
Hermon School Department was attacked by ransomware at the start of November.
The attack was discovered Sunday, Nov. 5, according to Superintendent Micah Grant’s report dated Nov. 29. The issue was “quickly” resolved by DNS Albany, an IT company, per the report.
The ransomware attack appears to have been focused on PowerSchool, which offers software and cloud services for schools, Grant said during a Monday school department meeting. Other schools were likely affected, he said.
No evidence was found to show the breach happened locally, DNS Albany said in the report. The virus did not access any files other than “what would be expected for the virus.”
No firm information is available yet about what information was accessed, but it’s believed to be directory information, like names and addresses, Grant said. A forensic expert is reviewing all the information. A law firm will then tell the district what information needs to be told to which people and what is expected, he said. He said he’s in a “holding pattern.”
Grant said no money was paid for the ransomware attack. The district did not have contact with the ransomware group, he said.
“At this time we feel very good about the steps that we took,” Grant said.
By Monday, Nov. 6, the virus had spread to multiple servers and was an emergency, per DNS Albany. All servers were powered down late Monday afternoon to prevent further spread. One of the 10 servers had the virus and suspicious files, per the report.
The systems were back online and the school was functioning normally the morning of Tuesday, Nov. 7.
There were three events that led the district to think there was a spreading virus, per DNS Albany. The first was when a ransomware note was found on a school desktop and there was an interruption to the PowerSchool server, per DNS Albany.
In another instance, staff in the superintendent’s office were unable to access critical servers, which happened because there was an update to Microsoft settings. The third event was when a Windows 2003 server was almost out of space on its hard drive. That had likely been an issue for an extended period of time.
There was a bad patch in PowerSchool, which allowed the ransomware attack, Grant said. Before the attack the district was already scheduled to migrate to PowerSchool’s cloud, which happened the week of Thanksgiving.
The ransomware links did not work as designed, likely because the other servers were taken offline, DNS Albany reported.
The school is running a “vulnerable instance” of ApacheMQ and outdated Windows 2012 R2, the Maine Information Analysis Center told Grant and then-information technology director Jeff Wheeler.
Two ransomware attacks were exploiting the vulnerabilities, per the email. The student and parent sign-in have the same IP address as the vulnerable ApacheMQ.
A new director of information technology, Alex Bridges, was hired during Monday’s meeting, with a 3-1 vote and two abstaining. Haily Keezer voted no, stating she was concerned the new person did not have enough experience to be a director.
Shannon Knowles and Debbie CoWallis, representatives for RSU 87, abstained because it is not a teaching position.
Three community members spoke during the school department meeting Monday. Two people read parts of the same statement. They spoke about concerns they have with hiring the IT director, the state of technology in the district and a lack of information about the ransomware attack.


