Baltimore gets hit by ransomware again, the schools this time

Baltimore gets hit by ransomware again, the schools this time

All Baltimore County Public Schools closed Wednesday after the school system was hit with a ransomware attack, according to officials.

Baltimore County Public Schools superintended Dr. Darryl Williams stated:

“This morning, we decided to close all BCPS schools and offices in order to access and limit the impact of the attack.”

For those unfamiliar with the Baltimore City Schools organization, the attack affected some 175 schools, programs, and centers, over 115,000 students, and over 18,000 employees.

In May of last year a RobbinHood ransomware attack paralyzed Baltimore’s City government, shutting down online systems for paying water bills and other services.

Measures taken by Baltimore City Schools

Since the attack also took down the official website, management is providing updates over social media channels.

Via their Twitter account, Baltimore County Public Schools announced the schools and offices to be closed on Wednesday, November 25. Later they added Monday, November 30, and Tuesday, December 1, to focus on identifying and addressing student and staff device needs so that instruction can continue.

On their Facebook account they urged people not to log into BCPS devices or systems at this time. They also reassured the public that they are doing their best to address the ransomware attack. Local, state, and federal law enforcement agencies are investigating.

Also via Twitter they asked students learning virtually on Wednesday to only use City Schools-issued laptops or devices. Those without those issued devices were granted an excused absence. BCPS-issued Chromebooks were not impacted by the cyberattack.

The Teachers Association of Baltimore County is telling parents to leave computers off and not turn it on until they hear back from BCPS.

Superintendent Darryl Williams said there is no timeline for when school will resume. According to school officials, the network issue has affected the district’s website, email system and grading system. Until the problem is resolved, students will be unable to attend school.


The county police have been in contact with the FBI Baltimore field office. Baltimore County Police Chief Melissa Hyatt declined to provide any specifics of the criminal probe, since they still are in the preliminary steps of that investigation.

Hyatt did not reveal whether the authorities have communicated with the hackers and the school system said it has had no direct or indirect contact with the hackers.

While it is important to investigate ransomware attacks, most of these investigations may not lead to the apprehension of the attackers. They could, however, reveal how the attackers got in and whether they left any backdoors for future use behind.

Ransomware and education

The educational system and many of its elements are targets for cybercriminals on a regular basis. While education is a fundamental human right recognized by the United Nations, the financial means of many schools and other entities in the global educational system are often limited.

You’d think there are more profitable targets for cybercriminals than education. Technology and finance, for example, have exponentially bigger budgets that could be tapped into via large ransom demands. But cybercriminals are opportunistic: If they see an easy target ripe with valuable data, they’re going to take advantage. Why spend the money and time developing custom code for sophisticated attack vectors when they can practically walk through an open door onto school networks?

With some ransomware gangs now creating extra leverage by threatening to publish exfiltrated data, criminals may well see schools as an easy target—expecting them to pay the ransom through fear of finding students’ and teachers’ personally identifiable information (PII) published online.

The timing for an attack to take out the network information systems, could not have been worse while the school system continues to operate online only, with all in-person classes delayed, as a result of the coronavirus pandemic. Possibly these circumstances could have provided the way in for the attackers. Hopefully the investigation will reveal how it happened.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.