An Hour-By-Hour Account of One District’s Cyber Attack Nightmare
The first sign something was wrong came courtesy of an alert that Joel Handler received notifying him that his district’s Student Information System (SIS) was offline. It was 8:35 p.m. on April 11, 2021, and Hillsborough Township Public Schools’ spring break was coming to an end.
After receiving the alert, Handler, the district’s director of technology, and one of his staff members started trying to determine what was wrong with VPN access from their home computers.
At 9:15 p.m. the SIS came online and it was instantly clear that the district had a bigger problem than a web outage on its hands. Instead of the normal homesite, there was a message from hackers. The word “Ryuk,” the name of ransomware software inspired by a character in a popular manga series, was in the center of the screen, and in the bottom right corner of the screen were the cryptic words, “balance of a shadow universe.”
What followed was a whirlwind 24+ hour period during which Handler and his staff tried to work with law enforcement and school leaders to protect student information, minimize disruptions to teaching, and learn how to better prepare for the future.
Ever since this harrowing experience, Handler has shared the story in the hopes it will help other districts better prepare for the increasing risk of cyberattacks.
Here is an hour-by-hour look at how one district survived a cyberattack.
Before The Cyber Attack
Hillsborough Township Public Schools’ is a Central New Jersey suburban district with 7,350 students and 1,000 staff members spread across nine schools. At the time of the attack, Handler’s IT staff consisted of two systems engineers, one systems integrator, and one SIS database manager, as well as five field repair technicians. On the education side, the district had one technology integration coordinator and nine tech coaches.
During The Attack
9:15 p.m., April 11: Panic Mode!
Googling “Ryuk,” Handler learns it is ransomware software. “We start panicking,” Handler says. They start to try and assess the damage, but no school server is working and they worry that engaging any through VPN with their home computers will infect their home computers as well.
9:43 p.m., April 11: Sounding The Alarm
A little more than a half-hour into the crisis, Handler gets on the phone with the district’s business administrator and superintendent to bring them up to speed. The extent of the hack is still unclear at this point.
10-11 p.m., April 11: Pleas for Help and Damage Control
“We’re basically reaching out for help,” Handler says. “We don’t really know what to do to stop this.” Handler starts calling law enforcement agencies, including the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), the Multi-State Information Sharing Analysis Center (MS-ISAC), and the FBI, but since it is Sunday night, no one is answering. The state police do pick up and give him numbers for cybersecurity divisions and experts to call but when he does he still only gets voicemails. “Nobody’s there,” he says.
Meanwhile, the superintendent has started contacting Board of Education representatives, union leadership, and preparing community communications. The Business Administrator also calls the district’s cyber insurance policy holder and makes sure all the district’s bank accounts are frozen in case the hackers have gained access.
Team members begin to worry that the digitized HVAC systems at the schools might be compromised. “No one really thinks about this,” he says. “But all of our facilities, they're all interconnected. So are they attacking our schools with the intent to do physical damage?”
(Thankfully, this fear would turn out to be unfounded.)
12:15 a.m., April 12: Shut it Down
After a series of meetings with school officials, Handler hears from MS-ISAC and they advise him to shut down everything he can. “We went into the school, myself and one of my operations guys who lives in town, and we physically shut down our server, and that was one of the most eerie sounds I've ever heard.”
12:48 a.m., April 12: No School
School for April 12 is canceled and because all the digital tools the district uses are potentially compromised, thus virtual school is not an option.
1 a.m., April 12: Final Meeting of the Night/Early Morning
The district’s operations team holds its final meeting of the night and makes plans to further assess and address the damage for the following day.
6 a.m., April 12: Operations Team Meeting
A message from the hackers on the server has been found saying they will be in touch shortly.
6 a.m. to 11 p.m., April 12: Starting to Figure Out What Happened
Throughout the day, Handler and other school employees begin to start the recovery process. It’s determined that the hackers have not accessed personal devices connected to the school’s servers, but district-wide password resets are initiated. The district decides that the next day of school will be a virtual day, and Handler and his team are figuring out things as they go.
April 13-April 16: Virtual School and Analysis
The operations team focuses on an attack analysis and restore process. Restoration is a slow process that takes place server-by-server, and each server is hardened from a cybersecurity standpoint as it is reconnected.
April 19: In-Person School Resumes and Return to Normalcy
In-person school resumes and most services are fully restored. Handler and his team had determined early on, within the first 24 hours, that they had a stable full backup, so there was no need to consider paying the ransom to recover school data.
After The Attack
Lessons Learned
The process was long, difficult, and more multifaceted than could be summarized in this story but as operations returned to normalcy, Handler says they learned a number of important lessons – including ones you’d expect and others that are more surprising.
“As a tech director, I was in the middle of three different entities,” Handlers says. Law enforcement agencies were looking at the attack as a crime scene and didn’t want him to erase any data that could be helpful in tracking the origins of the attack.
Next, “My superintendent, the board of ed, they were like, ‘Let’s get the kids back in school,’” he says. “Finally, you had your business administrator and cyber insurance firm and they’re all like, ‘Get us back up and running without spending any money.’”
Educators who have the misfortune of finding themselves in this situation should, “Expect the unexpected,” Handler says. He adds it is vital to have a point person in charge of updating staff and the community, to let the IT team focus on fixing the problem.
Cause of The Outbreak And Changes Going Forward
“A student account was compromised on a gaming site or something out there,” Handler says. The student used their school login and username for that site and when it got compromised, the hackers used that information to log into the student’s school account. From there, they were able to infiltrate the system.
Since the attack, Hillsborough Township Public Schools has implemented a number of new updates to its cybersecurity procedures, including multifactor authentication requirements for all staff, implementation of endpoint detection and response, more phishing training efforts, and many other new interventions.
However, Handler also knows it’s important to have a plan for if these efforts fail, as no cybersecurity system is foolproof. Having set procedures in place ahead of time for when a district is the victim of a successful cyberattack can lessen the fog of war Handler and his district experienced.
“There's a lot of good stuff out there that talks about how to prevent ransomware attacks,” Handler says. “There’s no good playbooks out there for as the attack is happening.”
And as Handler knows from experience, you don’t want to be searching for those playbooks after hackers have successfully stormed the gates and are inside your network.
To share your feedback and ideas on this article, consider joining our Tech & Learning online community here.
