Ohio school sends students home because of Trickbot malware infection

TrickBot infections impacted, PC fleet, phone and HVAC systems.

TrickBot

An Ohio school district was forced to send students and some of its staff home on Monday after a malware infection caused major issues to its IT infrastructure.

But, surprise, surprise, the malware infection was not a ransomware attack, as most infosec experts would have expected, but a banking trojan.

More precisely, the malware that brought down the school district's IT systems is named Trickbot, according to a Facebook post published Monday by officials from the Coventry Local School District in Ohio.

Infected last week, but not by a student

Officials said they were infected last week, but only discovered the infection on Friday. Despite working to restore impacted systems, the school district's IT staff were not able to finish their recovery efforts over the weekend.

"Since we cannot guarantee that the necessary operating systems will be up and running tomorrow, it is in our students best interest and welfare to cancel school," said Lisa Blough, Coventry Local School District Superintendent.

In interviews with local media, Blough said the school didn't suspect any of its 2,000+ students for purposely infecting the school's network with Trickbot, and that "one of the first computers infected was in the treasurer's office."

TrickBot -- one of today's most dangerous malware strains

The FBI has been counseling the school district and helping with recovery efforts. In mid-March this year, the Department of Homeland Security sent a warning about an increase in TrickBot attacks.

The malware started as a banking trojan specialized in stealing credentials for banking portals, but shifted tactics in 2016-2017, when it was re-purposed into a multi-purpose malware platform.

Nowadays, TrickBot operators infect computers with their malware and often rent access to infected computers to the operators of other malware operations.

The Emotet banking trojan also uses this tactic as well. In recent months, many ransomware incidents have been tracked down to initial infections with either Emotet, TrickBot, or both.

Security researchers often warn that Emotet and TrickBot infections should be treated with the highest-priority because they can easily turn into more damaging attacks. For the vast majority of cases, the TrickBot crew uses spam email to infect victims.

Classes resumed today

It is unclear what happened on the Coventry Local School District network last week to force officials to shut down their IT network, but if we take Blough's word for it, it was pretty serious.

"It seemed like once one machine was infected, 10 more were right behind it," Blough told News5 Cleveland. "Soon the whole network essentially stopped functioning."

In a separate interview with the Akron Beacon Journal, Blough also said the malware brought down the school's phone and HVAC systems.

Contacted by ZDNet, a school spokesperson told us the school resumed classes on a normal schedule today but did not want to comment further on the attack. To recover from the attack, the school's IT staff reinstalled over 1,000 computers.

Related malware and cybercrime coverage: