FinalSite ransomware attack shuts down thousands of school websites

FinalSite, a leading school website services provider, has suffered a ransomware attack disrupting access to websites for thousands of schools worldwide.

FinalSite is a software as a service (SaaS) provider that offers website design, hosting, and content management solutions for K-12 school districts and universities. FinalSite claims to provide solutions for over 8,000 schools and universities across 115 different countries.

On Tuesday, school districts that hosted their websites with FinalSite found that they were no longer reachable or were displaying errors.

At the time, FinalSite did not disclose that they had suffered an attack but simply said that they were experiencing error and “performance issues” across various services, affecting mostly their Composer content management system. 

“This impact may include, but is not limited to, Groups Manager, Constituent Manager, Login, Forms Manager (old), Registration Manager, Directory Elements, Athletics Manager, Calendar Manager,” reads the FinalSite status page.

A school IT administrator told BleepingComputer that FinalSite did not provide them with a time frame as to when services would be restored and were forced to send emails to parents alerting them of the outage.

“Our website is currently down due to an issue that our service provider is experiencing. We apologize for any inconvenience this may cause you,” read an example outage email shared with BleepingComputer.

In addition to the website outages, a system administrator shared on Reddit that the attack prevented schools from sending closure notifications due to weather or COVID-19.

“Many districts are complaining that they are unable to use their emergency notification system to warn their communities about closures due to weather or COVID-19 protocol,” explained the Reddit post.

Outages caused by a ransomware attack

After three days of disruption, FinalSite confirmed today that a ransomware attack on their network is causing the outages.

“We are incredibly sorry for this prolonged outage and fully realize the stress it is causing your organizations. While we have made progress overnight to get all websites up and running, full restoration has taken us longer than anticipated,” FinalSite apologized in a status update today.

“The Finalsite security team monitors our network systems 24 hours a day, seven days a week. On Tuesday, January 4, our team identified the presence of ransomware on certain systems in our environment.”

“We immediately took steps to secure our systems and to contain the activity. We quickly launched an investigation into the event with the assistance of third-party forensic specialists, and began proactively taking certain systems offline.”

However, in a template created by FinalSite that schools can send to parents, there is no mention of the ransomware attack, and just that FinalSite is experiencing a “disruption of certain computer systems on its network.”

It is not known what ransomware gang conducted the attack on FinalSite and whether data was stolen as part of the attack.

As most enterprise-targeting ransomware operations steal data before encrypting, we will likely learn that data was accessed in a future update.

BleepingComputer has contacted FinalSite with further questions about the attack but has not received a response.

If you have first-hand information about this attack or other cyberattacks, you can confidentially contact us on Signal at +16469613731, Wire at @lawrenceabrams-bc, or Jabber at [email protected].

Education is a popular target

School districts and universities have become a popular target for ransomware operations over the years.

This is especially true for K-12 school districts with very limited funding and thus tend to have smaller support teams and less security infrastructure to detect imminent attacks.

“While school districts may not be flush with cash, the fact is that many carry cyber insurance and so can afford to pay demands – and that puts them in the crosshairs”, Emsisoft threat analyst Brett Callow told BleepingComputer.

“Last year, 87 incidents disrupted learning at as many as 1,043 individual schools. In 2020, 84 incidents disrupted learning at 1,681 schools. The fact that the average size of the impacted districts has decreased could indicate a correlation between budget size and (in)security level.”

“The bigger the district, the bigger the security budget and the better the security that’s in place.”