After falling victim to a successful cyberattack, Judson Independent School District in Texas confirmed that it paid a $547,045.61 ransom to “protect sensitive, identifiable information from being published on the dark web.”
“While these are funds that we would have rather spent on the needs of our employees, students, and their families, there was no other choice for the district to ensure your safety – our number one priority,” the school district said in a statement.
The attack, which occurred on June 17, compromised the school district’s information technology systems and caused staff to lose access to email and phone systems for two days.
After discovering the attack, Judson school district said it immediately notified law enforcement and is continuing to work “around the clock” to provide staff, students, and families with information about how it addressed the situation, what it will do to protect individuals whose data was affected, and what staff and families should do to ensure their personal information remains safe, private and secure.
While Judson school district has insisted that paying the ransom was the right option, the decision to do so is controversial.
In May of this year, Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency, testified before Congress and stressed that the U.S. must work to disrupt the lucrative ransomware business model.
He argued that ransomware victims must stop paying ransoms to their attackers. The former CISA head reasoned that paying ransoms only validates the criminals’ business model, and amounts to “essentially making a capital contribution to the criminal, allowing them to hire more developers, more customer service, and upgrade delivery infrastructure. And, most worrisome, go on to the next victim.”
To that end, Krebs encouraged Congress to better fund Federal agencies so they can properly investigate, disrupt, and apprehend cybercriminals.
Last year, the Treasury Department asked organizations not to pay off malicious actors to terminate ransomware attacks without carefully considering possible national security threats – and said it may implement penalties for organizations that choose to pay ransom to their attackers.
In an October 2020 advisory, the Treasury Department cautioned that a payment could encourage illicit actors to continue launching attacks for profit. Paying a ransom also does not guarantee a victim will regain access to its information. Treasury continued, “Ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States.” Essentially, paying ransom to malicious actors could end up funding national security threats, the agency said.