Alberto Carvalho is confronting a major ransomware attack just eight months after he joined the Los Angeles Unified School District as superintendent. Late Tuesday, two weeks after LAUSD publicly disclosed the attack, Carvalho confirmed a ransom demand was made by the group that breached the district’s systems.
He remained tight-lipped, in an interview with the Los Angeles Times, about the amount demanded and what information the ransomware group claims to have stolen from the country’s second-largest school system, outranked by New York City alone.
Campuses remain open, but some systems are still offline or compromised, and additional damage could still hit the district.
How that outcome plays out, as with most ransomware attacks, hinges on the fortitude and trustworthiness of two parties: the cybercriminal and the victim.
LAUSD, for now, is effectively calling the threat actor’s bluff. Likewise, the ransomware group wants the district to fear what could happen if sensitive data is leaked or otherwise used to inflict further harm.
“There has been no response to the demand,” Carvalho told the Los Angeles Times on Tuesday. That’s in line with ransomware guidance from multiple federal agencies that jumped in quickly over the Labor Day weekend to help the district recover and reopen classrooms as scheduled after the holiday.
Vice Society, which claimed responsibility for the attack, was singled out in a joint Cybersecurity Advisory from federal authorities the same day LAUSD went public with the attack. The connection remains implied but not stated as such by officials.
The attack on LAUSD was a “crippling ransomware attack,” Anne Neuberger, deputy national security advisor for cyber and emerging technology on the National Security Council, said earlier this month at the Code Conference.
The district weathered the attack and remains operational, in part, because of support it received from the FBI, Department of Education and the Cybersecurity and Infrastructure Security Agency.
Things could be worse, but much is not well or normal for LAUSD since it discovered the cyberattack in progress at 10:30 p.m. on the Saturday leading into Labor Day.
The district initiated a complete reset of more than 600,000 passwords after it discovered the ransomware group changed many passwords during the attack. Sometime early in that process, LAUSD found malware in its systems that could potentially compromise re-authenticated accounts, which further delayed the systemwide password resets and recovery, the Los Angeles Times reported.
District officials acknowledge multiple systems were compromised, including student management, bus system servers, and the platform it uses for purchases, vendor bidding and construction project management.
The cybercriminals initially contacted the district without making any demand, then extended their deadline for restoring LAUSD’s systems and data, Carvalho said at a Sept. 9 news conference.
LAUSD’s Board of Education granted Carvalho emergency powers soon after the attack, a move that allows him to spend and procure whatever he deems “necessary to address the emergency conditions caused by the cyberattack.”
That rare authority, followed by Carvalho’s confirmation Tuesday that a specific ransom demand was made and remains unanswered, sets the stage and scope for potential calamity. It also sets Los Angeles school officials and federal authorities up for some stressful days ahead.