JEROME, Idaho (AP) — Nearly six weeks after being hit by a massive ransomware cyberattack, the Jerome School District is still working to recover.
On Dec. 11, school district officials found out much of its data was encrypted. Each affected file included a message from the cybercriminal: If you want your data in a usable form again, you must pay us four bitcoin.
The value of the virtual currency fluctuates. But at the time, it was equivalent to a total of $65,000.
The Jerome School District didn’t pay the ransom. School officials opted to rebuilt server systems using backed up files — ones that hadn’t been affected by the cyberattack.
“I know we’re very fortunate to have the (information technology) staff we have,” business manager Brian Bridwell said Friday. “Without this group we have, I don’t know what we could do. I don’t know legally if a school district can pay a ransom.”
The best information the school district has now is the cyberattack encrypted data, but wasn’t a theft and no confidential information was compromised, Superintendent Dale Layne said. “To our best of our knowledge, there wasn’t any data stolen.”
School district officials weren’t available to provide information to the Times-News about the incident shortly after it occurred.
It was the Jerome School District’s first time as the victim of a ransomware attack. The Idaho Attorney General’s Office hasn’t been notified of any other school districts affected, spokesman Scott Graf wrote in an email to the Times-News.
But it doesn’t mean school districts and businesses aren’t being targeted, he said. Crimes may have been reported to local law enforcement agencies instead.
The Jerome School District has now been able to restore its most of its computer systems, such as payroll and its student database.
“We have the critical data restored for the most part,” Layne said.
About 95 percent of processes are functional, but there are still some connectivity issues, such as with a food service computer program and PowerSchool, a student management system.
And the school district is still using a temporary website.
Within a week after the cyberattack, the school district started working with Kroll, a worldwide cyber security company. The school district’s insurance carrier is covering that cost, Layne said.
So far, “they haven’t been able to give specific answers about what information has been affected,” Layne said, but it’s very similar to other cases they’ve seen across the nation. “We’re trying to find out how (the cybercriminals) got in.”
Layne has done research and found out similar cyberattacks have happened all over the nation.
“It sounds like they — whoever they are — do try to go after municipalities like schools and hospitals,” he said, because they don’t tend to have a large IT staff.
The school district’s three-person technology department — with help from Jerome High School IT workers and the district’s vendors — spent hours restoring and cleaning up systems, rebuilding computers and buying new equipment. It also had to upgrade some of the server systems.
There were multiple backups, Layne said, but some were affected by the cyberattack.
“Kroll was very complimentary to our IT department,” Layne said, adding the company was surprised the school district had backed up files it could get up-and-running so quickly. “There have been situations where whatever entity paid ransom to get data back.”
All of the Jerome School District’s campuses were affected by the cyberattack. The district has about 4,000 students and several hundred employees.
One of the biggest impacts: The phone system was down for a couple of days.
“The phones were one of the primary systems we restored first,” Bridwell said, followed by the district’s financial software later on.
When phones weren’t working, parents couldn’t call in their child’s school absence. Instead, parents were asked to send an email to all of the school secretaries and they’d receive a phone call back from a school employee via cell phone.
In classrooms, some lesson plans were affected. All Windows-based computers in classrooms and computer labs weren’t working. But mobile computing devices such as Chromebooks were still up-and-running.
At school campuses, day-to-day life is somewhat back to normal. But it’s still an ongoing effort at the school district office and the extra workload continues.
As a result of the cyberattack, “we’ve learned a few things,” Layne said. “We’re doing a better job with preparing.”