Credit: Tim Evans | MPR News file

Minneapolis Public Schools issued a statement Wednesday afternoon noting that “threat actors” behind an “encryption virus” that shut down many district systems for more than a week could try to coerce the district into paying a ransom to protect data.

However, the district said it has not paid a ransom and that an investigation has not found evidence that any fraud has been committed as a result of the incident.

“The ongoing investigation has determined that an unauthorized threat actor may have been able to access certain data located within the MPS [Minneapolis Public Schools] environment,” said the district’s written statement. “The threat actors may contact employees or staff in an attempt to coerce MPS to pay a ransom.”

The email to families marks the first time the district publicly acknowledged that what it calls an “encryption event” may be connected to a ransom request. It also acknowledged for the first time that external players may have accessed district data.

The district said it will contact affected individuals if it finds that their information was compromised. In the meantime, it encouraged families and staff to refrain from interacting with suspicious emails and phone calls and to monitor financial accounts and credit reports. 

It also recommended that families and staff change passwords “for any personal accounts that you may have accessed on MPS devices.” Threats and suspicious activity should be reported to the district at privacy@mpls.k12.mn.us

The district did not specify what data could have been accessed, but said it’s working with law enforcement on the ongoing investigation. It also noted that third-party “computer specialists” were tapped by the district to assess the incident and to help district information technology staff restore the district’s computer systems with information that had been backed up.

The district first reported “technical difficulties” on the evening of February 20, canceling scheduled parent-teacher conferences and Minneapolis Kids child care for the following day. Then the district announced it would hold three days of e-learning for February 22-24, citing an impending snowstorm. Due to a fluke of timing, the technical issues did not cause any missed instructional days; programs needed for e-learning still worked. 

On February 24, the district announced that the technical issues were caused by an “encryption event,” but did not provide more specifics.

“I can’t think of anything an ‘encryption event’ could be besides a ransomware attack,” said Brett Callow, a threat analyst for the cybersecurity firm Emsisoft.

Students returned to school on February 27. However, at some schools the password reset process took several days. And several teachers told Sahan Journal on Wednesday that they are still locked out of the programs they need to access attendance, grades, and family contact information. Some are also struggling with printing.

Education Minnesota, the statewide educators union, said it provides a free identity theft recovery plan to all its members, including those in the Minneapolis Federation of Teachers and Education Support Professionals. 

At least 45 school districts nationwide were “impacted by ransomware” in 2022, according to a report from Emsisoft. One of those districts was the Elk River School District 30 miles northwest of Minneapolis. Larger urban districts were targeted too, including the Los Angeles Unified School District—the second largest district in the country. Of those 45 cases, three reportedly paid a ransom.

What is ransomware? Why are school districts being targeted? And what steps should you take if your school district is impacted by ransomware? 

Sahan Journal spoke with Cliff Steinhauer, the director of information security and engagement at the National Cybersecurity Alliance, to learn about this growing problem and how you can protect yourself. The alliance is a nonprofit based in Washington, D.C., that advocates for the safe use of technology.

This conversation with Steinhauer has been edited for length and clarity.

To start, can you just give us a definition: what is ransomware?

Ransomware is a type of malware that encrypts the files on a system, making them inaccessible to the user and typically a ransomware virus or malware will ask for payment for encryption key that you can enter to decrypt your files. So, it’s a very common type of attack that we’ve been seeing over the past several years that targets organizations to try to get money from them. 

There’s another aspect to ransomware where extortion could be part of it. For example, if they have a backup of their data, they’re able to restore their systems without paying for the encryption key. The threat actor could come back and say, “We’re going to publicize the data that we took from you unless you pay us the ransom.” So, there’s a two-pronged threat to it.

Is it safe to say at this point that this is what happened here?

I can’t comment for sure, but I’ve never heard of an encryption event or an encryption problem before in terms of impacting a system like this that wasn’t ransomware.

Why are people trying to get ransom from schools? 

Threat actors will target systems that they know are critical to be operating. So, for example, hospitals, schools, or other critical infrastructure. They know it’s important for the school to operate, just like it’s critical for a hospital to be able to operate. 

So, the idea is that the availability of that system is super, super important. And they believe that by targeting that type of organization, they’re most likely to be paid because it may be the quickest way to get the system back online.

So they sort of expect that people will feel an urgency about getting this fixed, and therefore they see a higher likelihood of receiving a ransom.

Correct.

In this case, it seems like there was some sort of malware that encrypted a lot of data from Minneapolis Public Schools. They had to restore it from backups. And now they’re saying it’s an encryption virus and they didn’t pay the ransom. So, what does all of this mean for the personal information of staff and families and students?

They haven’t indicated what data, if any, was accessed yet. So, we don’t really know that until they complete their investigation. And I will say that the priority of a team like this would be to restore the system primarily, make sure the malware is out of the system. And when they do their forensic analysis, they will look for locations of what data was accessed and what data may have been taken. 

Depending on the sensitivity of that data, it becomes, whose data was it? What was the data, and then how do we notify people about what to do? So, it’s a little early to say what it could mean.

I think the best thing to do is to just be vigilant. One thing that [the district] said was, if you used school system technology to access an account, you may want to consider resetting the password on that account. Think about what accounts are accessed using school systems. Start there with the most important accounts and reset passwords and go from there. 

