Cyber Incident Victim: St. Landry Parish Schools
Date: Jul 2023
Location: United States of America
Summary
St. Landry Parish Schools suffered a ransomware attack. An investigation with state police is underway to determine the origin, and the district is assessing what data was stolen. A threat group is demanding a $1 million ransom and has threatened to leak the data, which includes financial and internal documents. Experts advise against paying and recommend that parents remain vigilant for potential scams.
Description
On July 25, 2023, the St. Landry Parish School District in southern Louisiana fell victim to a significant cybersecurity incident identified as a ransomware attack. The incident was first discovered when a staff member notified the board's supervisor of technology, Byron Wimberley, about a potential issue. Upon investigation, Wimberley identified the presence of malicious spyware on the district's systems. Superintendent Milton Batiste III publicly confirmed the attack, stating that the district was working in collaboration with the Louisiana State Police to investigate the security failure and identify the origin of the breach. The exact initial vector of the attack was not immediately known, though the district began an internal process to determine how the attackers gained access to their network infrastructure.

The attackers successfully exfiltrated data from the school district's systems. Screenshots of data made available on the ransomware group's dark web blog page provided evidence of the stolen information. The compromised data samples included a check made out for $57, a certificate from a 2021 training course, an education disability claim form, various communications with an insurance department, and publicly available information regarding teachers' salaries. This selection of data indicated that the attackers had accessed a range of sensitive and administrative documents. At the time of the reporting, the full scope of the data theft had not been determined, and it remained unclear exactly how much information and what specific types of data had been obtained during the incident.
A threat analyst for Emsisoft, Brett Callow, publicly identified the ransomware group involved by locating their dark web blog. The blog post issued a direct ransom demand to the St. Landry Parish School Board, giving them a one-week deadline to pay before the stolen data would be publicly leaked. The threat actors demanded a payment of one million dollars in exchange for deleting the data they had stolen. According to Callow, this ransom note was issued less than twenty-four hours after the initial discovery of the attack, indicating a rapid operational tempo by the cybercriminal group. The group utilized a double-extortion tactic, which is common among modern ransomware operators; they not only encrypt the victim's data but also steal a copy to use as leverage for the ransom payment.
The district's response included immediate internal notifications. Superintendent Batiste stated that staff members who had used suspected compromised devices were notified of the incident. However, a broader notification to parents had not been issued at the time of the report. Batiste indicated that if the investigation confirmed that student or parental personally identifiable information had been stolen, the district would then begin the process of notifying affected families. In the interim, staff were advised to be vigilant and report any suspicious emails or communications from unrecognizable sources to the district's computer technology personnel for investigation. The impact was reportedly contained due to the limited number of employees utilizing the affected devices; the breach was restricted to central office staff and did not spread throughout the entire school system.
This incident was not the first cybersecurity event for the St. Landry Parish School District; the school system had also fallen victim to a previous cyber attack in 2020. The recurrence of such an event highlighted the ongoing challenges faced by public school districts in securing their digital infrastructure against determined threat actors. Ransomware attacks against educational institutions have been frequent across the United States. In 2022 alone, forty-five school districts operating 1,981 schools became victims of ransomware attacks, in addition to forty-four colleges and universities. The Los Angeles Unified School District attack was cited as one of the most extensive, compromising data of 500,000 students across 1,300 schools, illustrating the scale of the threat to the education sector.
Expert analysis provided by Brett Callow outlined common methods used by threat actors to gain initial access to victim networks. These typically include exploiting vulnerabilities in unpatched internet-facing servers or using compromised login credentials. These credentials are often obtained from previous data breaches leaked online or harvested through unsecured home connections when staff members access work systems from their personal computers. Once inside a network, attackers follow a two-step process: first, they attempt to exfiltrate a copy of as much data as possible, and second, they encrypt the original data on the network, rendering it inaccessible to the victim organization. The stolen data serves as critical leverage, as it often contains sensitive information such as checking account details, Social Security numbers, and internal communications.
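The bulk-exfiltration step described above, in which a copy of as much data as possible leaves the network before encryption begins, usually shows up as a host sending far more outbound traffic to external destinations than it normally does. The following is an added detection example written for this page; it is not code from the district, from Emsisoft or from the original report. It assumes a hypothetical internal address range of 10.20.0.0/16, constructed flow records in a simple "timestamp src dst bytes" format, and arbitrary alert thresholds (a 1 GB daily minimum and a tenfold jump over the host's earlier daily maximum).

```python
"""Flag hosts whose daily outbound volume to external addresses jumps far
above their own earlier baseline, a simple indicator of bulk data exfiltration.
All addresses, ranges and flow records below are constructed for illustration."""
from collections import defaultdict, namedtuple
from datetime import datetime
import ipaddress

# Hypothetical internal range; everything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample flows: timestamp, source, destination, bytes sent.
# Day one is ordinary office traffic; in the early hours of day two one host
# pushes roughly 19 GB to an address outside the internal range.
SAMPLE_FLOWS = """
2023-07-24T09:05:00 10.20.1.15 10.20.1.2 15000
2023-07-24T09:10:00 10.20.1.15 203.0.113.7 420000
2023-07-24T10:10:00 10.20.1.15 203.0.113.7 380000
2023-07-24T11:10:00 10.20.1.15 203.0.113.7 400000
2023-07-24T09:30:00 10.20.1.22 198.51.100.40 250000
2023-07-24T10:30:00 10.20.1.22 198.51.100.40 240000
2023-07-24T11:30:00 10.20.1.22 198.51.100.40 260000
2023-07-25T02:15:00 10.20.1.15 192.0.2.99 9800000000
2023-07-25T02:25:00 10.20.1.15 192.0.2.99 9100000000
2023-07-25T09:00:00 10.20.1.22 198.51.100.40 255000
"""

Flow = namedtuple("Flow", "ts src dst nbytes")


def parse_flows(text):
    """Parse whitespace-separated flow lines into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts),
                          ipaddress.ip_address(src),
                          ipaddress.ip_address(dst),
                          int(nbytes)))
    return flows


def is_internal(addr, nets):
    """True when the address falls inside any configured internal network."""
    return any(addr in net for net in nets)


def daily_outbound(flows, internal_nets):
    """Sum bytes per internal source host per calendar day, counting only
    traffic whose destination lies outside the internal networks."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f.src, internal_nets) and not is_internal(f.dst, internal_nets):
            totals[str(f.src)][f.ts.date()] += f.nbytes
    return totals


def flag_exfil(flows, internal_nets, ratio=10.0, min_bytes=1_000_000_000):
    """Return (host, day, total_bytes, baseline_bytes) for every host-day whose
    external outbound volume is at least min_bytes and at least `ratio` times
    the host's largest earlier daily total. A host with no earlier history is
    flagged on volume alone, since there is no baseline to compare against."""
    alerts = []
    for host, per_day in daily_outbound(flows, internal_nets).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            baseline = max((per_day[d] for d in days[:i]), default=0)
            total = per_day[day]
            if total < min_bytes:
                continue  # too little data to matter regardless of ratio
            if baseline == 0 or total >= ratio * baseline:
                alerts.append((host, day, total, baseline))
    return alerts


if __name__ == "__main__":
    for host, day, total, baseline in flag_exfil(parse_flows(SAMPLE_FLOWS), INTERNAL_NETS):
        print(f"{day} {host}: {total:,} bytes outbound (earlier daily max {baseline:,})")
```

On the constructed data the only alert is for 10.20.1.15 on 2023-07-25, where about 18.9 GB left the network against an earlier daily maximum of 1.2 MB; the second host's traffic stays flat and is never flagged. In a real deployment the baseline window, the internal ranges and the thresholds would come from the organization's own flow data rather than the values assumed here, and the 1 GB floor exists so that a host with a near-zero baseline is not flagged on a trivial increase.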
The fundamental threat posed by such attacks extends beyond operational disruption to the potential for identity fraud and financial scams. Callow advised parents within the St. Landry Parish school community to become extra vigilant regarding potential scams, urging them to be super careful, look out for spam and phishing attempts, monitor their financial accounts more closely, and accept any offer of credit monitoring services the school might provide in the future. This guidance underscores the real-world risks to individuals whose data may have been stolen in the attack, even if the district ultimately decides not to pay the ransom demand.
The decision of whether to pay a ransom is a complex one for any organization. Cybersecurity experts, including Callow, generally advise against paying. The payment provides no guarantee that the stolen data will be destroyed or that it will not be sold or leaked online at a later date. Criminals may fail to honor their promises, and the data can still be used to commit identity fraud even after a ransom is paid. Paying also fuels the criminal enterprise, incentivizing further attacks against other organizations. The most an organization can ever obtain is a promise from the criminals, which is often worthless. Therefore, the recommended course of action is to focus on recovery, investigation, and strengthening defenses rather than capitulating to financial demands.
The incident at St. Landry Parish Schools is a representative example of the persistent and evolving threat posed by ransomware groups to critical public sector entities, including educational institutions. These attacks disrupt the vital services provided by school districts, threaten the privacy of students and employees, and incur significant financial costs for response and recovery. The collaboration with state police indicates the seriousness with which the incident was being treated, as law enforcement agencies often become involved in investigating the origins of such attacks in an attempt to identify the perpetrators. The full impact of the data breach, including the specific types and volume of data exfiltrated, may not be fully understood for some time while the forensic investigation continues.
