In April, Illinois Valley Community College’s servers shut down. It happened soon after COVID-19 closed down the campus and shifted classes online. Hackers locked the college out of its own networks. That caused its website and email system to crash.
In the directory where files should be, the hackers left a message demanding cash for ransom.
“They didn't give any specifics. They just basically said, ‘We encrypted your stuff. If you want it back, email us at this address,’” said IVCC Director of Technology Services Chris Dunlap.
The college’s administrators decided not to respond to the message. Instead, Dunlap said, they hired outside consultants who unlocked their servers before online classes could be disrupted.
“We were able to recover most of our data and our major servers that contained all the student information and course registration and that kind of stuff.”
In the months since the ransomware incident, IVCC has had to rebuild and reinforce its security systems. The college invested in backup strategies for its servers. And IVCC President Jerry Corcoran said the school is still working with consultants on forensic analysis.
“I think the safe answer is there isn't anything that's 100% conclusive at this point -- only that somebody was able on the outside to gain entrance into the system,” said Corcoran. “But there isn't anything we could say with 100% certainty as to what data ended up being extracted.”
Following the initial attack, IVCC issued a press release and sent messages to its staff with security tips. Those included information on how to place fraud alerts and security freezes on a credit file, while stating the school had “no evidence any data had been misused.”
Fast forward to this month. Brett Callow reached out to WNIJ after seeing an article about the initial attack. He’s a threat analyst at Emsisoft, a cybersecurity solutions company that makes anti-malware & anti-virus software.
Callow said Illinois Valley’s data did leak online. That includes, he said, “bank records, budget calculations, scanned documents and photos of its employees.”
“It's actually extremely difficult to tell what happened during these incidents. Systems are obviously totally scrambled, or criminals may have taken steps to obscure what actions they actually took,” said Callow. “It’s like walking into your house that’s been trashed by burglars and trying to work out what exactly was stolen. That's far from easy.”
Sibin Mohan is a research professor in the computer science department at the University of Illinois Urbana-Champaign. He researches security: not so much how to prevent attacks, but how to mitigate damage.
He said it’s hard to say why exactly the cybercriminals held on to the data for so long before leaking it.
“It could just be they may have been analyzing these records for the last few months trying to hack somebody else whose name is there or try to get some money from other people,” said Mohan.
Since they didn’t receive their ransom, the attackers could also just want to be as disruptive as possible by making the data available.
But why Illinois Valley Community College? Gang Wang is a professor of computer science at the University of Illinois Urbana-Champaign. His research focuses on data mining, security and privacy. He said schools are easy targets. And hackers are looking for two things: sensitive data and organizations that may not be as well protected.
“That sort of combination usually goes to local hospitals or local universities where there's an enormous amount of valuable data, but their security protection might not be up to the game compared to large companies,” said Wang.
Researcher Sibin Mohan said it’s also important for the college to assume that there’s more data leaked than what was just published.
“Bank records are quite telling in the sense that they can tell you what the transactions are, who you're transacting with. And depending on how you use that information, you might be able to hack other people's records,” said Mohan.
He said any data dump is bad, but there could be a small silver lining. Now their forensics specialists have a better idea of exactly what data was taken and who to contact.
Educational institutions are an increasingly common target of ransomware attacks. According to Emsisoft, at least 89 colleges and universities were affected in 2019. And, by June of 2020, at least 30 were attacked.
The University of California at San Francisco recently paid over $1 million in ransom in exchange for the school’s confidential information.
Mohan said for smaller schools like IVCC, it’s still a big problem because they deal with so many people, vendors, contractors and other businesses.
“Unfortunately, they have to do a serious overhaul with everything, everybody they work with. They have to warn everybody because you could have potentially been compromised,” he said. “It’s a lot of legwork, unfortunately, but it has to be done.”
The college is still holding many of its classes online. But the IVCC faculty union recently said at a board meeting that the school still doesn’t have an academic events calendar or online course catalog.
Illinois Valley’s IT director Chris Dunlap said that also has to do with the lingering effects of the ransomware.
The faculty union’s president wonders how many students gave up when they couldn’t find a list of current classes. It’s yet another possible ripple effect of the attack.