Finalsite ransomware attack forces 5,000 school websites offline

Finalsite, an internet software house that provides school districts with website design, hosting, and content management solutions, has been hit by a ransomware attack.

Earlier this week, school districts whose websites are hosted by Finalsite discovered that they were no longer accessible or displayed errors. While at the time Finalsite blamed the issues on “performance difficulties” across different services, the Glastonbury, Conn.-based company has since confirmed the outage was caused by ransomware.

“On Tuesday, January 4, our team identified the presence of ransomware on certain systems in our environment,” the company said in a statement. “We immediately took steps to secure our systems and to contain the activity. We quickly launched an investigation into the event with the assistance of third-party forensic specialists, and began proactively taking certain systems offline.”

Finalsite spokesperson Morgan Delack told TechCrunch that 5,000 of its total 8,000 global customers — including school districts in Kansas City, Illinois, and Missouri — are affected by the incident. In addition to website outages, one Reddit user claimed the incident also prevented some schools from sending email notifications about school closures due to COVID-19 outbreaks.

In its latest status update, FinalSite says the “vast majority of front-facing websites are online,” though notes that “some sites may still lack proper styling, admin log-in functionality, calendar events, or constituent directories.” One Finalsite customer, the Holy Ghost Preparatory School in Pennsylvania, said on Friday that while its website is back online, registration forms and our email system remain unavailable.

The Finalsite spokesperson said the company took its customers’ sites offline upon noticing a problem and rebuilt its system in a clean environment from the ground up. “That is why it is taking time to get everyone back online,” she said. “The malware issue is not what caused sites to go down — we took them down to protect our client’s data.”

It remains unclear how attackers gained access to Finalist’s systems, and it’s not yet known what type of ransomware was used in the attack. The company tells TechCrunch that it continues to work with a forensic specialist to complete a thorough investigation.

The company said there is “no evidence” that any data was taken as a result of the ransomware attack, but the spokesperson declined to say if Finalsite has the means — such as logs — to detect the exfiltration of data citing an ongoing investigation.

Educational institutions and their providers have become a popular target of threat actors since the start of the pandemic, which saw many to shift to online-based remote learning. Last September, for example, Washington, D.C’s Howard University was forced to cancel classes after falling victim to a ransomware attack.