Michigan school districts reopen after three-day closure due to ransomware attack

Public schools in two Michigan counties are reopening on Thursday after a ransomware attack crippled their ability to function and closed doors to students for three days. 

All of the public schools in Jackson and Hillsdale counties announced their reopening on Thursday in letters to parents, assuring them that cybersecurity experts, tech officials and law enforcement worked around the clock to restore the systems following outages that began on Monday. 

Jackson County Intermediate School District Superintendent Kevin Oxley said the ransomware attack was detected last weekend, and they proactively took their systems offline in order to contain the damage. 

During the attack he urged students and teachers not to use school-issued devices. By Wednesday, he they were able to bring essential systems back online. 

“However, students will continue to have limited access to several technology resources when they return tomorrow, as our teams continue to work on restoring additional systems,” he said. 

“We understand the challenges this incident has created for our community. Unfortunately, the criminals responsible for ransomware attacks such as these have been targeting school districts like ours across the country.” 

Both the FBI and Det. Lt. Mike Teachout of the Michigan Cyber Command Center confirmed they were involved in the investigation.  

Stephan Chenette, CTO at AttackIQ, explained that school districts’ lack of staff and resources to defend against cyber threats make them an attractive target for cybercriminals. 

While no group has come forward to claim credit for the ransomware attack, Chenette noted that the Vice Society gang has attacked dozens of schools across the country, including a headline-grabbing attack on the largest school district in Los Angeles in September. 

“Vice Society, like many other threat actors, has typically gained initial network access through compromised credentials or by exploiting internet-facing applications. The actors focus efforts on exploring the victim’s network, identifying targets of opportunity, and exfiltrating data prior to deploying ransomware,” Chenette said. 

“The aftermath of a ransomware attack on underfunded school systems can be crippling, both financially and in loss of data, making it imperative that educational institutions study the common tactics, techniques, and procedures used by common threat actors, which will help them build more resilient security detection, prevention, and response programs mapped specifically to those known behaviors.”