Cyberattack against Regina Public Schools likely ransomware

A ransom note displayed on some Regina Public Schools computers indicates a recent cyberattack was a ransomware attack.

'I think it's a serious breach. There's no doubt about it,' says expert

More details have emerged about the type of cyberattack that has targeted Regina Public Schools. (Matthew Howard/CBC)

New information has emerged about the recent cyberattack that targeted Regina Public Schools, forcing it to shut down all internet-based systems such as email and other education tools. 

CBC News has reviewed a copy of a note that has appeared on computers that were part of the school district's network. 

The note says it is from an organization called BlackCat/ALPHV, which experts say is well known for employing ransomware attacks.

The note alleges that 500 gigabytes of files belonging to Regina Public Schools have been encrypted and that the group now possesses copies of data ranging from tax reports and health information to passports and social insurance numbers.

"I think it's a serious breach. There's no doubt about it," said Alec Couros, a professor of educational technology and media at the University of Regina.

What is ransomware? 

David Shipley, a cybersecurity expert based in New Brunswick, told CBC News that ransomware is the No. 1 threat to organizations that operate in the digital world.

Ransomware is malicious software that encrypts data and allows the information to be held ransom. The person or group behind the attack then offers to reverse the encryption in exchange for cash or, more commonly these days, cryptocurrency. 

"It can also be used to cripple devices and make it just impossible to use the IT systems of a modern organization. It grinds any organization, whether it's a business, a hospital, a school, to a complete halt," Shipley said on Friday.

David Shipley is the CEO of Beauceron Security and a cybersecurity expert. (Jonathan Collicott/CBC)

Ransomware can make its way into an organization's systems in multiple ways, Shipley said.

That can include phishing emails that trick someone into providing access, unsecured remote access to the network or unpatched servers and systems.

Although the school division has said the attack began on Sunday, it has not stated how it began.

BlackCat/ALPHV is a criminal gang previously known as DarkSide, which famously shut down a U.S. pipeline last year.

The response to that cyberattack and the attention it drew has meant rebranding for the organization, which operates on a global scale.

"They've got a sophisticated business model, and they're brutal at what they do," said Shipley, who describes BlackCat/ALPHV as well-financed and well-resourced.

As of March, the FBI reported the organization had compromised at least 60 entities worldwide through ransomware attacks.

Fears from teachers

The cyberattack against Regina Public Schools has many teachers worried about what kind of data has been exposed, according to Patrick Maze, president of the Saskatchewan Teachers' Federation.

"There are some concerns around confidential material potentially being breached," said Maze. 

"We know that there's lots of student data that school divisions maintain and we know there's also, of course, personnel data … that would contain financial information and personal confidential information."

Patrick Maze says teachers have expressed concern over their information being exposed due to the cyberattack that targeted Regina Public Schools. (Bryan Eneas/CBC)

The impact on day-to-day teaching is hard to assess. Many of the online tools that teachers became reliant on over the course of the pandemic and remote learning are now gone.

The attack could not have come at a worse time. The school year is ending in Saskatchewan and that means grading is due soon. 

Online systems that store grades or allow teachers to record progress are not currently available. Even the program for attendance is offline, forcing teachers to go back to pen and paper.

"It's a difficult time for staff and we just hope that they're able to get through this and preserve as much student work and conduct final assessments as efficiently as possible," Maze said.

What happens now? 

Shipley said the school district did the right thing by immediately isolating and shutting down its online systems in an attempt to limit the scale of the attack.

The school division has limited options to get its data back, Shipley and Couros said. Shipley stressed that even if the ransom is paid, there is never a guarantee the data will be turned over.

Other options include rebuilding the entire network off of backups — something that the City of Saint John chose to do in 2020 instead of paying the ransom, estimated to be between $17 million and $20 million worth of Bitcoin.

Shipley said the timeline for rebuilding networks from backups can be weeks or months. Couros said criminal organizations can set long-term deadlines or threaten to delete or leak the information on a short deadline. 

"That puts a lot of pressure to act quickly, especially if it is a credible threat, and it makes it very difficult to find out exactly what's been taken, because you may not know the full extent of the penetration into your systems," said Couros. 

Only Regina Public Schools and the cybersecurity experts they have brought in to assist know what solution they've chosen and what timeline they've been given by the criminal organization.

Multiple requests for comment left with Regina Public Schools throughout this week have not been returned.

ABOUT THE AUTHOR

Alexander Quon is a reporter with CBC Saskatchewan based in Regina. After working in Atlantic Canada for four years he's happy to be back in his home province. He has previously worked with the CBC News investigative unit in Nova Scotia and Global News in Halifax. Alexander specializes in data-reporting, COVID-19 and municipal political coverage. He can be reached at: Alexander.Quon@cbc.ca.

With files from Jessie Anton and Karissa Donkin
