Ransomware attack on FinalSite still disrupting email services at thousands of schools

Education technology company FinalSite is still in the process of recovering from a devastating ransomware attack that crippled many of the services they provide to thousands of schools across the world this week. 

In an update on Friday morning, the company said the "vast majority" of its sites are back up and running on the front end but many systems are still facing a variety of issues.

They urged their customers -- which include thousands of schools across 115 different countries -- to limit "software usage to critical information updates for your front-end" until they have confirmed that all functionality is working fully. 

"Examples of usage to avoid include sending email/notifications, workflows, relying on calendar and athletic alerts, uploading data etc," the company said. 

While some front end systems are back, FinalSite said some styling may be missing and users may not be able to access the admin side of their site. Many users will continue to see 503 errors, according to FinalSite. 

The company first informed customers of issues on January 4 and said its engineers have been working around the clock to resolve the issue. By Thursday, the company admitted that it was suffering from a ransomware attack.

"We are incredibly sorry for this prolonged outage and fully realize the stress it is causing your organizations. While we have made progress overnight to get all websites up and running, full restoration has taken us longer than anticipated," they wrote in a message to customers. 

"In the ensuing time since the incident, our security, infrastructure, and engineering teams have been working around the clock to restore backup systems and bring our network back to full performance, in a safe and secure manner. Third-party forensic specialists are assisting us in bringing things back slowly and carefully to ensure the environment is safe and stable."

One Reddit user said about 2,200 school websites hosted by Finalsite began to go down on January 4.  

"Many districts are complaining that they are unable to use their emergency notification system to warn their communities about closures due to weather or COVID-19 protocol," the user wrote. "The impact of this outage is far greater than the attention it has received."

A FinalSite spokesperson later told TechCrunch that about 5,000 of their 8,000 customers were affected by the ransomware incident. Local news outlets across the US reported school districts having issues with their websites. 

Another school administrator contacted Bleeping Computer to report that their website was down, forcing them to contact parents about the outage. They were told that there is no timetable for services to return to normal.

Some schools took to Twitter to inform students and parents about website outages, noting to the public that their websites were down because of the ransomware attack on FinalSite. 

Former FBI analyst Crane Hassold likened the attack to the ransomware incident that affected Kaseya and said it illustrated the domino effect ransomware can have on other companies.

"When a company that provides solutions for other companies gets hit with ransomware, similar to what we saw with Kaseya last summer, the resulting impact can be exponentially devastating," said Hassold, who now serves as director of threat intelligence at Abnormal Security. 

"In the current environment, when COVID is peaking again and many schools are switching to temporary remote learning, this attack couldn't have come at a worse time."