4 minute read

Oklahoma City Public Schools could be charged over $100,000 by a cybersecurity firm for helping the district recover from a ransomware attack according to documents obtained by Free Press.

OKCPS has not disclosed the amount of ransom demanded by the attackers or whether it was paid.

The attack crippled the district’s network for seven days while classes were still in session and the district was preparing grades for the close of the school year.

We first reported the attack May 15, the next day after the documents show agreements were signed to employ third party contractors to help the district recover.

Free Press continued to report efforts to repair damage to the network over the seven day period.

100 computers

The ransomware is believed to have infected about 100 computers around the district through a phishing email opened by one employee.

One of the documents we obtained through an open records request is the agreement between OKCPS and the Mullen Coughlin law firm in Pennsylvania signed by Superintendent Sean McDaniels on Tuesday, May 14. The firm specializes in cybersecurity and data privacy.

The other document is the agreement between OKCPS and Kivu Cyber Security Services, likely the “third-party contractor” mentioned in district statements as helping district IT staff recover from the attack. That agreement was also signed by McDaniel on Tuesday, May 14.

Ransomware

Ransomware is a malicious cyber tool that encrypts targeted computers and sometimes whole systems demanding a ransom for the key to unlock the infected computers.

The documents reveal that the district initially estimated that 100 computers had been infected with the GrandCrab v5.2 ransomware, but did not believe that any servers had been affected.

They also believe they have identified the “compromised user account,” meaning the employee account where the ransomware first entered the network likely by way of a phishing email.

Phishing is the practice of an attacker sending an email to an organization’s employees pretending to be someone with whom the employee is familiar. Once the email is opened and the requested actions are taken, malware infects the machine that opened the email and then spreads to other computers in the network.

Cost estimates

The documents are both initial agreements with the law firm and the cybersecurity firm.

The law firm agreement references charges that were to be billed to the Chubb Insurance Group.

The cybersecurity firm gave only high and low estimates of the costs of recovery for the district.

No actual amounts paid have been disclosed by the district.

The cybersecurity firm’s total low estimates were around $70,000 and the high estimate was $103,840.

Turn of events

Included in Kiva’s agreement with OKCPS this is the narrative of the turn of events that led to their being approached for support:

On May 14, Kivu was contacted by the Mullen Couglin LLC law firm for OKCPS and “…was informed that on May 13, 2019 at around 7:30 AM CDT, Client was notified by multiple employees that they were unable to access data.

The narrative says that OKCPS IT discovered that between 6:30 p.m. Sunday, May 12 and Monday, May 13 around 1:00 a.m. “encryption with the *GrandCrab v5.2 ransomware variant began spreading to around 100 workstations.”

OKCPS did not think at the time their servers had been affected, the narrative says.

The agreement also summarizes what Kiva will do to help the district recover from the attack, which includes options to not pay or pay the ransom.

Ransom paid?

It is unclear whether the district has actually paid the ransom or if the firm was able to help OKCPS restore the computer with backups.

But, unlike a country dealing with terrorists who take hostages, dealing with ransomware is frequently solved by actually paying the ransom.

According to a blog post titled “Debunking the top 5 ransomware myths” by Winston Krone, global managing director of Kiva, hackers often do produce decryption tools when the ransom is paid. Why?

The majority of ransomware actors want to make money and receive good publicity within the hacker community on the Dark Web. When a hacker doesn’t decrypt a system post-payment, it destroys their reputation within the community and lowers the chances of future ransoms being paid, so it is in their best interest to deliver on their promise.

While casting doubt on the ability in most cases to break ransomware encryption code, the post did say that some variants of the ransomware used in the OKCPS attack do have decryption codes available.