Doug Russell, the IT director for the city of Haverhill, was sleepless in the wee hours of April 8, which turned out to be fortunate. He caught an alert on his phone when the school district’s computer system suddenly crashed.
A former firefighter, he hopped in his red pickup to check out the district servers at City Hall. "We got in, we saw that, we realized what it was and we were like, 'Whoa,'" Russell said.
A ransomware demand popped up on a screen. There was no skull and crossbones: in very businesslike terms, the cyber attackers said they would unencrypt the schools' computers if a payment was made.
Bad actors in cyberspace have targeted public schools during the pandemic. The technology that has allowed so many students to continue their education at home after schools closed is also more susceptible to pitfalls like ransomware attacks. Federal officials at the Cybersecurity and Infrastructure Security Agency say that problem, once the scourge of hospitals, municipal governments and police operations, is reaching new heights in schools.
"We are definitely backs against the wall fighting against nation-state and other adversaries that are continually and persistently trying to infiltrate government and municipality networks," said Don Benack, deputy associate director of vulnerability management, part of the Department of Homeland Security.
Benack says the nation is in the midst of a ransomware explosion, as attackers who are part of sophisticated international crime rings with millions in assets seek out vulnerable systems. Even a person lacking tech savvy can go online and buy a ransomware hit.
"Kind of like going to McDonald's and ordering a Big Mac," he said. "You can go in an order of a ransomware attack and leverage it."
In addition to making it harder for federal officials to trace, a purchased ransomware attack outpaces places like Haverhill, where the biggest item on the City Council's recent agenda was a plan to install new sidewalks.
In Massachusetts, Springfield and Rockland have also fended off ransomware attacks — at least, ones that become public. Many aren't revealed because districts pay off a ransomware demand or have insurance that does.
Paul Foster, Springfield's IT director, said 25,000 students in his district lost a half day of school last October after a ransomware hack forced officials to send students home at midday. Foster said he and his staff scrambled to get backup systems running so students could return to remote learning the following day.
"In a pre-COVID environment, school systems wouldn't have been as valuable as targets, because, you know, to be honest, school systems were sort of behind the times on technology in many ways," he said.
The pandemic, Foster said, "probably made us juicy targets."
Doug Levin, national director of the K12 Security Information Exchange, a nonprofit that helps schools share cyberattack strategies, said more than 50 ransomware attacks on school districts were publicly reported in the United States last year.
"We're seeing large amounts of money being stolen from schools, extorted from schools," he said. "We are seeing schools having to be closed for a week or more because of cybersecurity incidents."
The latest twist is the theft and sale of data, leaving students and their parents to find out months after an attack that their personal information has been compromised.
"We're seeing data being stolen from school districts, not only of students, but of employees, and, in very short time, having that personally identifiable information being used for identity theft and credit fraud," Levin said.
That's occurred in cases where districts have paid the ransom.
Leslie Torres-Rodriguez, the school superintendent in Hartford, Conn., testified in December before the U.S. Senate Committee on Homeland Security and Governmental Affairs that an attack on her district was so debilitating the city needed help from the National Guard to recover.
The ransomware demand came on the district's first day back last fall and caused the reopening to be postponed. Seventy terrabytes — or about 600 iPhones' worth of storage — needed to be restored. Consultants were hired to speed the process, but thousands of students still had to go without devices for weeks. The district lost access to financial management software for more than two weeks, including payroll operations.
"We serve communities that have high concentrated levels of need," Torres-Rodriguez said, "and so every minute of every day matters to us in terms of having access to instruction."
In Leominster, officials paid a $10,000 ransom in Bitcoin to reopen its schools three years ago. Earlier this year, attackers demanded $40 million from Florida school officials in Broward County, the nation's sixth largest district.
Benack says the federal cybersecurity agency does not recommend paying a ransom. "Whether it's through an insurer or out of pocket. It just enables the ecosystem," he said.
IT experts say criminal hackers usually gain access to a system with a phishing attempt. It takes just one system user to click on a link that's not secure for access to be compromised.
A report last fall by the U.S. General Accountability Office on cyberattacks on schools found that educational institutions are putting students at risk. Student social security numbers were the second-most compromised information in cyberattacks, second to the theft of student grades and records.
In Haverhill, eighth-grader Keelin Russell got ice cream on a recent weekday, happy to be done with school in a year unlike any other. First, she was learning remotely during the pandemic, isolated from friends, then received news that a mysterious cyber threat had canceled classes altogether.
"We were weirded out that our [online] classrooms weren't working," she said.
Haverhill's IT officials, in consultation with the Superintendent Margaret Marotta and Mayor James J. Fiorentini, ignored the ransom request and reinstalled their backups.
IT staff were able to get students back to school in a day while beginning the long process of cleaning and reimaging thousands of computers, laptops, whiteboards and other devices.
"We're still dealing with it, we still got months of work to do," Russell said. "But the average person doesn't really see that now."
Editor's note: This story has been updated to clarify Don Benack's professional title.
