LAUSD

What to Know About the LAUSD Ransomware Attack

The LAUSD has set up a hotline for parents with questions after student, staff and business files taken in a failed ransomware attack began to appear on the dark web.

NBCUniversal Media, LLC

Thousands of files apparently stolen last month in a ransomware attack on the Los Angeles Unified School District were released on the dark web over the weekend.

The threat has been a major concern for the nation's second-largest school district since Labor Day Weekend, when a cyber intrusion forced school district officials to take the extraordinary step of shutting down most of its computer systems and ask students and staff to reset their district passwords.

The ransomware gang posted last week that it intended to release the stolen files on Tuesday, then later posted an updated message with a link to the files.

The Vice Society site included a message Sunday that said, "CISA wasted our time, we waste CISA reputation," near a link to download the LAUSD files. CISA is the acronym for the federal cyber-security agency that published a national warning in early September about Vice Society targeting educational institutions.

Here's what to know about the attack, release of the files and what parents should do about it.

What kind of LAUSD files were made public?

The files made public on the Vice Society group's known website included some confidential psychological assessments of students, contract and legal documents, business records, and numerous database entries, according to a law enforcement source familiar with the investigation.

Some of the data appeared to contain personal identifying information, including some social security numbers, the source said.

The attack temporarily interfered with the LAUSD website and email system, but district officials said at the time that employee health care and payroll were not affected, nor did the hack impact safety and emergency mechanisms in place at schools.

In a press conference Monday, Los Angeles Unified School District Superintendent Alberto Carvalho said that about two-thirds of the files that were uploaded have been reviewed. He said that at this time they have not found any evidence that there is widespread employee information that has released.

"Our assumptions regarding what this data included, have been prove to be correct assumptions. We have not seen widespread evidence," Carvalho said.

He also explained that they do not believe that any critical student information was released such as psychological reports. A lot of the information appears to have come from older data sets.

Carvalho explained that the district's level of concern has de-escalated at this point after agencies have reviewed files that were released.

Following the hack, the district contacted federal officials, prompting the White House to mobilize a response from the U.S. Department of Education, the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, according to the LAUSD.

Did the LAUSD respond to the group's ransom demand?

Los Angeles Unified School District Superintendent Alberto Carvalho called the ransom demands "absurd" and "insulting," according to a report in the Los Angeles Times.

"We can acknowledge … that there has been communication from this actor (hacker) and we have been responsive without engaging in any type of negotiations," he earlier told reporters. "With that said, we can acknowledge at this point… that a financial demand has been made by this entity. We have not responded to that demand."

He did not provide specifics about the demand.

"What I can tell you is that the demand -- any demand -- would be absurd," he told the Times. "But this level of demand was, quite frankly, insulting. And we're not about to enter into negotiations with that type of entity."

In a tweet Monday morning, Carvalho said, "I understand there will be many opinions on this matter but, simply said, negotiating with cybercriminals attempting to extort education dollars from our kids, teachers, and staff will never be a justifiable option. LAUSD refuses to pay ransom."

In a press conference Monday, Carvalho emphasized that the district did not entertain any negotiations.

What should parents of LAUSD students do?

Carvalho tweeted a statement on behalf of the school district in response to the posts that included a hotline parents and staff can call with questions.

"Thank you to our students, families and employees for doing their part in the ongoing recovery from this cyberattack," Carvalho said. "We have set up a hotline, available starting tomorrow morning at 6 a.m. PT. This hotline will assist those from our school communities who may have questions or need additional support."

The hotline is available between 6 a.m. and 3:30 p.m. PT, Monday through Friday, by calling 855-926-1129.

In a statement Friday, the district said updates will be provided when they receive "relevant information."

"To our school community and partners, we will update you when we have relevant information and notify you if you personal information is impacted, as appropriate," the district said. "We also expect to provide credit monitoring services, as appropriate, to impacted individuals.

"Los Angeles Unified remains firm that dollars must be used to fund students and education. Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate. We continue to make progress toward full operational stability for several core information technology services."

A dark web and international cybercrime expert talks with NBC4 about what the dark web is and why attacks on schools are becoming so popular.

What is a ransomware attack?

ransomware extortion attack in Albuquerque’s biggest school district forced schools to close for two days in January. That district's superintendent said the shift to remote learning during the pandemic offered more ways for hackers to access the district’s system.

Ransomware cost American victims an estimated $1.4 billion in 2020, the first year of the pandemic. The attacks usually involve hackers breaking into private computer systems in an effort to encrypt or sometimes steal files to hold for ransom.

"It's happening becuase there's this sort of other internet that's out there," said cybercrime expert Chris Mattmann. "It's called the dark web. It's existed for almost a decade. It was invented by the Department of Defense. As with a lot of great tools that have a noble purpose, it can be re-purposed in bad ways."

Hacked data stolen from school systems and other entities is then placed on the dark web.

"The dark web isn't crawled or scanned like Google as often," said Mattmann. "It's not the broad scale internet that normal search engines search.

"Because of that, it provides a good forum for them to hide things to sell and trade in wares."

Contact Us