The malicious actors behind a ransomware attack against a school district in Texas attempted to extract payment this week with what one analyst said appears to be an entirely new tactic: emailing parents of students with a threat that if school officials do not pay up, their kids’ personal information may be published online.
“We have been reading news and watching the video in the news article … with feeling of frustration for how your EDUCATION PROVIDER care about your data and personal life,” reads the email. “We can understand that they try to fool us, but they do same effective with you.”
Allen ISD, which serves nearly 22,000 K-12 students about 30 miles north of Dallas, acknowledged Sept. 28 that it had been the victim of a ransomware breach that earlier in the month disrupted a handful of systems — including the GPS routing software that guides school buses — and brought an extortion attempt threatening the release of staff and students’ personal information on the open internet.
School officials have refused to pay the hackers’ demands, and have also told local media there’s no evidence its data was exfiltrated. But the direct communication with district employees and students’ parents is a chilling twist that may represent a new tactic in ransomware attacks against the education sector, said Doug Levin, national director of the K12 Security Information Exchange, a group that monitors cyberattacks against schools and issues policy recommendations.
“The notion that a threat actor is contacting parents is definitely a shift in tactics and escalation in how ransomware actors are trying to extort school districts in particular,” Levin told StateScoop. “This is a new tactic, and I don’t think this is something a school district ever anticipated. They’re put in a very hard position trying to reassure community members that all the data and information they have about students and families is safe.”
Ransomware criminals threatening to leak their victims’ sensitive information is a near-constant feature of attack, but those messages are typically received by a victim organization’s system administrators, not customers — in this case, parents of school-aged children, Levin said.
“[Allen ISD is] really between a rock and a hard place,” he said. “They don’t want to reward the criminal for this extortive behavior. At the same time, parents would probably encourage the district to do whatever it takes to protect the children.”
The message, which was sent Monday, also opens with a greeting of “Howdy,” an apparent acknowledgment by the hackers that their intended victims are in Texas.
“These threat actors will follow the media coverage about how the incident is being portrayed,” Levin said. “If the threat actors don’t feel like the district is fully truthful, misrepresented situation, they have been known to escalate.”
With the message to parents, though, Levin said this latest incident is partly reminiscent of misdeeds committed by the Dark Overlord hacking group, which targeted organizations — including U.S. school districts — by personally threatening to leak employees’, parents’ and students’ personal information. But those crimes were more about sowing chaos with law enforcement, whereas ransomware is financially motivated, Levin said.
But the message to Allen ISD parents is ominous, he added.
“It’s concerning and I can see how it might work,” Levin said. “The broad arc in school cybersecurity is that we are seeing threat actors catching schools in a really wide net, but it seems they’re targeting schools, doing research. This indicates some sophistication in finding points of leverage. When you’re threatening their kids’ safety, that’s going to create some waves.”