Hackers want millions in ransom. American schools are considering the cost.

The ransomware attack on her daughter's school was the last thing Glynnis Sanders needed.

Like most parents, Sanders has been performing a daily juggling act. When she's not teaching special education classes at Buffalo Public Schools, she and her husband are usually making sure their three kids are attending their remote classes.

So it hit hard when hackers struck the school of her youngest daughter in early March, the Friday before she was supposed to finally return to in-person learning twice a week.

“It’s very frustrating. You think, how could this happen? You wonder if your information is secure,” Sanders said. “It’s just the headache of Covid as it is, and it’s adding to the stress of the school year. Like what else could happen?”

The hackers infected Buffalo’s schools with malicious code that spidered through their networks, freezing computers and making it impossible for teachers to reach their students who were working remotely because of the pandemic. They demanded a ransom to make it go away.

School officials canceled remote classes for the day while they figured out what to do. They would end up needing more than a week to resume their planned class schedule. A single infection of a school district can affect dozens or hundreds of schools: Buffalo counts 63 individual schools and learning systems.

In public statements, Buffalo Public Schools referred to what happened broadly as a “cybersecurity attack.” But it wasn’t a mindless act of internet vandalism. Buffalo had become the latest in a long spree of ransomware attacks, a type of hack where malicious software locks as many related computers as possible, rendering files inaccessible in an attempt to coerce victims to pay up.

Image: Libby March for NBC News Glynnis Sanders, a parent with children in the Buffalo school system, on April 2, 2021. (Libby March / NBC News)
Image: Libby March for NBC News Glynnis Sanders, a parent with children in the Buffalo school system, on April 2, 2021. (Libby March / NBC News)

The attack underscores how a once obscure form of cybercrime now preys on Americans almost daily. While some ransomware gangs spend months targeting large businesses in hopes of a giant payday, many also go after institutions that don’t have dedicated cybersecurity staff or expensive cybersecurity contracts to better protect them from hackers, like hospitals and city and county governments, which are often wide open to attack.

Schools are soft targets, too — and during a pandemic, particularly soft ones. Cybercriminals have recently ramped up attacks against American public school districts, with at least 44 of them this school year alone, according to a count by Allan Liska, a ransomware analyst at the cybersecurity company Recorded Future. The FBI issued a warning in mid-March that ransomware attacks against schools were spiking, but the U.S. federal government has limited power to stop ransomware attacks. As recently as Thursday, schools in Haverhill, Massachusetts, had to close.

Cybersecurity company Emsisoft has estimated that ransomware attacks cost the U.S. more than $1.3 billion in 2020. The FBI often is the primary agency responding to ransomware attacks in the U.S., but as the agency focuses more on arrests than on disruption, and most ransomware gangs operate in countries where it's hard or impossible to get cybercriminals extradited, it’s rare for the criminals to face serious repercussions.

A spokesperson for Buffalo schools declined to comment, citing an ongoing FBI investigation, and the agency also declined to comment. But school officials were clearly caught off guard by the severity of the hack, as they spent the next week issuing last-minute class cancellations.

After calling off all remote classes for the day that first Friday, they announced Sunday evening that there would be no class whatsoever on Monday. Then Monday evening, they cancelled in-person learning through Wednesday, then Wednesday evening extended that ban for the rest of the week.

“Tuesday night we found out late," said Gary Cartwright, a father of four kids in the district. "Monday night we found out late there was no school. Sunday night, late."

To pay or not to pay

The FBI and the U.S. Cybersecurity and Infrastructure Agency, the federal agencies that respond to ransomware victims, officially don’t recommend paying a ransom to hackers, both because doing so can encourage them to target more victims and there’s no guarantee that the hackers will honor the agreement. Paying isn’t illegal in most cases, but it’s still a risky prospect: A recent survey by the cybersecurity firm Kaspersky found that just over half of ransomware victims chose to pay, but 17 percent of those who did still never recovered their files.

But sometimes a school will try to pay, only to find it impossible to negotiate with the hackers. In March, after negotiations broke down between one gang and Broward County, Florida, school system — one of the largest school districts in the country, with more than 260,000 students — the hackers published the transcript of their conversation on their website. The conversation shows the gang initially asked for $40 million in ransom, to the school official’s bafflement.

Excerpts of a conversation between a Broward County Public Schools official and a member of a criminal ransomware gang posted to the gang's blog.
Excerpts of a conversation between a Broward County Public Schools official and a member of a criminal ransomware gang posted to the gang's blog.

A Broward spokesperson for the school declined to comment on the published negotiations but said in a statement, “We have no intention of paying a ransom.”

Even when a school catches the attack early and chooses to not pay the hackers, the costs can be severe, as was the case when the Affton, Missouri, school district was hit in February. The district’s director of technology, Adam Jasinski, received an early morning text message from a teacher that showed a picture of a computer with a picture of a ransom note.

"Hi Company, Every byte on any types of your devices was encrypted," the hackers wrote. "Don't try to use backups because it were encrypted too."

Excerpts of a conversation between a Broward County Public Schools official and a member of a criminal ransomware gang posted to the gang's blog.
Excerpts of a conversation between a Broward County Public Schools official and a member of a criminal ransomware gang posted to the gang's blog.

Recognizing the potential for ransomware to spread quickly from computer to computer, Jasinski quickly ordered them all shut down and began examining computers individually to see which ones were infected. Only 30 were, and the school was able to replace them and resume classes the next day.

But the hackers weren’t done. As retaliation, they published files they were able to exfiltrate from the infected computers, which included scores of tax and human resource documents like notes on teachers and their pay and the school’s tax documents since 2018.

Jasinski said despite that hassle, he’s still confident he made the right decision.

"One thing I hope people take away from experiences like ours is don’t pay the ransom, because it only encourages them," he said.

'A matter of national security'

Most of the damage is done by a dozen or so hacker groups, which effectively run as organized crime rings. Their members’ identities are largely known to the FBI and U.S. Secret Service, officials at those agencies say, but they tend to live in Russia or other Eastern European countries that don’t extradite their citizens to the U.S.

The Biden White House has a plan to deal with ransomware hackers, but such a plan is still several weeks away, said Anne Neuberger, a top White House cybersecurity adviser.

"Ransomware is a matter of national security because it affects so many Americans, including our small businesses, and state and local governments," Neuberger said in an emailed statement. "Making progress to address ransomware will require cooperation with international partners."

In some cases, hackers make remote learning nearly impossible. Huntsville City Schools in Alabama, which allows parents to choose whether their kids go to in-person classes or learn remotely through the Huntsville Virtual Academy, sent everyone home on Monday, Nov. 30, the first day back after Thanksgiving break, because of a ransomware attack.

It took a week for in-person classes to resume. But because of lingering issues with school devices, HVA students for weeks learned purely through “paper packets,” with no interactions with their teachers. Every Sunday, parents dropped off their students' previous week of paperwork and picked up a new week’s worth.

Brooke Abney-Stratton, a mother to an elementary school student and a middle school student in the district, saw her mother hospitalized with Covid-19 in July and didn’t hesitate to enroll her kids in HVA at the beginning of the school year. While she had mixed feelings about the program’s deployment before the cyberattack, she said her children had no direct interactions with their teachers in December — just packets of paper she shuffled back and forth.

"The virtual academy kids — my kids — had no access to email their teachers. No administrators. Nothing," Abney-Stratton said in a phone interview. "They were handed a paper packet, told to do the work and turn it back in, while the other students who were traditional in-person students were in a classroom every day."

"It took until after New Year’s to get my son logged back in," she said. "It’s been the worst experience. I never could have imagined."