EDEN — All it took was several downloads of a Microsoft Word document to completely shut down the computer network and internet structure at Rockingham County Schools, officials announced Wednesday.
During an emergency board meeting Wednesday, the school board voted 7-1 to approve a 12-month, $314,000 service contract with Atlanta-based ProLogic ITS, pending legal review.
The contract will staff 10 Level 3 and 4 engineers for a total of 1,200 onsite man-hours. The company will also provide virus mitigation services, including a plan of attack and onsite imaging for approximately 12 servers and 3,000 client systems.
Funding for the project will come from the school district’s unrestricted fund balance, which had approximately $5,000,000 in appropriated funds prior to the decision.
The cleanup is expected to take less than 30 days.
According to Chief Technology Officer Kacey Sensenich, the district was hit with the effects of an Emotet malware program – a Trojan that obtains financial information by injecting computer code into the networking stack of an infected computer. The malware then inserts itself into software modules, which are then able to steal address book data and perform denial-of-service attacks on other systems.
Emotet entered the schools’ computer systems on Dec. 11 through a phishing email that was opened; its Word attachment, entitled “INCORRECT INVOICE,” was downloaded on several different machines.
Three days later, the school’s administrative office began reporting that several machines lacked connectivity to the school’s network. The next day, user email accounts were compromised and several Google accounts were shut down at Western Rockingham Middle School and Bethany Elementary due to excessive spamming.
Technology officials at the district began working on the infrastructure at the administrative building on Dec. 15. Three days later, Emotet continued to spread back onto all cleaned machines.
The infection locked up the school’s infrastructure, making it unusable; however, student-used Chromebooks were not affected.
Approximately 20 physical and virtual servers will need to be rebuilt by hand.
Sensenich says current investigation and diagnostic work has led her team to believe that personal information has not been hacked.
“There is no concern when it comes to financial data in Rockingham County Schools,” said Sensenich. “That is all secure. None of that was compromised. The worst thing that we’ve had happen is it was able to grab people’s email and their login information and then re-spam out. We asked people to change their password. … As far as data, personnel records, all those horror stories you have, at this time we have no evidence of that [being compromised] and the security team is helping validate for us.”
Officials at this time do not believe the virus captured any confidential student information or personal information because that information is cloud-based. They plan to continue evaluating the possibility with ProLogic ITS technicians through the next 30 days to confirm information wasn’t stolen.
The school district has been completely disconnected from network or online services since last week. Once the attack was identified, staff was asked to bring every single device that belongs to the school back to school premises to prevent them from infecting home networks.
Sensenich told board members on Wednesday that the virus is not cleanable.
“Our domain controller no longer exists and it will be brand new when it is rebuilt,” said Sensenich. “This is a build fresh from the ground up. There is no removal tool for this strain of virus and the reason for that is because the virus has the ability to go dormant.”
Asked whether Sophos – the schools’ virus protection program – could provide relief from the virus, she added that the only way to be sure of eradicating it is to re-image and start from scratch. The software company’s website lists an overview of Emotet and how to properly clear the infection.
“At that point, there is nothing that the Sophos company can do for us,” Sensenich said. “They can continue to claim that their tool is cleaning it, but that is not necessarily accurate and we cannot afford to think we got it and then it returns.”
The school district intends to provide more information on the Emotet attack at a future press conference on Jan. 2, once school resumes from winter break.
An internal review of the wired and wireless rules and scheme will also be conducted.
According to Sensenich, teachers’ rights to install programs on their computers have been removed and no external drives will be allowed for use, with access to Google applications and unlimited storage available.
Without a full scope of the attack, law enforcement at the local, state and federal level have not yet been contacted to investigate the situation.
While the ProLogic ITS deal focuses on infrastructure, the board will also hear a recommended bid for the replacement of teacher devices at their next scheduled meeting on Jan. 8.
Sensenich couldn’t confirm how many laptops will be needed at this time but “drew a number out of the air” of 800 devices that could be potentially needed for certified staff. She added that a finite number will be determined at a later date.
As part of the agreement with ProLogic, up to 200 Dell Latitude Windows 10 devices will be provided as loaner systems to the district.
Board members question lack of bidding for service contract
Despite the approval of the contract, some questions did arise from board members who were curious as to why the board did not offer to take outside bids for the $314,000 project.
The approved contract was put together by 10:30 p.m. Tuesday night through assistance from Dell, who recommended the technology solutions company that will provide assistance in the malware cleanup.
The school system is a Dell-platform district and all school techs have been trained on the Dell platform.
Since it’s a service contract, the district has the ability to reach out for bids, but is not statutorily required to do so.
“That seems like a questionable issue in itself,” said board member Ron Price. “Because it’s a service contract we have unlimited amounts of money we can spend or approve? It seems like we should have a limit on the amount of money that we are spending and we should have some competition. I realize Dell has proposed these people and they worked up these numbers. Based on these hours, we are looking at $140 an hour.”
With logistics being an issue during the holidays, two board members joined the meeting by telephone. Ophelia Wright and Brent Huss were read the service of work contract prior to approval.
Huss, who was the lone “no” vote, said his only concern was that other companies were not given an opportunity to provide an estimate for school officials.
“We clearly gave at least one company enough time to come up with an estimate,” said Huss. “It just concerns me that we didn’t begin that process at the same time as the company we have an estimate from. That week we would have multiple estimates.”
Wright disagreed, stating that Dell knows the school system and “since they did bring this to us, they might have our interest at best.”
ProLogic ITS was on the ground at 7:30 a.m. Wednesday to diagnose the situation alongside school technology staff.
The technicians were on campus by early Thursday morning.
On Wednesday, all nine board members expressed their appreciation to RCS’ technology staff for their hard work.