Grain Valley Schools Director of Technology JaMere Waddy was getting ready for church the first Sunday of last October when a call came in from a church that rents space at one of the district’s elementary schools, reporting that the Wi-Fi appeared to be down in the building.
“I ran up to the high school, took a look around, and discovered some things were down and having trouble coming back up,” Waddy said.
It was not exactly an ideal weekend for work trouble, as his church was celebrating an anniversary event and his daughter was celebrating a birthday the same day.
“So we went home after church, cut the cake and all that, and then I headed back up to the school for a couple hours to begin troubleshooting.”
It became clear in the ensuing hours that the district had been hit with a ransomware attack in the early morning hours on Sunday. As Waddy explains, the point of such an attack is to disrupt systems and data in the hopes the company or organization will pay a ransom for the tools to resume operations. It was later determined the attack came from Russia, and ground zero was a simple click on a website that otherwise appeared innocuous.
“They hit you in the off hours. No one is here, and it is harder to follow alerts.”
“If they can get into your system, they will encrypt everything, and what they ask for is payment to send you the decrypter. What we were able to do is restore all of our data from copies of backups that we had. That is something that they are hoping you can’t do, but we were fortunate enough through just planning, that we had multiple copies of our data in different formats. So, they were able to decrypt some things, but not everything. Because of the size and the amount of data, it just takes some time and some shuffling.”
According to Emsisoft, a cybersecurity company which tracks ransomware attacks and publishes an annual report on their impacts on government, education, and health-care organizations, 89 education sector organizations were impacted by ransomware in 2022. Of the 89, 45 were school districts and 44 were colleges and universities.
According to the report, at least three organizations paid a demand, including the Glenn County Education Office in California, which paid $400,000.
Dr. Nick Gooch, Assistant Superintendent, Support Services, said the district’s cybersecurity insurance and the district’s team, led by Waddy, ensured the district did not incur any additional costs and did not need to consider paying the ransom.
“Thankfully, we have cybersecurity insurance. We notified our insurance agent, and they got us the support we needed through their various vendors for cybersecurity, and the cost was covered by our insurance,” Gooch said.
Avoiding the cost of restoring systems or paying out a ransom is one thing, but the cost in terms of productivity lost is real for impacted businesses and organizations. Attackers are betting that by crippling computers, phones, and printers, they can get businesses or organizations to pay.
“School districts are a prime target. They tend to be understaffed or lacking the tools in place. They are hoping they (school districts) don’t have a team able to restore what they have encrypted,” Waddy said.
“They’re hoping you press the ‘easy’ button, fork over the cash, and say we don’t want to deal with this. Just give us the keys to fork over what you’ve encrypted and bring it back up.”
“When I made the initial phone call to our insurance group, I didn’t know what to expect, and the advice is to not expect anything for 10-14 days. We were ready in five. This team did miraculous things in a short period of time,” Gooch said.
Starting that Sunday, Waddy and his team pulled a couple of all-nighters in a row, restoring internet and going through the tedious process of restoring all systems and data.
Waddy’s team included Network Administrator Tamarah Fisher, Systems Administrator Cory Williams, and Data Systems Administrator Courtney Lutes, along with a team of technicians that Waddy described as the “boots on the ground”, getting everything back up and running at each of the district’s buildings.
“We spent the next few days bringing as many systems back online as we could. It took phones and printers a couple of days,” Waddy said.
“Over the past few years, we’ve spent a great deal of time moving systems to the Cloud. Those things were fully functional. It was mainly just having teachers adjust on the fly.”
Waddy and his team pulled all-nighters that week, working through the process of restoring and rebuilding overnight so students and staff were not impacted.
“It’s interesting with tech. It’s almost like a house of cards, as in there are so many different pieces that have to work together. And when one thing changes or one thing breaks, you have to identify the dozen other things it is tied to. At the same time, school is still in session, teachers are still teaching, students are still learning. So, it’s rebuilding the ship while still floating,” Waddy said.
“That’s really the bulk of the work. Until you shut something off, or until you change a password, there’s really no way to know what all something is tied to, because that was put in place well before any of us worked here. In a perfect world, there would be documentation as people leave and transition to other positions, but that’s not always the reality.”
Now that the long nights are through, Waddy can focus on the positives of the experience.
“It’s not ideal to do in the middle of a school year, but there are some changes that you would like to make but they are difficult to do because you don’t know what all they are tied to. In a situation like this, you have no choice but to intentionally break things and then fix them. So, a positive aspect of the experience is that if everything is down, that gives you an opportunity to change a lot of things you planned on changing anyway.”
“This was an opportunity, when the environment was brought down, to rebuild it with additional fortification. We have really been able to beef up overall security and protection. That is because of his (Waddy’s) work and some support we got along the way,” Gooch said.
Waddy was modest about his efforts, but quick to praise his team.
“My own kids go to this district. That’s the job. Technology never sleeps. If me staying up until 4:00 a.m. to fix something means that the doors will stay open the next day, that’s a no-brainer.”
“I can say, and I know I am at risk of sounding like I am patting myself and my department on the back, but I can say that everything that we need to do to make sure this is our last attack, was already in place or in the works.”
“Technology is something that is constantly changing and there is never a point where we get something set up, and we can brush our hands and kick our feet up. However, there are so many things that you can do. As a decision maker, the focus becomes which ones are most important and which should we do first. Because we can do anything, but we can’t do everything. Something like this just puts everything into clear view and provides clarity of how to prioritize what projects we tackle and also the reassurance that we are heading in the right direction,” Waddy said.
The department’s work to fend off attacks extends beyond tech tools. Ongoing training with district staff and students is also key. Striking the balance between access to information and resources and ensuring security requires communication and tools in the hands of teachers to help mitigate risks.
“It’s a constant balancing act, to not allow too much, but to also not be too restrictive. One of the things we’ve done in the last few years, for instance, is a tool called GoGuardian that filters the students but also gives the teachers a level of control before it gets to the (technology) department,” Waddy said.
Teachers can test links to resources to ensure students can access materials safely. If a site they would like to access is blocked, there are internal processes in place for the technology department to review and grant access to links that are blocked by filters.
Waddy offers a few tips for staff, students, and parents:
Director of Technology JaMere Waddy and his team pulled many all-nighters to restore the district's systems following a ransomware attack in early October. Photo credit: Valley News staff