A school district in North Carolina intends to spend $314,000 on rebuilding more than a dozen servers affected by a malware attack. On 27 December 2017, the board for Rockingham County School District held an emergency meeting and voted 7-1 to approve a 12-month, $314,000 service contract with Georgia-based technology solutions provider ProLogic ITS. The contract, which is currently pending review, will give 10 Level 3 and 4 engineers at ProLogic the necessary funding to rebuild 20 servers after the school district suffered a malware attack. It will also cover virus mitigation services offered by the provider, including on-site imaging for 12 servers and 3,000 client systems. Greensboro News & Record reports that the monies, which will come out of the school's unrestricted fund balance of approximately $5 million, will cover a total of 1,200 onsite repair hours. It's estimated the cleanup won't take longer than a month. According to WMFY, the malware infection occurred on 11 December 2017 when employees at Bethany Elementary, Western Rockingham Middle School, and the district's Central Office opened an "incorrect invoice" email that appeared to come from Rockingham County School District's antivirus provider. The emailed used that lure to trick the employees to click on a Microsoft Word document containing Emotet, a trojan which injects itself into the networking stack and software modules of an infected machine. From those locations, the malware can steal financial and personal information, perform distributed denial-of-service (DDoS) attacks on other systems, and distribute additional banking trojans. Tech Scout's Kent Meeker is familiar with Emotet and says the malware is difficult to remove from an infected server. As he told WMFY in a separate article:
So if you click on something that you shouldn't or didn't know about it can immediately load that onto your system, and if you don't have the right virus protection, or malware protection, it will get right through and just kind of live on the machine. It may lay dormant for a while before it activates itself, and starts doing crazy stuff. This seems like something that probably, hopefully should have been caught and now this is the repercussions of that. They are going to have to go in and rebuild all of these machines, all of these servers to get rid of it because once it is embedded in the system, it is really rough getting it out. Now, I think they are just doing everything they can to get rid of it. It is not a small deal, but it is rectifiable. It always is.
Three days after the infection occurred, the school's administrative office received reports of machines not being able to connect to the school's network. This prompted officials on 19 December to order that teachers and staff leave their computers behind during the winter break. The school district then worked to try to clean up the virus over the holidays. Rockingham County School District's administration has said the malware attack didn't expose any data. https://twitter.com/EricaReportsAll/status/948255757216239616 Kacey Sensenich, CTO at the district, rearticulated those thoughts for Greensboro News & Record:
There is no concern when it comes to financial data in Rockingham County Schools. That is all secure. None of that was compromised. The worst thing that we've had happen is it was able to grab people's email and their login information and then re-spam out. We asked people to change their password. …As far as data, personnel records, all those horror stories you have, at this time we have no evidence of that [being compromised] and the security team is helping validate for us.
The $314,000 contract will cover the costs of rebuilding 20 of the school district's severs. Even so, Rockingham will need to also pay for the replacement of teacher devices affected by the malware. Superintendent Dr. Rodney Shotwell says that amount could be as much as $834,000. News of this attack follows several months after ransomware attackers demanded $19,000 from a California school district for a decryption key that would unlock its encrypted data.