Earlier this month, Broward County Schools disclosed a cyberattack that sounded pretty serious. But there did not seem to be any follow-up in the media or on their web site to explain exactly what had happened and with what impact.
Now threat actors have leaked what appear to be ransom negotiations with the district.
A screenshot of a chat log shows what happened when Broward reached out to the threat actors approximately two weeks ago to inquire what the district would need to do to get their files back.
The representative for Conti told Broward that they had encrypted Broward’s servers and exfiltrated more than 1 TB of data files that included personal information of students and employees as well as other district files such as contracts and financials.
But the shocker — and it was a shocker — is that Conti was demanding $40 million from the district. Had Conti got someone psychotic in charge of determining ransom amounts? What on earth were they thinking, right?
According to Conti, however, they had researched the district and found that the district had more than $4 billion in revenue, so the $40 million demand was reasonable.
The negotiations didn’t improve from there. The Broward representative kept trying to get through to Conti that they are a public school district and that there is no way they have that kind of money. Conti’s response at one point was to offer them a discount if they paid $15 million within 24 hours. Unsurprisingly, that didn’t happen.
The negotiations got even weirder to read the next day, when the Broward representative continued to try to get Conti to understand that this was a public school district and they didn’t have that kind of money or even any bitcoins.
At one point, Conti’s negotiator replied:
You are not a school, we know who you are and what you have. If you will not pay today 15M$ you will lost your profit from this school and be sure you will lose your reputation in this sphere.
And when the Broward representative insisted they were a school, saying “What else would we be?” Conti replied:
Guys, you were hired by the Broward Schools and we know exactly who you are.
Later, Conti would add:
We paid and hired the outsource-company and we know exactly that your recovery-company received a wire transfer from Broward(bankofamerica), that’s why we are ready to agree to 10M$.
The Broward spokesperson denied any knowledge of any recovery company, but indicated that they would speak to their superiors and ask them about any recovery company. Almost 24 hours later, Broward made an offer of $500,000 but did not address Conti’s claim that the individual was with a recovery company and had received a $10M wire transfer.
The preceding is just a small sample of the chat that appears to have begun approximately two weeks ago. The fact that the threat actors uploaded the chat logs — presumably to try to pressure Broward, means that negotiations broke down.
At first blush, the chat log does not make Conti look very professional as threat actors. The Broward representative appeared to be understandably stunned and quite correct in claiming that Conti seemed to have no understanding of funding for public school districts or how the funds could be used. Had Conti said something like, “Look, we read your cyberinsurance policy and we know you have coverage to pay us $XYZ, ” then that would have been one thing.
Of course, if they were telling the truth — that they knew that Broward had hired a specific firm and that there really was a wire transfer and authorization to pay them $10 million, then they just look smart/efficient, and it’s a reminder to victims NOT to communicate via email or ways that the threat actors can access if they are still in your network.
The chat log ends after Broward reiterated that the district only has money sent to it by the government and they had approval to offer Conti (only) $500,000. Conti did not respond, but then uploaded the chat logs.
There are many who will be upset with that $500,000 offer — or that there was any offer at all.
In any event, this story is likely not over. Will Conti dump files? Will the district increase the offer? DataBreaches.net has reached out to Broward Schools to ask them to respond to some of the threat actors’ claims and will update this post if a response is received.