The Los Angeles Unified School District (LAUSD) is now slowly moving back to capacity after a ransomware attack launched over Labor Day weekend, which prompted an unprecedented shutdown of computer systems in an attempt to contain the effects of the malicious software. The attack on LAUSD, the second-largest school district in the US, put officials on high alert, with fears over lockouts from school management systems and unauthorized access to student data triggering a response from federal, state, and local partners.
But it’s not the first time LAUSD systems have been exposed to ransomware — and not the first warning the district has received about ransomware. The same systems narrowly avoided being hit with another similar attack in February 2021 after a system compromise, as confirmed by Hold Security CEO Alex Holden.
Holden told The Verge that his company discovered a device on LAUSD’s systems that had been compromised by the TrickBot banking Trojan, which is able to steal financial credentials from a target system and can also be used to install more damaging malware such as ransomware. (The 2021 intrusion was first highlighted by journalist Jeremy Kirk on Twitter.)
LAUSD was notified through a third party, Holden says, and presumed to have taken action. Soon afterward, the compromised device disappeared from the TrickBot botnet. Holden described the incidents as a “close call” for the school district, adding, “Unfortunately, this time it turned out differently.”
LAUSD has a total of more than 600,000 students, meaning the potential impact of the attack is huge. In a press release issued on September 7th, the district said that it was still moving toward full operational capacity but had encountered difficulties regaining access to systems.
On Tuesday, the district said that it had reset more than 53,000 student and employee passwords. But this prudent step also created further problems.
“While the District’s ability to intercept the attack by deactivating all our systems was the swift, decisive and prudent action to avoid a catastrophic breach, the recovery from the disruption has proven more challenging than initially anticipated,” the statement reads. “Password resets have and remain Los Angeles Unified’s biggest challenge, as students and employees must complete resets at District sites.”
Despite the password difficulties, LAUSD has still managed to return many other systems to an operational state. Earlier in the week, LAUSD superintendent Alberto Carvalho tweeted that some critical systems had been restored within two hours.
But experts say that full recovery from such an attack is not something that can be done quickly. Jon Miller, CEO and co-founder of anti-ransomware platform Halcyon, told The Verge that even seemingly restored systems can still be vulnerable.
Attackers often find targets using compromised login credentials, Miller said, or find other ways to bypass security products installed on the network. In some cases, these techniques give hackers persistent access to networks when a fix is attempted.
“Even if a victim has backups, they will need weeks and months of expensive recovery and incident response that must be completed to ensure the network is safe to run fully again,” he said.
LAUSD may be one of the largest school districts in the nation, but it’s far from alone in dealing with ransomware attacks. Doug Levin, who maintains a database of publicly disclosed school cybersecurity incidents, was able to point The Verge to four other school ransomware incidents that had taken place within a month of the LAUSD attack.
According to Levin, factors that make schools vulnerable range from resource constraints to a failure of school leadership to keep up with digital transformations in the learning environment. But policymakers were also responsible for leaving schools to set their own standards for cyber preparedness.
“On the cybersecurity policy side, the needs of school districts for support have been largely overlooked,” Levin said.
Nonetheless, in the aftermath of the attack, federal officials warned that ransomware attacks on schools may increase.
A joint cybersecurity advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned that federal agencies have “observed … actors disproportionately targeting the education sector with ransomware attacks.”
Cyberattacks on schools may increase in the 2022–2023 school year as ransomware groups see opportunities for successful attacks, the advisory said, with K–12 institutions being attractive targets due to the amount of sensitive student data they handle.