Monday, May 15th, 2017

Technical Services Cyber-Attack Report

Hacking Protocol Addressed

As everyone is aware, our network was one of the many systems that fell victim to last Friday’s worldwide cyber-attack. Fortunately, the Technical Services team responded quickly and took the proper steps to protect the vast majority of the district’s data. Their quick and accurate response minimized data loss and prevented what could have been a large-scale technology disaster. Below is a synopsis of the chain of events that went into motion once we became aware of the virus.

  • Early Friday morning our server engineer observed an issue with one of the Exchange email servers. He remotely logged in and quickly found the server had been infected with the Wanna Encryption virus. Our team confirmed the virus was on other computers.
  • The virus was crafted to attack certain Windows operating systems, so the district’s iPads, Chromebooks, and other devices that do not use Windows were not affected; only PCs were.
  • Not knowing how the virus was delivered or what mechanism it used to spread, we decided to disconnect our internet access district-wide.
  • Our next step was to isolate all of our critical backup data stored at our Data Recovery Center, which is located at the Communication Building (Tower Site). Around 8:00 a.m. we disconnected the link to this site. Also, as a preventative measure, we took all of our close to 500 servers offline.
  • After taking steps to minimize the chances of the virus spreading, we began assessing the damage and planning how best to restore services. Our server engineer focused on evaluating servers, and the network team began researching the actual virus.
  • Several of our servers were found to be affected. On Friday we started the process of cleaning out the virus and then restoring data to the servers. This process continued through Saturday and Sunday.
  • Late Friday our research pointed us to a Microsoft Windows security patch that should prevent the virus from being installed. We tested this patch on Friday evening and planned the deployment method.
  • Early Saturday we brought in several computer technicians and network technicians to start deployment of the patch. Installing patches on three computers per facility would then allow our system to automatically push out the patch to the remaining computers.
  • Early Sunday we became aware of the discovery of the “Killswitch.” A cybersecurity researcher in the UK, with the help of Darien Huss from security firm Proofpoint, found and inadvertently activated a “kill switch” in the malicious software. He registered a domain name the software was pointed to. Once the malicious software was able to reach this domain, it would stop spreading. Since our internet was still offline, our computers were not able to take advantage of the Killswitch. Our team spoofed this domain name and entered it into our Domain Name Server, which prevented the virus from spreading while the internet was down.
  • By early Monday morning we had restored the majority of services including Internet, Email, Munis and Skyward.
  • We have intentionally restricted all Private Network Folders to be “read only” to protect files from any computers with the virus. Users can copy a file from their Private Network Folders and work with the file on their local computer until write access is restored.
  • Our next focus for this week will be to gather data on how many and which computers were affected and to begin the cleanup process of all affected computers. This will involve completely removing the virus and all encrypted files. It could also include a complete reimage of the computer. Depending on the number of computers infected, this process could carry through to next week.
  • When all services are restored and things are back to normal, our team will have an internal meeting to discuss and review how we responded to the crisis. We will also review what measures could be taken to prevent any future attacks. We will study our current processes to see where we can improve.
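
Once the kill-switch name is answered by an internal DNS server, that server's query log also shows which computers asked for it, which gives a starting list for the "how many and which computers" cleanup step. The sketch below is an added example, not the district's own tooling: the domain is a placeholder (the report does not name it), and the log format and sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Placeholder: the report does not name the kill-switch domain.
SINKHOLED_DOMAIN = "killswitch-placeholder.example"

# Constructed log format: "<ISO timestamp> <client IP> <query type> <query name>"
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)$")

# Constructed sample input (not real district data).
SAMPLE_LOG = """\
2017-05-14T09:02:11 10.20.1.15 A www.example.org.
2017-05-14T09:02:40 10.20.1.77 A killswitch-placeholder.example.
2017-05-14T09:03:05 10.31.4.9 A KillSwitch-Placeholder.Example
2017-05-14T09:04:52 10.20.1.77 A killswitch-placeholder.example.
malformed line without fields
2017-05-14T09:06:13 10.31.4.200 AAAA notkillswitch-placeholder.example.
2017-05-14T09:07:30 10.20.1.15 A mail.example.org.
"""


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def suspect_hosts(log_text, domain=SINKHOLED_DOMAIN):
    """Map each client that queried the sinkholed domain to its hit count and time window."""
    target = normalize(domain)
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the triage
        ts, client, _qtype, qname = m.groups()
        if normalize(qname) != target:
            continue  # exact match only, so look-alike names are not counted
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue  # unparseable timestamp: treat as malformed
        entry = hits.setdefault(client, {"count": 0, "first": when, "last": when})
        entry["count"] += 1
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    return hits


if __name__ == "__main__":
    for ip, info in sorted(suspect_hosts(SAMPLE_LOG).items()):
        print(f"{ip}  queries={info['count']}  first={info['first']}  last={info['last']}")
```

A client appearing in the output is a candidate for inspection, not proof of infection, since a technician looking up the name by hand produces the same log entry.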