Conti Gang Demands $40M Ransom from Florida School District | Threatpost

The Conti Gang has demanded a $40 million ransom from a Fort Lauderdale, Fla., school district after a ransomware attack last month. Attackers stole personal information from students and teachers, disrupted the district’s networks, and caused some services to be unavailable.

The incident that was discovered on March 7 at Broward County Public Schools drew limited attention at the time of attack. However, new details have emerged on DataBreaches.net, which recently posted a screenshot of a chat between attackers and a school district official about the sum of money attackers demanded. That has shed new light on the incident, given the exorbitant nature of the ransom demands.

During the conversation, attackers — who claim to be from the “ContiLocker Team” — informed the official that they had not only encrypted files, but also had downloaded “more than 1 terabyte of personal data, including financial, contracts, database and other documents” containing Social Security numbers and other personal information about teachers and students.


To decrypt the files and prevent attackers from publishing the info online, the group demanded a ransom of $40 million. They told the official that their research revealed that the school district had revenues of $4 billion, justifying their demand.

To no surprise, the Broward County official responded with confusion and shock. “You cannot possibly think we have anything close to this!” the official said, according to the screenshot.

For its part, the district does not plan to pay up, it said.

“[Broward County Public Schools] is continuing to work with cybersecurity experts to investigate the incident and remediate affected systems,” the district told Threatpost in a statement. “Efforts to restore all systems are underway and progressing well. We have no intention of paying a ransom.”

Difficult Education Sector Economics

To be fair, Broward County Public Schools, with 271,000 students, is the nation’s sixth-largest school district and does have an annual budget of about $4 billion. However, the ransom demand still shows that “this particular threat actor group is woefully underinformed,” said one security expert.

Even with that kind of revenue, a public school district still would not have the kind of capital on hand to pay so much money to hackers, Chloé Messdaghi, founder of global ethical hacker community WeAreHackerz, said in an email to Threatpost.

“U.S. school districts may appear to some have large budgets, but almost all of those budgets are committed to ongoing expenses that are deeply and contractually committed,” she explained. “There’s little to no discretionary budget, and even core resources are underfunded.”

Indeed, though ransomware groups often ask for ransoms in the millions, the amount demanded from the school district is extremely high, even for the Conti Gang. In November, for instance, the group attacked chip manufacturer Advantech, demanding the bitcoin equivalent of $14 million from the company, which reported more than $51 billion in revenue for the fiscal year 2020.

The unrealistic demand also demonstrates that the threat actors behind Conti Gang are clearly not from the United States, or they would probably know how the finances of public school systems work, Messdaghi said.

Asking for such a large sum from the district also shows “the worst of criminal intent — especially at a time when schools are struggling to sustain education in the midst of the pandemic, while taking on the added missions of reaching those kids suffering from food insecurity and unsafe home lives,” she said.

Student Data Not Impacted

Upon discovering the “service disruption, which impacted the availability of certain systems” on March 7, Broward County Public Schools immediately began to investigate with the help of a cybersecurity firm, according to a post on its website.

Officials did originally offer to pay $500,000 to attackers, according to a published report. Upon this offer, the Conti Gang ended negotiations, according to the report.

Officials told Threatpost that they were not aware of any student or employee personal data that was compromised in the incident, but would make the necessary disclosures if this turned out to be the case.

“At this point in the investigation, we are not aware of any student or employee personal data that has been compromised as a result of this incident,” the district told Threatpost. “If the investigation uncovers any compromised personal data, the District will provide appropriate notification to those affected. No additional information is being shared to protect the integrity of the ongoing investigation.”

The school district is continuing to determine the scope of the incident as well as to restore its systems to complete functionality while law enforcement investigates the attack.

Education Under Increasing Ransomware Attack

Educational institutions are among the public entities that have fallen victim to an epidemic of attacks by ransomware gangs in the last year. Last September, a ransomware attack on California’s Newhall School District in Valencia affected all distance learning across 10 different grade schools. That same month, the Clark County School District, which includes Las Vegas, was crippled by a ransomware attack by the Maze gang; data stolen from that attack turned up on an underground forum later that month.

Meanwhile, last summer alone, four different universities fell victim to the NetWalker ransomware gang, according to tallies from Avira: The University of Utah (which paid almost half a million dollars); Columbia College in Chicago (ransom status unknown); Michigan State University (no ransom paid); and the University of California San Francisco (which paid $1.14 million).

“Ransomware groups are continuing with the trend of data theft in addition to encryption,” Eddy Bobritsky, CEO at Minerva Labs, said via email. “Devious ransomware operators understand that they can gain an edge in ransom negotiation by threatening not only to lock corporate data, but to leak it as well. Virtually all big ransomware groups have started leak sites where stolen data is published and unpaying victims are shamed.”

He added, “This is just another case demonstrating the major problem of Ransomware attacks that are increasing more and more. It doesn’t matter if you are public school, a contractor dealing with sensitive military data, or a small business with personal client data, they are all targets for this kind of attacks.”

This article was updated at 3:30 p.m. ET with statements from Broward County Public Schools.

Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a FREE Threatpost event, “Underground Markets: A Tour of the Dark Economy.” Experts will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. Register here for the Wed., April 21 LIVE event.