Finalsite Ransomware Attack
The first update on January 4 reads:
We are currently investigating an issue leading to increased error rates and performance issues across our legacy modules, and our team is investigating a fix as a critical priority. We’ll provide additional updates as soon as we have them.
Subsequent updates mention Cloudflare error messages and specific software being impacted, such as Groups Manager, Constituent Manager, Login, and others. By January 6 the team mentions ransomware as the culprit:
On Tuesday, January 4, our team identified the presence of ransomware on certain systems in our environment. We immediately took steps to secure our systems and to contain the activity. We quickly launched an investigation into the event with the assistance of third-party forensic specialists, and began proactively taking certain systems offline.
Working with third-party forensic specialists, the team was able to regain full access to its files and data, and a forensic investigation remains ongoing. Since then, the team has been working to restore connectivity to school websites, including reducing 502 “Oops” errors.
Finalsite spokesperson Morgan Delack told TechCrunch that 5,000 of its total 8,000 customers around the world were affected. These include schools in Kansas City, Illinois, and Missouri. Finalsite purposely took the websites offline as a means of protection, and it is rebuilding its system from scratch in a clean environment. “The malware issue is not what caused sites to go down — we took them down to protect our client’s data.”
The company says it has no evidence that data was compromised. The type of ransomware used remains unknown, as does the way the attackers accessed Finalsite’s system.