Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



Large Florida School District Hit by Ransomware Attack

The computer system of one of the nation’s largest school districts was hacked by a criminal gang that encrypted district data and demanded $40 million in ransom or it would erase the files and post students’ and employees’ personal information online.

The computer system of one of the nation’s largest school districts was hacked by a criminal gang that encrypted district data and demanded $40 million in ransom or it would erase the files and post students’ and employees’ personal information online.

Broward County Public Schools said in a statement Thursday that there is no indication that any personal information has been stolen and that it made no extortion payment to the ransomware gang, which as an apparent pressure tactic last week posted screenshots of its online negotiations with the district to its site on the dark web.

The Fort Lauderdale-based district said it is working with cybersecurity experts “to investigate the incident and remediate affected systems. Efforts to restore all systems are underway and progressing well. We have no intention of paying a ransom.” The district did, after two weeks of back and forth, offer to pay $500,000, at which point the ransomware criminals apparently ended negotiations, according to the hackers’ screenshots.

The district declined further comment outside its statement. With 271,000 students, Broward is the nation’s sixth-largest school district with an annual budget of about $4 billion — a fact the hackers kept returning to as they demanded $40 million, to be paid in cryptocurrency. The ransomware caused a brief shutdown of the district’s computer system in early March, but classes were not disrupted.

“It is a possible amount for you,” the Conti gang said early in its negotiations with a district official, whose name does not appear in the screenshots and has not been released. Its data-locking malware is one of the top 10 strains of ransomware.

“This is a PUBLIC school district,” the Broward negotiator replied. “You cannot possibly think we have anything close to this!” It was unclear if the representative was a district employee or, as is often the case, a hired ransomware negotiator.

The FBI usually investigates such attacks, but said Thursday it would not confirm if it was investigating this one.

An epidemic of ransomware attacks has been plaguing government agencies, businesses and individuals for the past three years. Most are Russian-speaking gangs based in Eastern Europe and enjoy safe harbor from tolerant governments. The more sophisticated groups identify their targets in advance, infect networks through phishing or other means and often steal data as they plant malware that encrypts a victim’s network.

Advertisement. Scroll to continue reading.

After the ransomware is activated, the criminals demand money to unlock the malware and refrain from posting — or selling — stolen data. In the case of corporations, that data could be trade secrets. In the case of retailers or government agencies it could be Social Security, bank account numbers and birth dates.Conti claimed it stole from Broward’s system Social Security numbers, birth dates and other student and employee information.

Public school districts have been frequent targets of ransomware attacks. The districts of Baltimore County, Maryland; Fairfax County, Virginia; Hartford, Connecticut; and Fort Worth, Texas, were among those hit last year. Elementary, middle and high schools have been increasingly targeted in recent months, according the the Cybersecurity and Infrastructure Security Agency. In December, it said that K-12 schools accounted for 57% of all reported attacks in August and September as compared to 28% for January through July.

Overall, ransomware attacks disrupted learning at 1,681 schools, colleges, and universities in 2020 and at least 544 so far this year, said analyst Brett Callow at Emsisoft, a cybersecurity firm. Seven districts had personal data published.

Many ransomware cases go unreported due to the liability and stigma attached to victims. Cybersecurity firms have good data on ransoms paid in part because negotiations between victims and hackers occur on dark websites that researchers learn about through shared malware samples where criminals typically leave ransomware notes with instructions and demands. An entire subindustry has also emerged to help victims manage the emergencies.

The average ransom paid for to hacking gangs nearly tripled from $115,000 in 2019 to $312,000 in 2020, according to the cybersecurity firm Palo Alto Networks. It said the highest ransom paid by an organization doubled last year from to $10 million, up from $5 million in 2019.

In Conti’s negotiations with Broward, after the gang’s initial $40 million demand, it said it was willing to negotiate: it would accept $15 million in Bitcoin but it had to be delivered within 24 hours. Otherwise, it would upload the personal information it claimed to have and permanently lock the computer system. Conti said legal claims against the district for losing the data would exceed $50 million, so it should consider its demand a bargain.

“Pay $15M and you guys are guaranteed to solve your problem,” Conti told the district.

The district insisted it still couldn’t afford it and, in any case, didn’t have access to Bitcoin. Ransomware gangs demand payment in cybercurrency because it can be difficult to trace.

Conti upped its threat by suggesting it had found damaging information about an unnamed royal family in Broward’s database — an allegation the district’s negotiator found absurd.

“What do you mean about a royal family … we are a public school district,” the negotiator replied.

The negotiations continued for two weeks, with Conti eventually lowering its demand to $10 million. The district made its $500,000 counteroffer. That is the last screenshot posted.

“The negotiation is bizarre,” said Callow, the Emsisoft analyst. “The Conti operators are experienced extortionists, so it’s odd that they seemed not to know who they were dealing with and demanded an amount that a public school district was never likely to pay. I can’t explain it.”

RelatedU.S. Hospitals Warned of Imminent Ransomware Attacks From Russia

Related: University Project Tracks Ransomware Attacks on Critical Infrastructure

RelatedSierra Wireless Says Ransomware Disrupted Manufacturing

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

Professional services company Slalom has appointed Christopher Burger as its first CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.