Athens ISD recovers data on backup, won’t pay ransom


From Athens ISD

ATHENS, Texas - On Tuesday morning, the tech team at Athens ISD became aware the district had fallen victim to a ransomware attack, which encrypted many years’ worth of vital data stored on school district servers. On Wednesday, the AISD Board of Trustees authorized payment of up to $50,000 to cybercriminals in return for a crypto key to unlock the data. At the same time, the district’s IT department, aided by regional and federal cyber response teams, executed a careful and meticulous response protocol with the hope that one of the backup systems might yet hold uninfected data. On Thursday, the second backup server was analyzed, and there it was: an uninfected Skyward backup only a few days old.

“It felt incredible,” reports AISD Technology Director Tony Brooks, who has worked nearly round the clock since discovering the attack. “The Skyward database is the most important one we have.”

Skyward went back online Friday afternoon, making it possible for student registration to continue in preparation for a virtual return to school. At this time, the new Aug. 10 start date seems likely to remain in place, though an announcement will be made as soon as possible in the event more time is needed for recovery.

“We’ve built a new domain controller and recovered Skyward, but we have a lot of work left to do. Everything will be brand new when we’re done. We have to make sure all the data is clean,” said Brooks. “We won’t be able to recover data from employees’ individual computers. We’ll have to go to every computer in the district and install new hard drives.”

Brooks also noted that even as they worked to recover data, negotiation efforts reduced the ransom demand from $50,000 down to $25,000.

“Though the payment was approved, we never stopped trying to find a solution,” said AISD Superintendent Dr. Janie Sims. “The board deserves credit for recognizing how dire the loss of data would have been to our district, requiring months to rebuild, delaying the school year significantly, and ultimately costing us much more than the ransom amount.”

Engineers from the cybersecurity firm Fortinet have confirmed there is no evidence of any data being removed from district servers by the criminals. “They are able to tell if any data left our district by looking at our logs,” said Brooks, “and there is no sign of data removal. We have no reason to believe anyone’s personal information was taken.”

“Mr. Brooks deserves a massive amount of credit for his efforts and professionalism,” said Sims. “He worked tirelessly. And we’re also grateful for the ongoing assistance from the Region 10 Educational Service Center, Fortinet, and the Center for Internet Security.”

The experts from Fortinet say the virus — identified as COVID4YOU — originated from overseas and appears to be a new one.

“Cybercrime is getting worse and worse every day,” said Brooks. “It’s a huge battle. No amount of money can keep any organization totally safe.”

The effort to identify weak spots and make improvements in the district’s online security protocols is ongoing.

“We had to follow a really specific and meticulous protocol, and so it wasn’t until, I want to say, sometime Thursday that we identified that the second backup server did indeed have clean data, our most important database was uninfected,” said Athens ISD Communications Coordinator Toni Clay.

Clay said the district is very fortunate their safety protocols worked.

“We’re very fortunate that the safety protocols in place, while not foolproof, because frankly there is no such thing as an entirely foolproof safety protocol for cyberattacks, but what we had in place did indeed work, so we were jubilant, to put it mildly,” Clay said.

Clay also said they are reviewing their safety protocols so the district can be better prepared when and if another cyberattack comes in the future.

“We’re fortunate we’ve come out ahead and we’re reviewing our safety protocol, our online safety protocols, so that we can be that much more prepared for the next attack should it come, although we certainly hope it does not,” Clay said.

Copyright 2020 KLTV. All rights reserved.