SCOOP: Glenn County Office of Education paid $400k ransom after ransomware attack
On May 12, the Sacramento Valley Mirror (SVM) reported on a ransomware attack on the Glenn County Office of Education and school districts. According to GlennCOE, the attack began in the early morning of May 10, and as SVM reported:
[A list of component districts and schools can be found on GlennCOE’s website].
Put out of commission systemwide for GCOE, school districts, and schools were the Internet, the voice-over-internet phones, emails, and the financial software that are all tied into a single network in the school districts and schools throughout Glenn County.
However, the Hamilton City and Orland school districts’ offices and schools experienced only their financial software being knocked out of use, with their Internet, email, and phones all staying usable because they have separate tech/backup for those.
The financial software network is the only one of those four that links all the school district offices and campuses in Glenn County including those in Hamilton City and Orland.
GlennCOE reached out to the FBI on May 10.
By late on May 12, no schools had been shut down because of the cyberattack and the superintendent of schools, Tracey Quarne, told SVM that there had been no request or demand received from those responsible for the attack.
That situation apparently changed at some point thereafter because on June 7, GlennCOE paid a $400,000 ransom to Quantum threat actors to get a decryption key and certain assurances.
Negotiations between GlennCOE and Quantum began on May 18 when the county responded to a note from the threat actors by entering a chat with them. Quantum provided GlennCOE’s negotiator with a zipped archive of files as some proof that they had accessed the system. According to Quantum “Support,” GlennCOE’s backups had all been deleted and all their data locked.
“So you stole our data? How much did you steal?” GlennCOE’s negotiator asked after looking at a listing of the directory on their D: drive that Support had provided as partial proof.
“~160gb,” “Support” answered.
Note: Information about the chat negotiations and screencaps were provided to DataBreaches by a source who was granted anonymity so that they could share the material.
What followed were negotiations that went back and forth for more than two weeks, with Quantum’s initial demand being well over $1 million.
In the process of negotiating, it appeared that Quantum was negotiating based on a false impression that the county’s assets and cyberinsurance were available and sufficient to cover their demands. The county’s negotiator pointed out that Quantum seemed to have erroneously calculated a high ransom based on total county assets and not just the small percentage of it that would be under the Office of Education. [DataBreaches notes that this is not the first time a ransomware group has confused a district’s budget with “revenue” or does not seem to understand that the vast majority of a school district’s budget cannot just be reassigned or used for other purposes. Very little of a public school district’s budget is actually “discretionary.”]
On June 5, GlennCOE’s negotiator and Quantum agreed on $400,000 to be sent to a BTC wallet. The payment was sent to the designated wallet on June 7, and the county was given the unlocker.zip on June 8.
As part of the negotiations for that amount, Quantum assured the county that it would delete all files and provide proof of deletion, provide an explanation of how they gained access to the network and what they did in there, provide a complete list of all files taken, guarantee that they would not attack the district again, and would not sell any of the data that had been stolen.
Whether Quantum kept their word on anything other than the provision of the decryptor is unknown to DataBreaches at this time. Nor does DataBreaches know if GlennCOE was able to successfully decrypt all their files.
Not seeing any notice on the county’s site with any update or statement, DataBreaches sent an inquiry yesterday to Superintendent Quarne via email requesting a copy of any statement or notice the county provided and requesting that, if none could be provided, GlennCOE consider the email to be a public records request under Freedom of Information for records concerning payment of any ransom and records relating to the scope of access to or acquisition of student and/or employee records. No reply has been received as of the time of this publication.
At this time, then, DataBreaches has not received confirmation from the Glenn County Office of Education about the ransom payment, although checking the specified BTC wallet confirmed that $400,000 was sent to it on June 7. Nor does DataBreaches know whether the county or component districts have sent any individual notification letters to employees or students whose personal information may have been accessed or acquired by Quantum. No notices have appeared on the California Attorney General’s breach site submitted by either the county office of education or component school districts.
This post will be updated as more information becomes available.