An international group of hackers attacked a Florida school district, demanding up to $40 million in ransom to stop the release of personal student and teacher data, according to a report.
Hackers from the malware group Conti had a two-week negotiation with a representative from Broward County Public Schools over the steep demand, according to March 26 transcript cited by the South Florida Sun Sentinel.
The hackers told the district they had the personal data on March 12, five days after the district’s computers were temporarily shut down due to a cyberattack.
“The bad news is that we hacked your network and encrypted your servers, as well as downloaded more than 1 terabyte of your personal data,” the hacker wrote a district rep before saying it could be retrieved for $40 million.
“I am … speechless,” the person replied. “Surely this is a mistake? Are there extra zero’s in that number by mistake?”
The hacker replied that school records, however, indicated that the district has revenues of more than $4 billion, according to the report.
“So it is a possible amount for you,” the hacker wrote.
The ransom then dropped to $15 million if the district agreed to pay in bitcoin, prompting a district rep to say they didn’t have any cryptocurrency.
“We don’t have bitcoins!” the rep replied. “This is a school district … This is a weekend and we could not even pay you $10 today let alone millions when our bank is closed.”
The hackers finally lowered the ransom to $10 million, but the district rep still balked at that figure, saying only $500,000 would be put up for the info.
“We make no profits or anything like that,” the rep replied. “We have approval to offer $500,000, but the price ranges you started with are too far off for a taxpayer funded school.”
District officials said in a statement it has “no intention” of paying the steep ransom while not confirming nor deny the transcript’s authenticity.
“At this point in the investigation, we are not aware of any student or employee personal data that has been compromised as a result of this incident,” the statement read, adding that ongoing efforts were “progressing well” to restore its systems.
Security experts told the newspaper the chat appeared to be authentic.
“It doesn’t paint the Conti group in a great light, demanding money from a school district,” school cybersecurity expert Doug Levin said. “There’s certainly no honor among thieves targeting a school district.”
District officials did not respond to an inquiry on why the $500,000 figure was chosen, but that’s the maximum Broward Public Schools can pay without school board approval in a public meeting, the Sun Sentinel reported.
Parents had not been notified of the threat as of late Wednesday, according to the report.
Conti first emerged late last year and the ransomware scammers have been linked to nearly 300 attacks in the last five months, targeting local governments, hospital and school districts, a cybersecurity expert told the Sun Sentinel.
The group is among roughly 12 “big game hunter” crews that eye million-dollar ransoms, primarily operating out of Russia or nearby countries without extradition treaties to the US, the newspaper reported.