They do mention potential phishing and social engineering scams. So, that’s where you want to watch out for somebody contacting you looking for account information or your personal information to potentially fill in gaps in data that they may already have.

A lot of times with a breach like this, you’ve got threat actors receiving data and they may or may not have complete access to what they’re looking for. We really have to wait and see.

So, it sounds like part of the issue with phishing is, if you’re a “threat actor” and you have some partial information, but you know you could do more damage with additional information, you could reach out to individuals to try to get a complete picture.

Exactly. So, they can create a phishing email that links to a fake login page to try to get your password. There’s a good chance with most systems that email addresses are part of the data that’s accessed, so it’s easy to send emails to the victims.

Some things you can do to try to mitigate those: 

  • Be wary of emails with links from entities that you don’t know or don’t recognize. 
  • Turning on multi-factor authentication on your accounts, so that if a threat actor were to get your password, there would be an extra layer of protection in there—requiring you to enter a secondary code to get into your account.
  • Making sure that you’re not reusing passwords across different websites, and that your passwords are long and complex and unique. If a threat actor gets your password to one website, they’re likely to try that password on other websites using the same email address. So, it’s important to have unique and complex passwords that aren’t easily guessed and that aren’t reused.

How will people know if their information has been compromised?

It can be hard to know. There’s a website I like called haveibeenpwned.com. You can put in your email and find out if you’re in a published data breach. There are other ways such as identity theft monitoring. There’s some identity theft monitoring that has what they call dark web monitoring, so they’ll alert you if they see an account posted on the dark web. 

You may see unusual login activity. You might get an email that says, “Was this you? Are you logging in from this location that you don’t normally log into?” You may see social media account activity that you didn’t actually post, or your friends might be telling you that something’s going on with your social media accounts.

There’s a lot of different ways that you may be made aware. There’s also the fact that you may not know for a long time, because these threat actors could post the list and it may not get used for quite a while until somebody picks it up and decides to do something with it. So, just being vigilant on your accounts and watching out for notifications that would let you know that something’s going on.

Let’s talk about the timeline. How long does it usually take before information might be posted on the dark web? What sort of timeline should people expect for what happens next and when they should be vigilant?

I would say everybody involved should be vigilant right away. Keep an eye on your accounts. And if anything looks unusual, be sure to report it and try to mitigate that as soon as possible.

Threat actors know that time is of the essence. When they get good information, they’re likely to act on it quickly because they know that alerts get sent out and activity is seen.

Again, I would say anything that you accessed with a system linked to this is a potential issue. So, if you were accessing your bank account on a school computer, for example, you may want to go ahead and reset the password on your bank account, for social media, and so on and so forth. 

But it is a little bit soon to know. because we don’t know what was on the systems that were accessed, and what those systems might have on them.

What kind of timeline do you think is reasonable to expect for the district to complete its investigation and let people know what’s going on?

That can really vary on a lot of things. It can take a long time.

I think making sure that your accounts are locked down and following best practices of two-factor authentication, changing passwords, and just watching for unusual activity on your accounts are the best thing that people can do right now to ensure they’re safe.

They may not know everything that happened. That’s likely the case. Threat actors cover their tracks, they delete the logs. They have ways to make it very, very difficult to figure out what they accessed or how they did what they did. So, it can be a really difficult thing to actually unpack everything that might have happened.

If you’re a Minneapolis staffer or student or parent, what should you be doing right now if you think your information may have been compromised?

  • Update your passwords. Be sure they’re strong and unique. 
  • Turn on multi-factor authentication.
  • Watch your accounts. Watch for activity on your accounts, your social media, your email, anything like that. Any unusual requests for your login information and things like that should be treated with extra skepticism right now, especially systems and accounts that were accessed using school technology.

What steps should other school districts be taking to make sure this doesn’t happen to them?

Going through your incident response program, making sure that you’ve tested it. Tabletop exercises are a great way to do that. Making sure that you have strong backups, that you can restore from your backup. Making sure that long and unique passwords are required to access your critical systems. Two-factor authentication being turned on for access to your systems. 

Antivirus software on your endpoints. Keeping your printing systems and software up-to-date. Making sure that you’re not using “end of life” hardware or anything that doesn’t receive security updates anymore. Regularly testing your environment to make sure that you are aware of where your data is and that it’s backed up and that it’s protected.

Why do you think this happens so often? What needs to be done to address this problem at more of a macro level?

The truth is security is really, really hard for everybody. Especially for organizations that aren’t as well funded as, for example, large banks who have the funds to run very, very robust cybersecurity programs.

The National Cybersecurity Alliance has a lot of advice on our website, staysafeonline.org, with some of the things that small- and medium-sized businesses should be doing to protect themselves.

A lot of them are going to say things we’ve been talking about, like using multi-factor authentication, making sure your data is backed up, strong and unique passwords, and keeping your software updated. Those are some of the basic things that are going to raise the bar for most organizations. 

The truth is that threat actors are always looking to find new victims. They’re well-run businesses, effectively, who, to make money, need to continue to fund whatever they’re funding. And this threat isn’t going away anytime soon.

Becky Z. Dernbach is the education reporter for Sahan Journal. Becky graduated from Carleton College in 2008, just in time for the economy to crash. She worked many jobs before going into journalism, including...