Education

How a Seattle-area school district recovered from a ransomware attack

Network administrators from the Northshore School District, outside Seattle, shared how the district recovered from a 2019 ransomware attack.

By Lindsay McKenzie

August 16, 2022

Five scullers in single racing shells practicing on the calm waters of Lake Washington at dawn in Seattle. (Getty Images)

The Northshore School District, appropriately located on the northern shore of Lake Washington, near Seattle, was the victim of a major cyberattack in 2019.

The incident made national news, headlines that Jon Wiederspan, the district’s network operations manager, said Tuesday still haunt him nearly three years on.

“We first found out about [the attack] at 5 a.m. on a Saturday and we had scheduled an update to our student information system,” Wiederspan said during an online event hosted by the K12 Security Information Exchange. “When the system analysts logged in, the student information system wasn’t there. Instead, there was a page advertising Ryuk.”

Ryuk is a prominent type of ransomware that first cropped up in 2018, quickly building a reputation for targeting government, education and health-sector entities worldwide, racking up $150 million in payments by the end of 2020. (The gang behind the Ryuk malware followed it with another ransomware known as Conti.)

“In cases like this, it’s my job to decide who needs to be woken up. In this case, it was absolutely everybody,” Wiederspan said. “It’s not fun to call your supervisor and say, ‘we think everything is down.'”

As a result of the 2019 incident, many of the Northshore School District’s Windows-based systems were rendered non-operational. Luckily, Wiederspan said, some key resources were running on Linux servers. E-mail and student file storage were also unaffected.

Though many of the tools required for instruction were still operational, Wiederspan said he and his colleagues “knew the damage behind the scenes,” like the system used for sales in school cafeterias.

“We serve 10,000 meals a day,” he said. “We were tracking them by hand for two weeks.”

It took about three weeks to repair access to critical services, including rebuilding the entire active directory domain and restoring file permissions on a server with “millions” of files, Wiederspan said. It would take another three-and-a-half months for the school district to completely recover from the attack.

The school district’s insurer also sent in a group of contractors to oversee the IT recovery, and later another company to conduct a more thorough review. Wiederspan said that assessment, based on the Center for Internet Security’s set of common control, was “a little humbling.”

“There was work in every area that needed to be done to help us avoid this having this happen again,” he said.

Wiederspan said he and his colleagues tackled the easy stuff first. They forced all staff to change their passwords and used guidelines, developed by the National Institute of Standards and Technology, to ensure passwords were more difficult to break. They also deployed better antivirus software, and Wiederspan was able to hire a network security engineer — a position he had lobbied to hire since 2015.

While those simple steps can significantly reduce the risk of a future attack, they are not failsafes. Alexander Delgadillo, the security engineer Wiederspan brought aboard, said administrators and staff are put through routine anti-phishing exercises.

“After high-profile incidents, there’s a period of time when you have a lot of attention — everyone wants to make sure this won’t happen again, but people’s attention starts getting dragged away to other issues,” Wiederspan said. “We have lowered our risk significantly — to the point where I can sleep at night, but the risk still stays after attention has died way down.”