A year after the May 2021 breach of some district emails it is still unclear if the incident could have been prevented and if the district paid a ransom to regain any stolen data
VISALIA – It’s been over a year since Visalia Unified email accounts were hacked as part of a cyber security attack to hold district information ransom. And while the district has said the breach was “relatively limited,” questions still remain about whether or not the district could have done more to prepare for and possibly prevent the incident.
The district became aware of the ransomware attack on May 18, 2021, when it impacted the operation of the district’s information technology (IT) systems. Ransomware is a type of malware, short for malicious software, used for digital blackmail: a person or group breaks into a server, locks the legitimate users out of their data and threatens to publish that data unless a ransom is paid. Ransomware typically gains access to a server when one of its users clicks a link or downloads a file, which in turn downloads a virus that locks the user out of their own data.
In a Jan. 14, 2022 email, Interim Superintendent Doug Cardoza said the data breach did not impact the district’s student information system or employee databases and was limited to “some District email accounts.” Visalia Unified has yet to confirm if the district paid any money to restore the data.
“[T]his was a confidential, privileged investigation and VUSD has not been able to provide further comments on this incident and all questions from the media were deferred to our law firm,” the district stated in a May 26, 2022 email in response to the aforementioned questions. The district’s law firm, Lozano Smith, did not return calls as of press time.
Eighteen days before the cyber attack, Tulare County District Attorney Tim Ward sent a letter to the Tulare County Office of Education and school districts in seven cities, including Visalia Unified, warning “there has been ransomware threats targeting institutions and networks inside Tulare County.” The ransomware known as PYSA, an acronym for Protect Your System Amigo, was targeting education institutions in 12 US states and the United Kingdom, according to an alert from the FBI’s Cyber Division, and had already found its first local victim in Woodlake Unified School District.
“It is very important that you share this information with your Information Technology (IT) personnel so they can prepare for potential attacks,” Ward wrote in the April 30, 2021 letter.
Ward sent the letter at the urging of Anthony Benitez, a digital forensic investigator with the DA’s Office nationally recognized for his work in the field. Once ransomware finds a vulnerable entry point into a system, Benitez said it begins rapidly copying all of the files into an online folder. After all of the files have been copied, the software encrypts the folder and then sends out a message notifying the user the files have been locked and can only be restored by paying a monetary ransom.
Benitez, a Certified Cyber Crime Examiner and an instructor for the Department of Justice’s Cyber Crimes Training Program, said the copying process takes between 14 days and eight weeks on average, depending on the size of the network being hacked.
The timeline sheds little light on whether or not the DA’s warning could have prevented the cyber attack on VUSD, as the letter was sent out to districts 18 days before the district became aware of the attack.
Woodlake was first
Benitez said Woodlake Unified reached out to the District Attorney’s Office on April 9 about its attack.
“By luck of the draw, Woodlake just happened to get hit first,” Ward said.
Woodlake Unified Superintendent Laura Gonzales said her IT Department was able to catch the unauthorized access of information within three hours of the initial breach and immediately shut down all of the systems to prevent the spread of the virus.
“It was absolutely devastating because our kids were expecting to be taught virtually and we had no internet,” she said.
Gonzales quickly called the Woodlake Police Department who recommended she reach out to Benitez at the DA’s Office. Her next steps were to notify the Tulare County Office of Education and to warn her fellow superintendents. Hackers never gained access to personnel files or student information but were able to access files on district laptops employees had used for personal business, as most employees were working remotely in the spring of 2021. Gonzales said the district decided not to pay the money to get the information back.
“My board and I said, ‘Absolutely not. We’re not going to reward the thief’,” Gonzales said.
Benitez, who has trained in digital forensic investigations with the FBI, worked closely with Woodlake Unified to identify where the breach occurred. He connected the district with Breadcrumb Cybersecurity in Fresno, which helped speed up the process of rebuilding the district’s system from its most recent data backup and getting WUSD back online, a process that took Woodlake about five days, according to Gonzales. Rarely are the individuals behind cyber attacks identified and brought to justice, so the primary goal of the DA’s office is to help districts get back online as quickly as possible.
“Our Bureau of Investigations Digital Forensics Unit works closely with the FBI to assist in these types of investigations and the recommendation from our experts is to be prepared before it is too late,” Ward stated in the letter.
Benitez said the time it takes an organization to restore its systems depends on how comprehensive the ransomware attack was, how recent the backup is and the amount of staff working to rebuild the system. In the case of VUSD, Cardoza said district staff took swift action to shut down systems district-wide, allowing VUSD to identify and stop the ransomware attack before it took full effect. Most of those systems were back online later that day, lending credence to the district’s claim “the ransomware attack failed,” according to a Jan. 14, 2022 email from the interim superintendent.
Ward said Visalia Unified did not reach out to his office for assistance following the warning letter, but he did say the letter included a report from the FBI with information about this specific type of ransomware and recommendations that districts test their systems for vulnerabilities to help them “prepare for potential attacks.”
The recommendations included:
- Regular backups stored offline
- Separation between networks within an organization
- Multifactor authentication for users, where possible
- Keep software and firmware up to date
- Implement a recovery plan in case of a breach
- Regularly change passwords to network systems and accounts
- Disable unused remote access ports and monitor remote access logs
- Audit user accounts with administrative privileges and limit where possible
- Only use secure networks and avoid using WiFi
- Install and regularly update anti-virus and anti-malware software on all hosts
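Two of the recommendations above, monitoring remote access logs and auditing accounts with administrative privileges, lend themselves to a routine check that an IT department could run. The script below is an added example written for this article, not code from the FBI alert, the DA’s Office or any district; the log lines, account names, the `APPROVED_SOURCES` address range, the `APPROVED_ADMINS` set and the thresholds are all constructed assumptions chosen to illustrate the checks.

```python
"""Added example: review OpenSSH-style remote-access log lines and an account
inventory against two of the recommendations quoted in the article
(monitor remote access logs; audit and limit administrative accounts).
Every log line, account and address below is constructed for illustration."""
import ipaddress
import re
from collections import Counter

# Constructed auth log lines in OpenSSH format (not real district logs).
SAMPLE_LOG = """\
May 17 22:01:03 fileserver sshd[2101]: Accepted publickey for backupsvc from 10.20.0.15 port 51022 ssh2
May 17 22:04:11 fileserver sshd[2144]: Failed password for admin from 198.51.100.23 port 40011 ssh2
May 17 22:04:13 fileserver sshd[2144]: Failed password for admin from 198.51.100.23 port 40011 ssh2
May 17 22:04:16 fileserver sshd[2144]: Failed password for admin from 198.51.100.23 port 40011 ssh2
May 17 22:04:19 fileserver sshd[2144]: Failed password for admin from 198.51.100.23 port 40011 ssh2
May 17 22:04:22 fileserver sshd[2144]: Failed password for admin from 198.51.100.23 port 40011 ssh2
May 17 22:05:40 fileserver sshd[2150]: Accepted password for admin from 198.51.100.23 port 40012 ssh2
May 17 23:10:02 fileserver sshd[2210]: Accepted publickey for jsmith from 10.20.1.40 port 50110 ssh2
"""

# Hypothetical approved remote-access sources (e.g. a district VPN pool).
APPROVED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]
# Number of failures from one (user, source) pair that counts as a burst.
FAILED_LOGIN_THRESHOLD = 5

LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth_log(text):
    """Return one dict per recognised sshd authentication line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def source_is_approved(src):
    """True when the source address falls inside an approved network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in APPROVED_SOURCES)


def review_remote_access(text):
    """Flag failed-login bursts, logins from unapproved sources and
    password-only logins (the alert recommends MFA where possible)."""
    findings = []
    failures = Counter()
    for ev in parse_auth_log(text):
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key] += 1
            if failures[key] == FAILED_LOGIN_THRESHOLD:
                findings.append(("failed-login-burst", ev["user"], ev["src"]))
        else:
            if not source_is_approved(ev["src"]):
                findings.append(("login-from-unapproved-source", ev["user"], ev["src"]))
            if ev["method"] == "password":
                findings.append(("accepted-password-login", ev["user"], ev["src"]))
    return findings


# Constructed account inventory: (account, has admin rights, days since last login).
SAMPLE_ACCOUNTS = [
    ("jsmith", False, 1),
    ("itadmin", True, 2),
    ("admin", True, 0),
    ("oldvendor", True, 200),
    ("backupsvc", False, 0),
]
# Hypothetical list of accounts that are supposed to hold admin rights.
APPROVED_ADMINS = {"itadmin"}
STALE_DAYS = 90


def audit_admin_accounts(accounts):
    """Flag admin accounts that are not on the approved list or have gone stale."""
    findings = []
    for name, is_admin, days_since_login in accounts:
        if is_admin and name not in APPROVED_ADMINS:
            findings.append(("unapproved-admin", name))
        if is_admin and days_since_login > STALE_DAYS:
            findings.append(("stale-admin", name))
    return findings


if __name__ == "__main__":
    for finding in review_remote_access(SAMPLE_LOG) + audit_admin_accounts(SAMPLE_ACCOUNTS):
        print(*finding)
```

Run against the constructed data, the script reports the burst of failed passwords against `admin`, the subsequent password login for that account from an address outside the approved range, and two admin accounts (`admin`, `oldvendor`) that are not on the approved list, one of which has not logged in for more than 90 days. In practice the address ranges, admin list and thresholds would be replaced with the organization’s own, and the review scheduled to run regularly rather than once.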
“No matter what business we are in, from education to government, from supermarkets to business offices, we are living in an era where our IT personnel are critical to the safety and security of our daily functions,” Ward stated in his letter.
Any organization, business or individual who has been the target of a cyber attack is encouraged to reach out to the District Attorney’s Office by calling (559) 636-5410 or the FBI directly by emailing [email protected] or calling 1-855-292-3937.