GFPS details 2020 ransomware attack

In September 2020, as the Great Falls Public Schools district was returning to classrooms amid the COVID-19 pandemic, it was also hit with a ransomware attack.

For months, officials said they couldn’t discuss the details of the attack as investigators and the insurance company were conducting their work.

Last week, The Electric followed up.

Superintendent Tom Moore said that the district has a “fairly hefty” insurance policy against data theft, data loss, cyber security and such, which protected the district from a large financial loss due to the attack.

Moore said that because of the insurance policy, the district paid the $1,000 deductible, but not the 20 bitcoin ransom the hackers wanted to release the system.

Moore said that in September 2020 dollars, that would have been $220,324.

The insurance company hired a team of attorneys that deal with cyber attacks and threats, as well as a cyber forensics team that worked separately but cooperatively with law enforcement, Moore said.

“This whole thing is incredibly sophisticated,” he said.

The district notified the Great Falls Police Department, FBI and Montana Attorney General’s office immediately following the attack over Labor Day weekend of 2020 that crashed district email, hindered internal communications and forced teachers to work from home on their personal networks so that remote learning could continue.

“The attack was pretty widespread and shut all of our systems down and we were really held hostage for quite a while,” Moore said.

It took the better part of a month for the district to reinstall and reconfigure all of its services and databases that had been hacked, which had the IT department working round the clock for at least a week getting the system back initially, Moore said.

Based on the investigation, Moore said the particular cell of hackers was out of Russia, but based on how they operate, it could have been a group of attackers working together from multiple locations.

“It’s extremely complex and they’re almost impossible to track down and nail them,” Moore said. “It was quite an experience.”

Moore said that for the last decade, the district had been working to improve its cyber security and, as a result of the attack, transitioned to a new email system and spent more on firewalls and additional ransomware software systems.

Moore said the district is still confident that there was no loss of data or compromised data as a result of the attack on its systems.