ATHENS, Texas — One day after voting to pay a ransom to recover data stolen in a cyber attack, Athens ISD said Friday most of the data was recovered. The district also said it did not pay any of the ransom money.
The district became aware of the attack on Tuesday. The criminals ordered the district to pay $50,000 to recover the encrypted data. Though the district voted to pay the ransom, which they negotiated to $25,000, the district's IT department, aided by cyber response teams, found a backup that was not compromised by the attack.
“It felt incredible,” reports AISD Technology Director Tony Brooks, who has worked nearly round the clock since discovering the attack. “The Skyward database is the most important one we have.”
“Though the payment was approved, we never stopped trying to find a solution,” said AISD Superintendent Dr. Janie Sims. “The board deserves credit for recognizing how dire the loss of data would have been to our district, requiring months to rebuild, delaying the school year significantly, and ultimately costing us much more than the ransom amount.”
Skyward is back online for student registration. The school still plans to begin classes on Aug. 10.
The district is putting in protocols to prevent further attacks. The district said all employees must wipe their hard drives and reinstall their software.
“We’ve built a new domain controller and recovered Skyward, but we have a lot of work left to do,” Brooks said. “Everything will be brand new when we’re done. We have to make sure all the data is clean. We won’t be able to recover data from employees’ individual computers. We’ll have to go to every computer in the district and install new hard drives.”
Athens ISD said there is no evidence that data was removed by the criminals and no one's personal information was taken.
“Mr. Brooks deserves a massive amount of credit for his efforts and professionalism,” said Sims. “He worked tirelessly. And we’re also grateful for the ongoing assistance from the Region 10 Educational Service Center, Fortinet, and the Center for Internet Security.”
The virus that compromised the district's server, identified as COVID4YOU, originated overseas and appears to be new.