PowerSchool's Ransom Aftermath: A Deeper Look at the Follow-Up Extortion Attempts
A recent letter from PowerSchool to its customers highlights the complex aftermath of their December 2024 cybersecurity incident - some districts are now facing direct extortion attempts from a threat actor, linked to the attack on PowerSchool in December.
The letter acknowledges the inherent risk in paying a ransom: that the malicious actors might not delete the stolen data as promised. This risk appears to have materialized for some customers now facing direct extortion attempts. While PowerSchool states they do not believe this is a "new incident," the emergence of direct extortion attempts targeting customers is a significant and concerning development.
The nuance of “a threat actor” vs. “the threat actor”
One particularly interesting aspect of the letter is the phrasing used to describe the party now attempting extortion. PowerSchool refers to "a threat actor" rather than "the threat actor". Why is this specific wording so important? There could be several strategic reasons for referring to "a" threat actor, each with different implications for the security of student and parent data. PowerSchool says this is not a new incident, and there seems to be enough evidence to point to a connection to the December incident; however, there are still three possible scenarios.
Scenario 1: Data Sale/Transfer
One possibility is that the data stolen in the original breach was sold or transferred to a different threat actor. This is unfortunately common, with stolen data often appearing for sale on dark web forums and marketplaces. While the extortion letters were signed by a known threat actor, the identity of the original group who attacked PowerSchool is still not publicly known. If the stolen data has indeed changed hands, it could represent a worst-case scenario, as it suggests that multiple copies of the sensitive information now exist, increasing the risk of repeated or widespread misuse.
Scenario 2: Opportunistic Actors
It's possible that a completely separate threat actor, aware of the PowerSchool breach and the potential for leaked data, is simply attempting to take advantage of the situation by contacting customers and claiming to possess their data. While PowerSchool’s letter seems to suggest a direct link to the December incident, it's conceivable that an opportunistic actor could use publicly available information about the breach and potentially even sample data from other unrelated breaches to craft convincing-looking extortion attempts. PowerSchool’s statement seems to point away from this, unfortunately, as it would arguably be the "best case scenario" for data security.
Scenario 3: Double Extortion
A final scenario is that the same threat actor who originally extorted PowerSchool did not delete the data as promised and is now directly extorting the affected districts. Many people criticized PowerSchool for paying the ransom in December as there are no guarantees when dealing with a cyber criminal - as some would say, their word is as sound as their morals. Any organization in that type of situation faces a difficult decision when asked to pay a ransom and this incident could demonstrate why security experts typically recommend that organizations & companies resist the temptation to pay a ransom.
What’s next?
Regardless of which scenario is playing out, the situation remains uncertain and challenging for both PowerSchool and the affected school districts. PowerSchool's careful phrasing using 'a threat actor' is likely a deliberate choice. It allows them to avoid making a definitive statement about the identity or direct connection of the current extortionist to the original breach group. This distinction could be crucial in potential future legal proceedings where the impact of the initial attack will be a key discussion. Additionally, PowerSchool's confirmation that this activity stems from the original attack helps control the narrative, preventing speculation about a completely separate, new breach that would be far more damaging to their reputation.
In the murky world of cyber crime, tracking the exact flow of stolen data and identifying the parties involved is important. Each scenario will create a different path, whose outcomes mean very different things for the victims of this unfortunate incident. PowerSchool is likely being careful not to make definitive claims they cannot absolutely verify, underscoring the complexities of these investigations. This also demonstrates how cyber attack recovery is a delicate balance of information and communication, emphasizing the need for careful coordination between security & communication teams.
If you’d like to learn more about this incident, I recommend listening to our interview with Mishka McCowan, Chief Information Security Officer at PowerSchool about his firsthand experience.
Tips for School Districts Receiving Threat Actor Outreach
For school districts contacted by a threat actor claiming to possess breached data, a calm and strategic response is essential. Here are a few key tips:
Do Not Engage Directly: Avoid negotiating or communicating extensively with the threat actor. Any communication should be carefully considered and ideally guided by legal counsel and cybersecurity experts.
Preserve All Evidence: Do not delete any emails, messages, or files received from the threat actor. Document the date, time, and content of all communications.
Notify Relevant Parties Immediately: Inform your internal IT department, legal counsel, and leadership team. If the data is related to a vendor breach (like the PowerSchool incident), notify the vendor as well.
Contact Law Enforcement and Relevant Authorities: Report the incident to federal law enforcement (like the FBI in the US) and any relevant state or local authorities responsible for cybersecurity or data privacy.
Consult with Cybersecurity Professionals: Engage with experienced cybersecurity firms who specialize in incident response and extortion cases. They can help assess the validity of the threat, analyze the data (if any is provided), and guide your response strategy.
Review and Strengthen Security Measures: Regardless of the outcome of the extortion attempt, use this as an opportunity to review and enhance your district's cybersecurity posture, including access controls, data encryption, and employee training.
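As an added example (not code from the original article or from PowerSchool), the "Preserve All Evidence" step above can be made repeatable: the script below computes an integrity hash over each message received from the threat actor as raw bytes, pulls out the headers that investigators and law enforcement will ask for (sender, Message-ID, sent time, Received chain), and appends a chain-of-custody record to a log. The sample email, addresses and names are constructed placeholders.

```python
import email
import hashlib
import json
from datetime import datetime, timezone
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample, standing in for a message a district received.
SAMPLE_EML = b"""From: sender@example.invalid
To: it-director@district.example
Subject: Regarding your student records
Date: Mon, 05 May 2025 14:02:11 +0000
Message-ID: <constructed-0001@example.invalid>
Content-Type: text/plain; charset="utf-8"

We have obtained records belonging to your district.
"""


def preserve_message(raw: bytes, received_by: str) -> dict:
    """Build a chain-of-custody record for one received message.
    The raw bytes must be stored unchanged alongside this record;
    the SHA-256 lets anyone later confirm the stored copy is intact."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    date_hdr = msg.get("Date")
    body = msg.get_body(preferencelist=("plain",))
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),
        "size_bytes": len(raw),
        "from": str(msg.get("From", "")),
        "to": str(msg.get("To", "")),
        "subject": str(msg.get("Subject", "")),
        "message_id": str(msg.get("Message-ID", "")),
        "sent_at": parsedate_to_datetime(str(date_hdr)).isoformat() if date_hdr else None,
        # Received headers record the delivery path; keep all of them in order.
        "received_headers": [str(h) for h in msg.get_all("Received", [])],
        "body_excerpt": (body.get_content() if body else "")[:200],
        "received_by": received_by,  # who logged it (constructed value in the test)
        "recorded_at": datetime.now(timezone.utc).isoformat(),
    }


def append_record(record: dict, log_path: str) -> None:
    """Append one record as a JSON line; never rewrite earlier entries."""
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")


def verify_record(raw: bytes, record: dict) -> bool:
    """Confirm the preserved bytes still match the logged hash."""
    return hashlib.sha256(raw).hexdigest() == record["sha256"]
```

Keep the original .eml files read-only and hand both the files and the log to counsel and law enforcement; the log alone is not evidence without the untouched bytes it describes.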
Responding effectively to such threats requires a coordinated effort involving internal teams, external experts, and law enforcement. Prioritizing preservation of evidence and seeking expert guidance are crucial first steps.