FinalSite Disrupted by Ransomware – Attack Shuts Down Thousands of School Websites
FinalSite, a leading school website services provider, has suffered a ransomware attack disrupting access to websites for thousands of schools worldwide.
FinalSite is a software as a service (SaaS) provider that offers website design, hosting, and content management solutions for K-12 school districts and universities. FinalSite claims to provide solutions for over 8,000 schools and universities across 115 different countries.
On Tuesday, school districts that hosted their websites with FinalSite found that they were no longer reachable or were displaying errors.
At the time, FinalSite did not disclose that they had suffered an attack but simply said that they were experiencing error and “performance issues” across various services, affecting mostly their Composer content management system.
“This impact may include, but is not limited to, Groups Manager, Constituent Manager, Login, Forms Manager (old), Registration Manager, Directory Elements, Athletics Manager, Calendar Manager,” reads the FinalSite status page.
A school IT administrator told BleepingComputer that FinalSite did not provide them with a time frame as to when services would be restored and were forced to send emails to parents alerting them of the outage.
“Our website is currently down due to an issue that our service provider is experiencing. We apologize for any inconvenience this may cause you,” read an example outage email shared with BleepingComputer.
In addition to the website outages, a system administrator shared on Reddit that the attack prevented schools from sending closure notifications due to weather or COVID-19.
“Many districts are complaining that they are unable to use their emergency notification system to warn their communities about closures due to weather or COVID-19 protocol,” explained the Reddit post.
Outages caused by a ransomware attack
After three days of disruption, FinalSite confirmed today that a ransomware attack on their network is causing the outages.
“We are incredibly sorry for this prolonged outage and fully realize the stress it is causing your organizations. While we have made progress overnight to get all websites up and running, full restoration has taken us longer than anticipated,” FinalSite apologized in a status update today.
“The Finalsite security team monitors our network systems 24 hours a day, seven days a week. On Tuesday, January 4, our team identified the presence of ransomware on certain systems in our environment.”
“We immediately took steps to secure our systems and to contain the activity. We quickly launched an investigation into the event with the assistance of third-party forensic specialists, and began proactively taking certain systems offline.”
However, in a template created by FinalSite that schools can send to parents, there is no mention of the ransomware attack, and just that FinalSite is experiencing a “disruption of certain computer systems on its network.”
Morgan Delack, the Director of Communications for FinalSite, told BleepingComputer that they proactively shut down their IT systems to prevent the spread of the attack, which led to approximately 5,000 school websites going offline.
“It’s important to note that the malware did not shut down our systems – we proactively did so immediately upon learning of what happened in order to protect and secure our data. In doing so, we took approximately 5,000 school websites offline in order to rebuild them in a new, safe environment,” Delack shared in a statement.
While Delack could not share the name of the ransomware operation due to ongoing investigations, BleepingComputer was told that there is no evidence of data being compromised, and they are continuing to investigate with a third-party cybersecurity firm.
As most enterprise-targeting ransomware operations steal data before encrypting, we will likely learn in the future if data was accessed in a future update.
Education is a popular target
School districts and universities have become a popular target for ransomware operations over the years.
This is especially true for K-12 school districts with very limited funding and thus tend to have smaller support teams and less security infrastructure to detect imminent attacks.
“While school districts may not be flush with cash, the fact is that many carry cyber insurance and so can afford to pay demands – and that puts them in the crosshairs”, Emsisoft threat analyst Brett Callow told BleepingComputer.
“Last year, 87 incidents disrupted learning at as many as 1,043 individual schools. In 2020, 84 incidents disrupted learning at 1,681 schools. The fact that the average size of the impacted districts has decreased could indicate a correlation between budget size and (in)security level.”
“The bigger the district, the bigger the security budget and the better the security that’s in place.”