Montana Public Radio

How Havre Public Schools Handled A Ransomware Attack

Feb 19, 2020
Originally published on February 19, 2020 4:13 pm

 

Havre Public Schools’ computer system was infected with ransomware in early February. The attack knocked out the district’s computers for about a week, but the system is back online now. This is the fourth reported cyberattack on a Montana school district since 2016, according to tech company SecuLore Solutions. State officials say they don’t keep track of cyberattacks of this kind.

YPR News’ Jess Sheldahl spoke with Paul Dragu of the Havre Herald about how the district dealt with the hack.

 

Jess Sheldahl: Can you give us a recap of what happened to the Havre Public Schools computer system?

Paul Dragu: Most of this is based on what the superintendent had told me. From my understanding, he got a call very early on from people on the school staff who had found out that the network system, the computer system, had been hacked by ransomware, and particularly Ryuk, which, over the week, he learned is linked to Russian cyber criminals.

And so as they learned what they had, they called, you know, attack experts. They had their own. They had two staff members, from my understanding, who are also full time, who deal with that stuff. And they called insurance companies. They called the databases that are in charge of their employee and student information. One of the first things they did is they pretty much unplugged anything that was capable of transmitting information, their computers, their printers, phones, all of that stuff.

When I asked about what kind of ransom they were asking for, his exact quote was there was something about in the tens of millions. It was apparently so outrageous. And he made it clear that whatever it was, they didn't even have that kind of money.

Eventually, they learned that their external backup systems were never touched. The information regarding students and employees, as far as they know, was not touched. And by the end of the week, they ended up restoring the system.

JS: So their response seems really effective. Were you at all surprised that they were able to handle this kind of attack?

PD: What I was most surprised about is the amount that he said they were demanding. Which, you know, prompted the next question, which was: do they know what they're asking for? Because clearly, if that's the number that they ask for, it's just ridiculous. It doesn't seem very effective to ask for a ransom that's impossible.

So now, you know, after really doing a little reading on ransomware, from what I understand, I mean, they've taken down like municipalities, hundreds of thousands of people, you know. So in hindsight, yes, I suppose I'm slightly surprised. It seemed very efficient. They did very well. And good for them. You know, in a way, it's a happy ending.

JS: Do you think that smaller school districts like Havre face a larger threat from cyber attacks due to their size, and sometimes, though not in this case it seems, lack of resources?

PD: I would imagine lack of resources may play a role. They seem to do pretty well here. This is not indiscriminate. In this case, it seemed very nondiscriminatory. So that tells me that, you know, anybody can be a victim. And it looked like what they did is they found an entry point. They found, you know, a weak point and they got in. And as far as I'd imagine, resources play a role. But it seems to be like the thing that really saved them is they moved quickly. They got the right people involved. Sounds like their insurance played a role. They have cyber security insurance. I think that's a vital point to make. And all those factors came together and it really helped them get out of this pickle.

JS: Do you know if Havre school district is taking any steps to prevent something similar to this happening in the future?

PD: Yes, they are implementing EDR systems, endpoint detection, response technology. And basically it just looks like a monitoring and alert system. And the point of that is basically to analyze, to patrol, cyber patrol, and look into what's coming in and going out. And, you know, if need be, from my understanding, it will alert the system or the network and obviously the eyes on the screen that there's something going on.

JS: Well, thank you so much for sharing your reporting with Yellowstone Public Radio.

PD: Yeah. Thank you.

Copyright 2020 Yellowstone Public Radio. To see more, visit Yellowstone Public Radio.