The Second Largest Ransomware Attack In History


Suffering a ransomware attack can be devastating in itself.  Operations and systems are disabled and workflow stops, not to mention the financial loss and the exfiltration of your sensitive data.  Companies are usually the high-value targets because of the huge financial gain an attacker can achieve.  However, local townships and schools generally do not possess the greatest security countermeasures, making them easy pickings.  Recently, the Broward County Public School system became the victim of the second largest ransomware attack in history.


Broward County Public School System

Located in Florida, the Broward County Public School (BCPS) is the second largest school district in the state.  Furthermore, BCPS ranks as the sixth largest school district in all of the United States, hosting a total of 241 public schools and 92 charter schools.  260,715 students are currently enrolled at the schools.  Additionally, BCPS is the largest employer in its county.

As the sixth largest school district in the United States, BCPS presents a target comparable in scale to a large company.  However, the school district’s urgent need to educate students every day gives the attacker considerable leverage to obtain a payout.


The Attack

Broward County Public Schools has disclosed only that a cyber attack disabled its IT infrastructure, with no further details.  However, the attacker group, Conti, proudly claimed responsibility for the successful attack that occurred in March.  Conti further claimed that they not only carried out the ransomware attack but also exfiltrated over 1 terabyte of sensitive data.  This data includes everything from student data, to employee data, to data regarding other school districts.

Conti’s attack can go down in the history books because they initially demanded $40,000,000.  Yes, you read that right…forty million dollars.  That makes it the second largest ransomware demand, behind only the $50,000,000 demanded of Acer.

Conti first demanded $40,000,000 and then attempted to negotiate payment when a member of BCPS personnel reached out to the attacker group.  Conti explained the extent of the attack and argued that the school district could afford the payment since the district brings in approximately four billion dollars annually.  However, $40,000,000 is a chunk of change for anyone, especially a public school system.  BCPS did not pay the $40,000,000, and Conti attempted to negotiate a payment of $10,000,000.  BCPS was willing to pay only $500,000 to recover its systems, which was not enough for Conti.  When no acceptable payment was made, Conti proceeded to share the details of the attack.


School Districts as a Target

Why would Conti target their ransomware at a school district rather than a large corporation?  As you can see, Conti did their research and learned that BCPS draws in roughly four billion a year.  The $40,000,000 demand they set shows that they believed they could obtain a substantial payment.

However, why have attackers begun to target even smaller school districts and local governments?

A school district’s main mission is to provide a safe environment for students and ensure they obtain an education.  Its mission and business operations practically need to be up and running 24 hours a day, 7 days a week.  With that in mind, attackers target school districts because, if their systems are disrupted, they might be more willing to pay up to get systems running again for the students and community.  Furthermore, small school districts and local governments run on a tight budget.  This means that they might not devote enough resources to IT infrastructure and cyber security.  With the lack of security measures and IT teams, these districts and local governments present easy targets for any attacker.

Let’s hope that the Broward County Public Schools can successfully recover their data and systems without the need to pay off Conti.  Giving in to the demands of a ransomware attacker only fuels their fire for future incidents.