The San Felipe Del Rio Consolidated Independent School District is recovering from a recent cybersecurity attack.
The school district was attacked by malware known as RYUK early Saturday morning, according to a press release. The malware is a type of crypto-ransomware that uses encryption to block access to a system, device or file until a ransom is paid.
“We have not identified a true location where it’s coming from; we do have some areas we’re looking into,” Chief Operations Officer Les Hayenga said.
The malware is often dropped into a system by other malware or gains access to a system through remote desktop services. The malware affected some of the district’s servers providing storage for the district’s network shares and printer servers, according to the school district.
“Within an hour (of the attack) we had boots on the ground and we were starting to engage in the situation,” Hayenga said.
The malware could attack any computer and is designed to attack government agencies. Had the attack taken place sooner, without the proper anti-virus protection, the school district would have been in a worse scenario, according to Hayenga.
At the time of the attack, the school district was two weeks into deploying a cybersecurity solution, Hayenga said.
“That investment helped tremendously in reducing the risk and the impact it had on us,” Hayenga said.
“We were two-thirds of the way on our deployment for our cybersecurity solution … We were two weeks into the deployment right toward the end when this happened,” Hayenga said.
“The SFDRCISD Technology team coordinated efforts with Dell cybersecurity engineers and response teams on Saturday to efficiently assess what was not working and collaborated with the FBI to identify whether a breach involving sensitive, protected, or confidential information had occurred. Once the issue was identified, all teams immediately began the full restoration process of the affected servers,” the district said.
Hayenga set into motion the school district’s cybersecurity plan, allowing the technology team to isolate the malware and secure the district’s cyber infrastructure against any further risks.
As the restoration of the district’s cyber infrastructure continues, Hayenga added that personally identifiable information of staff and students was not exposed to risk.
“It’s a fluid situation that we’re working through, but we feel at this point it has been contained,” Hayenga said.
Hayenga added that, as restoration continues, the cyber infrastructure is updating each hour, with some services still offline or with limited access at some district campuses or departments.
“Since Saturday, we’ve been able to bring things back online a lot of our main systems that are used to function. That’s allowed us to bring up our critical systems of fire alarm systems, intercoms, all of our communications; e-mails, phone, all the things that we need to operate school and be safe about it,” Hayenga said.
By Monday, the technology team was still restoring the cyber infrastructure. Superintendent Dr. Carlos Rios previously said full restoration would take a few hours to a few days.
School district personnel were advised to follow protocol, such as contacting the IT department with questions and not installing personal items onto the school system, according to Rios.
“We took the opportunity just to remind them (school staff), not that we feel the virus entered through any one of those methods that we indicated, but just out of abundance of caution. We also mentioned, even though we have no reason to believe any personal information was compromised, we did encourage them to monitor their bank accounts; that’s just out of caution,” Rios said.
Everything will continue as normal within the school district, according to Superintendent Dr. Carlos Rios.
“To say that in two days, all of this will be forgotten is probably not accurate. But, there’s definitely a path in restoring all of it. We’re confident in the technical skills of our entire technology department and the partners we have,” Rios said.
There is no sign of the district’s cyber infrastructure serving as a host for the malware, according to Chief Operations Officer Les Hayenga. “We’re constantly monitoring our firewalls and our internet traffic right now,” Hayenga said.
“This is obviously not a pleasant situation, but there is a silver lining; just being aware that if this was to happen again, we have both the infrastructure, the personnel and the industry partners to combat this to where there is a minimal effect, considering how serious of an effect it could’ve been,” Superintendent Dr. Carlos Rios said.
Hayenga serves as the coordinator between the district and Texas Education Agency in cybersecurity matters, according to the press release.