Maze Ransomware Operators Claim Fairfax County Public Schools as Latest Victim

Fairfax County Public Schools (FCPS) is the latest US school division to be hit by a ransomware attack that disrupted some of its systems.

“We currently believe we may have been victimized by cyber criminals who have been connected to dozens of ransomware attacks in other school systems and corporations worldwide. We are coordinating with the FBI on the matter,” FCPS said in an official statement posted last Friday.

Although the notification does not provide additional information regarding the impact on its systems, Maze ransomware operators have claimed responsibility for the attack. The group leaked a series of FCPS files containing student information and administrative documents.

“At this time, our investigation of the issue is ongoing and we are working diligently to determine the impact of this incident on FCPS data,” the school district added. “We have retained leading security experts to help us determine the nature and scope of the incident and recover from the situation.”

However, on September 12, the school district posted a second security incident update that hints to the data leaked by Maze ransomware operators.

“FCPS continues to investigate the ransomware issue involving some of our technology systems,” the update reads. “We are taking this matter and concerns about the personal information of students, staff and their families very seriously. If it is determined in the course of our investigation that personal information has been compromised, we will take steps to notify affected individuals as appropriate.”

The school district also claims that the attack did not disrupt online classes, and no device or schedule changes are needed at this time.

Schools and educational institutions have become the most desirable and suitable candidate for ransomware operatives since the beginning of the pandemic. While most victims do not meet ransom demands, cybercriminals leverage the stolen data to maximize their profits. Just last month, the University of Utah agreed to pay nearly half a million dollars to prevent the public disclosure of student and employee information.