It was like a sudden punch in the gut, eliciting the feeling that things were about to get much worse before they would get better.
“An employee opened an email and introduced a virus into the system, and from there it spread like wildfire and just took over,” Taos Municipal Schools Superintendent Lillian Torrez said, referring to the ransomware attack that shut down the district’s computer system.
The attack in February 2019 was costly in time and money.
“It was a wakeup call,” Torrez said. “We don’t think this can happen to us. It’s just hard to believe, and when it does happen, you get this sinking feeling because you don’t want to believe it.”
Torrez is not alone. Two other school districts, one university, one New Mexico city, one county and one state government agency have collectively spent millions of dollars to regain control of their computer systems after employees unknowingly opened emails containing malicious code that effectively locked them out of their systems.
An alert or ransom note is usually displayed on monitors, telling victims how much the ransom is and how to pay it in order to access a digital key, or code, that returns control of the computer system to the victims.
The ransomware attacks occurred between January 2018 and February 2020.
The New Mexico victims were not targeted because they were perceived to have an abundance of cash; rather, they were the victims of a practice called “phishing,” in which hackers send out a blanket mailing of hundreds or thousands of emails, explained Mary Adkins, supervisory special agent of the cyber squad in the Federal Bureau of Investigation’s Albuquerque field office.
“They’re going after school districts, hospitals, health care companies, law enforcement services, governments, individuals, mom and pop businesses – it’s a numbers game for them,” she said. “Whatever they get their hooks into, that’s what they go after.”
The most recent attack victimized the Gadsden Independent School District in February. Computer servers, internet, phones and email service across all 24 schools were locked out, said district spokesman Luis Villalobos.
Technicians are now “scrubbing and reloading about 8,000 individual devices throughout the system – they have to start from scratch and reboot the entire system on each device,” he said. “It’s a daunting task and a major inconvenience bordering on a disaster.”
And it’s the second time it’s happened to the district.
The most likely cause was a computer that had been infected in the ransomware attack the previous July and was reconnected to the network without first having been checked by the technology department, Villalobos said.
No payroll, personnel or student data was compromised. The full cost of the recent attack is not yet known, but restoration after the previous attack took four months and set the district back about $1.9 million, he said.
“We kind of take for granted the convenience and immediacy of internet communication, so when this happens it shows our vulnerability. We are trying to create a firewall to prevent this in the future, but the reality is, even with the best protections, anybody who is dependent on the internet can be a victim.”
Often, the hackers seek a ransom to be paid in bitcoin, monero or some other form of cryptocurrency, which is commonly used on the “dark web” to purchase things that may be illegal or at least questionable, Adkins said.
The value of cryptocurrency fluctuates widely, but a single bitcoin today is worth just under $10,000.
The FBI investigates ransomware attacks because it’s a federal crime involving international wire fraud, as well as a violation of the Computer Fraud and Abuse Act.
While many ransomware attacks lock the user out until a ransom is paid, the FBI is seeing an uptick in “combination attacks,” in which data is stolen before locking out the computer.
“Sometimes the malware will just sit on the network and listen for any traffic coming through, including email communications, possibly sensitive business documents, whatever they can get they’ll take,” Adkins said.
The ransomware attacks on the New Mexico entities were of the lockout-only kind, and none of the victims reported data or confidential information being compromised. Neither did any of the victims communicate with the hackers directly, though the ransom of one victim was paid through an insurance company.
In nearly every case, computer hard drives, servers, files and devices attached to the system had to be wiped clean by deleting programs and operating systems and then reloading them. The task was easier where backup systems existed that were not attached to the servers and therefore remained uncorrupted.
According to Adkins, the number of ransomware attacks is growing nationally. The same goes for New Mexico, where 15 attacks were reported in 2019 compared to seven in 2018.
“One challenge is it’s an under-reported crime,” she said. Victims fear bad publicity if it becomes public that their files may have been compromised.
Even people who do report the crime don’t always subsequently report that they paid a ransom, Adkins said. Consequently, it’s difficult to calculate the actual cost of a ransomware attack, particularly when factoring in the value of productivity lost and time invested to restore the system.
And while the FBI is pretty certain that ransomware attacks are not originating in the United States, it’s difficult to determine which countries they do come from.
“It’s very easy to obfuscate the IP (Internet Protocol) addresses that are used to send those emails through VPNs (virtual private networks),” Adkins said. “And usually they go through several hops before actually reaching the target.”
The geographic location, however, “isn’t as relevant because it’s not generally state actors we’re seeing; it’s more individuals and organized crime,” she said. Further, it is difficult to prosecute these individuals because they usually live in countries that aren’t friendly to extradition, she added.
Consequently, the FBI’s primary focus is on ransomware prevention.
San Miguel County was unable to prevent the ransomware attack last January that locked out 10 computers and compromised its backup system, but the computers were up and running quickly because the county purchased insurance, which paid the ransom, said Taylor Horst, risk management director of the New Mexico Association of Counties.
“We offer a commercial cyber liability insurance policy to our members,” Horst said. So when the attack occurred, “San Miguel County called the hotline, the carrier immediately hired a legal firm and they immediately hired an IT forensics firm that started dealing with the bad guys on the dark web.”
The forensics firm negotiated a ransom of 24 bitcoins, worth about a quarter of a million dollars, down from the original ransom demand of 43 bitcoins, Horst said.
“At some level, it’s fair to say that no county in New Mexico is safe.” In fact, he added, no business entity is safe. “All it takes is one person to click on a fraudulent email and then ostensibly the entire network can get infected. It takes an enormous amount of education as well as proper network segmentation to avoid getting infected.”
Even with that, “there are no guarantees.”
The attack at Taos Municipal Schools affected 16 servers and 61 computers across seven of the 10 schools in the district, sparing only the charter schools, each of which had a separate system, Torrez said.
The district’s financial system was up and running within six hours because it had been backed up; unfortunately, no such backup existed for the library program.
“The software with every book in our district had to be reconstructed,” Torrez, the superintendent, said. “We had to hire district employees over the summer at an hourly rate to reconstruct it, to go through every book and code it.”
The district also hired an IT contractor who worked until 2 a.m. for a couple of months after the ransomware attack.
Torrez called the situation “shocking and unpleasant.”
Thus far, the attack has set the district back about $187,000, with another anticipated $11,000 in expenses for upgrades and added security, she said.
“We now have 24-7 monitoring and other safety measures in place. We learned the hard way.”