New information has emerged about the recent cyberattack that targeted Regina Public Schools, forcing it to shut down all internet-based systems such as email and other education tools.
CBC News has reviewed a copy of a note that has appeared on computers that were part of the school district’s network.
The note says it is from an organization called BlackCat/ALPHV, which experts say is well known for employing ransomware attacks.
The note alleges that 500 gigabytes of files belonging to Regina Public Schools have been encrypted and that the group now possesses copies of data ranging from tax reports and health information to passports and social security numbers.
“I think it’s a serious breach. There’s no doubt about it,” said Alec Couros, a professor of educational technology and media at the University of Regina.
What is ransomware?
David Shipley, a cybersecurity expert based in New Brunswick, told CBC News that ransomware is the number one threat to organizations that operate in the digital world.
Ransomware is malicious software that encrypts data so that the information can be held for ransom. The person or group behind the attack then offers to reverse the encryption in exchange for cash or, more commonly these days, cryptocurrency.
“It can also be used to cripple devices and make it just impossible to use the IT systems of a modern organization. It grinds any organization, whether it’s a business, a hospital, a school, to a complete halt,” Shipley said on Friday.
Ransomware can make its way into an organization’s systems in multiple ways, Shipley said.
They can include phishing emails that trick someone into providing access, unsecured remote access to the network or unpatched servers and systems.
Although the school division has said the attack began on Sunday, it has not stated how it began.
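The description above covers what ransomware does (mass encryption of files, followed by a note demanding payment) but not what an administrator would actually look for on a file server while an incident is unfolding. The Python example below is added here as an illustration and is not code from CBC, Regina Public Schools, or any of the experts quoted. It scans a directory for three defender-side indicators: a dropped ransom note, document files with a foreign extension appended, and file contents whose byte entropy is close to the 8-bit maximum, which is what encrypted output looks like. The entropy threshold, the extension lists, the note-name hints and every file in the sample tree are assumptions constructed for the example; the fixture uses random bytes to stand in for ciphertext and includes an ordinary zip archive to show why already-compressed formats have to be excluded from the entropy check.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Tunables below are assumptions for this example, not values from the article.
ENTROPY_THRESHOLD = 7.5          # bits per byte; encrypted data sits close to the 8.0 maximum
SAMPLE_BYTES = 4096              # read only the head of each file to keep a scan cheap
DOCUMENT_EXTS = {".txt", ".csv", ".docx", ".xlsx", ".pdf"}           # normally low/medium entropy
ALREADY_DENSE_EXTS = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4"}  # high entropy by design
NOTE_NAME_HINTS = ("readme", "restore", "recover", "decrypt", "how_to")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """Ransom notes are typically small text/HTML files with 'restore'/'decrypt'-style names."""
    name = path.name.lower()
    return path.suffix.lower() in {".txt", ".html", ".hta"} and any(h in name for h in NOTE_NAME_HINTS)


def scan_tree(root: Path) -> dict:
    """Walk `root` and collect the three indicators; paths are sorted so results are deterministic."""
    findings = {"ransom_notes": [], "double_extension": [], "high_entropy": []}
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if looks_like_ransom_note(p):
            findings["ransom_notes"].append(rel)
            continue
        suffixes = [s.lower() for s in p.suffixes]
        # "grades.xlsx.locked": an ordinary document extension with a foreign one appended
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and suffixes[-1] not in DOCUMENT_EXTS:
            findings["double_extension"].append(rel)
        if suffixes and suffixes[-1] in ALREADY_DENSE_EXTS:
            continue  # compressed media is high entropy normally; flagging it would be a false positive
        with p.open("rb") as f:
            head = f.read(SAMPLE_BYTES)
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            findings["high_entropy"].append(rel)
    return findings


def verdict(findings: dict) -> str:
    """Turn the raw indicators into a triage decision for the on-call responder."""
    if findings["ransom_notes"]:
        return "ransom note present: isolate host, preserve evidence"
    if findings["double_extension"] and len(findings["high_entropy"]) >= 2:
        return "mass high-entropy rewrites with appended extensions: investigate"
    return "no ransomware indicators"


def build_constructed_sample(root: Path) -> None:
    """Constructed fixture: two 'encrypted' documents, one note, one clean text file, one zip."""
    (root / "grades.xlsx.locked").write_bytes(os.urandom(SAMPLE_BYTES))   # random bytes stand in for ciphertext
    (root / "roster.csv.locked").write_bytes(os.urandom(SAMPLE_BYTES))
    (root / "RESTORE-MY-FILES.txt").write_text("Your files are encrypted. Contact us to recover them.\n")
    (root / "attendance.txt").write_text("room 12: present, present, absent\n" * 60)
    (root / "archive.zip").write_bytes(os.urandom(SAMPLE_BYTES))           # dense by design, must not be flagged


def run_demo() -> dict:
    """Build the fixture in a temporary directory, scan it, and return the findings plus a verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_sample(root)
        findings = scan_tree(root)
        findings["verdict"] = verdict(findings)
        return findings


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run on the constructed tree, the scan reports the two `.locked` documents under both the double-extension and high-entropy indicators, the note under `ransom_notes`, and nothing for the plain attendance file or the zip archive. In practice this kind of check belongs on a schedule (or behind a file-change monitor) on the servers that hold grades and personnel records, because the earlier a burst of rewrites is noticed, the less has to be restored from backups.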
BlackCat/ALPHV is a criminal gang previously known as DarkSide, which famously shut down a U.S. pipeline last year.
The response to that cyberattack and the attention it drew has meant rebranding for the organization, which operates on a global scale.
“They’ve got a sophisticated business model, and they’re brutal at what they do,” said Shipley, who describes BlackCat/ALPHV as well-financed and well-resourced.
As of March, the FBI reported the organization had compromised at least 60 entities worldwide through ransomware attacks.
Fears from teachers
The cyberattack against Regina Public Schools has many teachers worried about what kind of data has been exposed, according to Patrick Maze, president of the Saskatchewan Teachers’ Federation.
“There are some concerns around confidential material potentially being breached,” said Maze.
“We know that there’s lots of student data that school divisions maintain and we know there’s also, of course, personnel data … that would contain financial information and personal confidential information.”
The impact on day-to-day teaching is hard to assess. Many of the online tools that teachers became reliant on over the course of the pandemic and remote learning are now gone.
The attack could not have come at a worse time. The school year is ending in Saskatchewan and that means grading is due soon.
Online systems that store grades or allow teachers to record progress are not currently available. Even the program for attendance is offline, forcing teachers to go back to pen and paper.
“It’s a difficult time for staff and we just hope that they’re able to get through this and preserve as much student work and conduct final assessments as efficiently as possible,” Maze said.
What happens now?
Shipley said the school district did the right thing by immediately isolating and shutting down its online systems in an attempt to limit the scale of the attack.
The school division has limited options to get its data back, Shipley and Couros said. Shipley stressed that even if the ransom is paid, there is never a guarantee the data will be turned over.
Other options include rebuilding the entire network off of backups — something that the City of Saint John chose to do in 2020 instead of paying the ransom, estimated to be between $17 million and $20 million worth of Bitcoin.
Shipley said the timeline for rebuilding networks from backups can be weeks or months. Couros said criminal organizations can set long-term deadlines or threaten to delete or leak the information on a short deadline.
“That puts a lot of pressure to act quickly, especially if it is a credible threat, and it makes it very difficult to find out exactly what’s been taken, because you may not know the full extent of the penetration into your systems,” said Couros.
Only Regina Public Schools and the cybersecurity experts they have brought in to assist know what solution they’ve chosen and what timeline they’ve been given by the criminal organization.
Multiple requests for comment left with Regina Public Schools throughout this week have not been returned.