Over the weekend, Fairfax, Va. County Public Schools, the 10th largest school district in the country, was hit by Maze ransomware, resulting in an apparent leak of student and faculty data, just days after previous attacks on these two other school systems.

According to the Fairfax County Public Schools, the cyberattack did not disrupt the distance learning program during the first week of school. The schools continue to work with the FBI and cybersecurity consultants to investigate the nature, scope and extent of any possible data compromise. 

If it is determined in the course of the investigation that personal information has been compromised, the Fairfax County Public Schools will take steps to notify affected individuals as appropriate, says the district. 

InfoSecurity Magazine reports that the hacking group Maze claimed to have carried out the ransomware attack: "As proof of the attack, the threat actors have uploaded a zip file of data they claim was exfiltrated from the school system. At time of publication, Maze had published just 2% of the data they claim to have swiped from Fairfax County Public Schools." 

Maze, previously known in the community as “ChaCha ransomware”, was discovered on May the 29th 2019 by Jerome Segura[1, McAfee telemetry says. The main goal of the ransomware is to crypt all files that it can in an infected system and then demand a ransom to recover the files. However, the most important characteristic of Maze is the threat that the malware authors give to the victims that, if they do not pay, they will release the information on the Internet[2]. This is a behavior increasingly observed in new ransomware[3], such as Sodinokibi, Nemty, Clop and others.

Chester Wisniewski, Principal Research Scientist at Sophos, believes that this string of attacks can be linked to a new trend from ransomware gangs in which they amplify their efforts by attempting to apply more pressure on their victims when they are most vulnerable such as a school district resuming classes under a plethora of new protocols.

"With the news that Fairfax County public schools in Virginia were hit with ransomware in the first week of the new school year, a series of unfortunate incidents is no longer random, but appears to be a pattern. First, we heard a similar tale from Hartford, Connecticut followed by Toledo, Ohio around the same time as Fairfax," says Wisniewski. "Twice might be a coincidence, but I fear we are seeing a new trend in ransomware gangs sharpening their tools to attempt to apply more pressure on their victims. Over the past 12 months we have seen continued advancement in both technical and social techniques to extract a pound of flesh from victims and striking at the worst possible time appears to be the latest in their bag of tricks. Hitting schools at the start of the school year certainly applies additional pressure to get back online, and we may see similar targeting around high pressure times such as election day or the upcoming Christmas shopping holidays."

"Of course, Hartford steadfastly refused to negotiate or even ask what the ransom amount was and went about their business of recovering their systems. Let's hope we hear the same from Ohio and Virginia. The crooks aren't the only ones who can be trendsetters, we can too. By not giving in to their extortion demands we can put an end to this whole 7 year saga," concludes Wisniewski.