A leading international website services provider, FinalSite, recently suffered a dedicated ransomware attack. The malicious strike has resulted in disrupted access to thousands of school websites across the globe.

A software as a service (SaaS) company, FinalSite provides web hosting, website design, and content management systems for universities and school districts. According to the provider, it now offers its services to more than 8,000 universities and schools in over 115 countries.

Identifying an incident

The first indication of an issue came when school districts hosting their websites through FinalSite discovered that they could no longer reach their online platforms, which were showing error messages.

At first, FinalSite gave no indication that it had been attacked. Instead, it commented that it was experiencing performance issues and errors across multiple services, but mainly in its content management system called “Composer”.

A status page on FinalSite’s website stated:

“This impact may include, but is not limited to, Groups Manager, Constituent Manager, Login, Forms Manager (old), Registration Manager, Directory Elements, Athletics Manager, Calendar Manager.”

IT administrators were unable to obtain a fixed time frame from FinalSite for when services might be restored, and took it upon themselves to contact parents via email, explaining the outage and apologising.

Impact of an attack

Service disruption continued for three days, after which FinalSite stated that it had been the victim of a ransomware attack and that this was the cause of the outages.

The school website service provider apologised:

“We are incredibly sorry for this prolonged outage and fully realize the stress it is causing your organisations. While we have made progress overnight to get all websites up and running, full restoration has taken us longer than anticipated.”

It stated that its security team, which monitors the FinalSite network around the clock, first identified ransomware present on the systems on January 4, adding:

“We immediately took steps to secure our systems and to contain the activity. We quickly launched an investigation into the event with the assistance of third-party forensic specialists and began proactively taking certain systems offline.”

Ransomware gangs are increasingly focused on attacking enterprises and authorities within the educational sector, and service providers are an even more attractive prospect for threat operators. Thriving on causing chaos, cybercriminals exploit the fact that educational services must keep being supplied, using disruptions as leverage against their victims. In the case of ransomware, this means forcing them into paying demanded sums in return for the release of vital systems and data.

Brett Callow, leading threat analyst for Emsisoft, recently commented that in 2021, 87 incidents were recorded aimed at disrupting learning at approximately 1,043 different schools. He stated that although school districts do not necessarily possess an abundance of financial resources, many have cyber insurance that enables them to pay demands when attacked. Having this cover in place can make them suitable targets for threat operators looking for victims who can pay.

It is not yet known what data may have been stolen during the recent ransomware attack or who the operators behind it were.
