Fla. -- The computer system of one of the nation's largest school districts was hacked by a criminal gang that encrypted district data and demanded $40 million in ransom or it would erase the files and post students' and employees' personal information online.
Broward County Public Schools said in a statement Thursday that there is no indication that any personal information has been stolen and that it made no extortion payment to the ransomware gang, which as an apparent pressure tactic last week posted screenshots of its online negotiations with the district to its site on the dark web.
The Fort Lauderdale-based district said it is working with cybersecurity experts "to investigate the incident and remediate affected systems. Efforts to restore all systems are underway and progressing well. We have no intention of paying a ransom." The district did, after two weeks of back and forth, offer to pay $500,000, at which point the ransomware criminals apparently ended negotiations, according to the hackers' screenshots.
The district declined further comment outside its statement. With 271,000 students, Broward is the nation's sixth-largest school district with an annual budget of about $4 billion -- a fact the hackers kept returning to as they demanded $40 million, to be paid in cryptocurrency. The ransomware caused a brief shutdown of the district's computer system in early March, but classes were not disrupted.
"It is a possible amount for you," the Conti gang said early in its negotiations with a district official, whose name does not appear in the screenshots and has not been released. Its data-locking malware is one of the top 10 strains of ransomware.
"This is a PUBLIC school district," the Broward negotiator replied. "You cannot possibly think we have anything close to this!" It was unclear if the representative was a district employee or, as is often the case, a hired ransomware negotiator.
The FBI usually investigates such attacks, but said it would not confirm if it was investigating this one.
An epidemic of ransomware attacks has been plaguing government agencies, businesses and individuals for the past three years. Most are Russian-speaking gangs based in Eastern Europe and enjoy safe harbor from tolerant governments.
After the ransomware is activated, the criminals demand money to unlock the malware and refrain from posting -- or selling -- stolen data. In the case of corporations, that data could be trade secrets. In the case of retailers or government agencies it could be Social Security, bank account numbers and birth dates. Conti claimed it stole from Broward's system Social Security numbers, birth dates and other student and employee information.
Overall, ransomware attacks disrupted learning at 1,681 schools, colleges and universities in 2020 and at least 544 so far this year, said analyst Brett Callow at Emsisoft, a cybersecurity firm. Seven districts had personal data published.
Many ransomware cases go unreported due to the liability and stigma attached to victims. Cybersecurity firms have good data on ransoms paid in part because negotiations between victims and hackers occur on dark websites that researchers learn about through shared malware samples where criminals typically leave ransomware notes with instructions and demands. An entire subindustry has also emerged to help victims manage the emergencies.
In Conti's negotiations with Broward, after the gang's initial $40 million demand, it said it was willing to negotiate: it would accept $15 million in Bitcoin but it had to be delivered within 24 hours. Otherwise, it would upload the personal information it claimed to have and permanently lock the computer system. Conti said legal claims against the district for losing the data would exceed $50 million, so it should consider its demand a bargain.
"Pay $15M and you guys are guaranteed to solve your problem," Conti told the district.
The district insisted it still couldn't afford it and, in any case, didn't have access to Bitcoin. Ransomware gangs demand payment in cybercurrency because it can be difficult to trace.
The negotiations continued for two weeks, with Conti eventually lowering its demand to $10 million. The district made its $500,000 counteroffer. That is the last screenshot posted.