Dec 13, 2023 - Education

What happened in Des Moines schools' ransomware attack? Technology director tells all


You may remember how a massive ransomware attack on Des Moines Public Schools in January exposed student data and put classes at a standstill.

Driving the news: Lisa Irey, head of technology at DMPS, is giving a behind-the-scenes look at what happened during a live webinar tomorrow.

Why it matters: Ransomware attacks nationwide are expected to get worse before they get any better, as professional criminal groups seek millions of dollars targeting critical infrastructure like hospitals and schools.

  • The details behind the DMPS attack were shared in a Q&A with Heartland Business Systems earlier this year.

How it started: Irey was at home with their pregnant wife when they got a call from a network engineer saying: "Hey, just a heads up: we think something might be going on."

  • "What we came to learn was that this was a massive, orchestrated, tactically engineered cyberattack against Des Moines Public Schools, one that sent shockwaves through the threat intelligence community due to the size and magnitude of the attack."

What happened: Within 90 minutes, the district decided to "pull the plug" and go offline, resulting in classrooms losing access to the internet and the school's network.

State of play: The attackers sought out data on student identities, which are some of the most valuable on the black market because students lack credit histories, Irey said.

  • The group of attackers, whose names Irey withheld during the Q&A, left a phone number for negotiations, but no one answered for two weeks. DMPS did not pay the requested ransom.
  • School officials later learned this was the attackers' "swan song" and they broke up after the attack.

Zoom in: Trying to figure out the depth of the attack and how to respond to it became an all-in effort, involving the district's cybersecurity insurer, executive leadership and even the FBI.

  • They worked together in a "war room" at a district building as it shaped up to be "one of the worst days ever," Irey said.
  • Ultimately, some student data was compromised and school was canceled for two days in January until the systems could go back online.

The bottom line: The silver lining of the attack was the opportunity to redesign the district's network from the ground up and get rid of what was outdated.

  • Rather than having a responsive relationship in the district, IT is now a part of the conversation, Irey said.
  • The district invested $4 million into cybersecurity earlier this year.