Crypto-ransomware attack encrypts entire New Jersey school district network

A New Jersey school district was hit with crypto-ransomware, bringing out the feds to investigate and holding up the computerized PARCC exams. Oddly, reported ransom amounts range from $500 in bitcoins to 500 bitcoins worth about $124,000.

New Jersey school district Swedesboro-Woolwich is a victim of crypto-ransomware.

When Swedesboro-Woolwich school district, which has four elementary schools with a total of about 2,000 students, was hit with crypto-ransomware, big guns showed up to investigate. After the district's network was locked up due to ransomware on March 22, the local Woolwich Police, the New Jersey State Police Cyber Crimes Unit, the FBI and Homeland Security are all investigating.

In an announcement about the malware, the school district said:

Forensic analysis is being performed by the NJ State police. At this point there appears to be no data breach. The files affected were mainly Word documents, Excel spreadsheets and .pdf files created by staff members. Data for the student information system as well as other applications is [sic] stored offsite on hosted servers and was not affected by the virus.

It's also thrown a kink in the school district's scheduled Partnership for Assessment of Readiness for College and Careers (PARCC) exams, which are "high-quality, computer-based K–12 assessments in Mathematics and English Language Arts/Literacy." The crypto-ransomware "has affected the district's entire operations from internal and external communications to its point-of-sale for school lunches. It also has prevented any students from taking the scheduled PARCC exams, which are entirely computerized."

South Jersey Times first reported that Superintendent Terry Van Zoeren said, "There's basically no tech service happening in Swedesboro-Woolwich right now. Essentially our network has been taken over and has been made nonoperational."

"We are operating as if it's about 1981 again," Van Zoeren said. The network administrator received a message with complex directions to forward $500 in bitcoins -- a digital currency popular on underground online markets.

The school district wisely doesn't intend to pay the ransom and announced, "Encrypted files were restored from backup to their original state. Servers were restored to remove any trace of the malware. Email and other systems are being restored as quickly as possible."

Gloucester County Prosecutor Sean Dalton stated, "Certainly any breach of any public computer system, especially a school, is extremely serious and we're doing everything we can to assist the school district and identify the person or persons responsible."

Although the district plans to "pursue the culprits 'to the greatest extent possible,'" the feds are involved, and the NJ State Police conducted forensics, one basic detail remains unclear: is the demanded ransom $500 or 500 bitcoins? The first report said "$500 in bitcoins," yet South Jersey Times later said the ransom was "500 bitcoins." There's a huge difference, and it has now been reported both ways. If it is 500 bitcoins, then according to CoinDesk's bitcoin price calculator, that's currently equal to $123,195.40.

If the exorbitant demand of 500 bitcoins is accurate, it might sound like a kid trying to get out of exams. Surely not; $500 worth of bitcoins is by far the more typical demand.

500 bitcoins would not be the highest ransom ever, but it's still crazy expensive. When the city of Detroit had its entire database encrypted and held for ransom, it chose not to pay the ransom of 2,000 bitcoins, which was about $800,000 at that time. Other examples of ransom amounts include CryptoWall, which cost $500 when a Tennessee sheriff's office opted to pay the ransom. The next few are quoted at the bitcoin price when the malware was reported; since the price fluctuates, those figures may not be accurate as of today. CTB-Locker has a ransom of 3 bitcoins, about $650; BitCrypt demands a ransom of .4 bitcoins, about $230; CoinVault demands .5 bitcoins, about $188; and Simplocker demands about $200.

There's also no mention of which crypto-ransomware locked up the Swedesboro-Woolwich district or how the district was infected. Someone could have opened a malicious email attachment or a malicious app, or done nothing more than visit a website serving malicious advertisements, as happened when visitors to Yahoo, AOL and The Atlantic were infected by CryptoWall 2.0. In February, Cisco Systems said CryptoWall 3.0's authors may plan on using more drive-by-download attacks to infect systems.

Perhaps the school district has restored all its files, as The Republic reported that PARCC testing was delayed two days but was scheduled to start today.

Copyright © 2015 IDG Communications, Inc.