The recovery from a cybersecurity attack on the San Felipe Del Rio Consolidated Independent School District’s servers continues, but administrators admit that the system has not yet been fully restored.
“We literally fight thousands of hits every hour, but as we were doing a cybersecurity migration on Feb. 8, one of them got through. Fortunately, we had technical resources that were already engaged in the system, they identified it and started making some calls,” school district Chief Operations Officer Les Hayenga said during Monday’s regular meeting of the board of trustees.
The school district was hit by the RYUK malware, a ransomware that encrypts and blocks access to a system, device or file until a ransom is paid.
Through the district’s review process a ransom note was not found, according to Hayenga. “Typically there is a ransom note that would come up on the computer screens,” Hayenga said.
A consultant identified the malware infiltration between approximately 2:30 and 3 a.m. on Feb. 8 and contacted Hayenga. From there, the superintendent, board of trustees, Texas Association of School Boards and others were notified of the situation, according to Hayenga.
“Time was of the essence when this happened,” Hayenga said.
Known infected areas were immediately disconnected, according to Hayenga, who added that the anti-virus the school district uses prevented the malware from being fully executed.
Four locations were identified as high risk and were disconnected from the internet; further investigation led to the removal of high-risk computers from the network, according to Hayenga.
“As we identified some that didn’t have the protection, we disconnected them from the servers,” Hayenga said.
The attack left the following unavailable to district employees and students throughout the week, according to Hayenga: Active Directory infrastructure; support servers, specifically domain controllers; network file storage, specifically staff and student folders; district printing services; district computer labs, specifically virtual desktops; internal I.T. management systems; and approximately 300 workstations.
Systems still pending restoration at the time of the meeting were student V and T drives, network file storage for staff, approximately 150 workstations and internal I.T. management systems, according to Hayenga. V and T drives are storage spaces within computers used to access data.
Recovery for the pending items was estimated at 280 hours in total, Hayenga said. No timeline in terms of days or weeks was specified.
San Felipe Del Rio Consolidated Independent School District Board of Trustees President Raymond P. Meza asked if the attack affected the robotics team, Team 4063, also known as the “Bunnies” and TrikZr4Kidz.
The robotics team is located in the Gerardo J. Maldonado Career and Technical Education Center, and the V and T drives are primarily used by students at that building.
Hayenga did not know how much this affected the robotics team and added he was meeting with Career and Technical Education Director Roger Gonzalez later on.
Board member Alfredo Contreras asked if an outside auditor will come in and inspect the district’s firewalls, weaknesses and so forth.
Many vendors across the state have contacted the school district, but the district has not yet acted on those contacts. According to Superintendent Dr. Carlos Rios, Hayenga would need 30-45 days before providing a recommendation to board members.