The hackers were hunting for vulnerable computer systems and in mid-March they found a mark: the Leominster public schools.
With their system locked down by a ransomware attack that encrypted data and froze e-mails, Leominster school officials said they had no choice but to pay $10,000 to a suspected ring of international hackers.
The relatively small-scale attack is an example of a growing threat to municipal bodies and small organizations from so-called ransomware, which is a type of malicious software that hackers use to hold vulnerable systems hostage. Ransomware was used in spectacular worldwide attacks such as the 2017 "WannaCry" bug that hit workplaces and users across the globe. But researchers say there have been a steady stream of less-noticed incidents such as the one in Leominster.
"The target has changed," said Ross Rustici, senior director of intelligence services at the Boston cybersecurity startup Cybereason. "Municipalities are really the low-hanging fruit . . . because they don't have the cybersecurity budgets that corporations do."
Though WannaCry triggered concern around the world, a computer programmer in England discovered a "kill switch" that significantly slowed the spread of that malware.
A ransomware attack laid low Atlanta's entire computer system for six days in March, preventing the city from conducting even the most basic business, such as collecting for parking tickets and other bills. And a ransomware assault hit Baltimore's 911 dispatch system around the same time.
Such attacks can come through infected files or attachments, or through incursions into a computer system. In Leominster, interim police chief Michael Goldman said the hackers likely found their way into the school department's computers through an open port, the digital equivalent of an unlocked door.
He said the case should serve as a reminder to communities and other organizations to assess their vulnerabilities. "Protect yourself," Goldman said. "If you're a company or a municipality, make sure your IT company is protecting you properly."
Interim Leominster superintendent Paula L. Deacon said the attack happened April 14.She contacted Goldman, who said he determined that there was not much he could do. He counseled Deacon to pay up.
"Most of these are international attacks, and they're coming from overseas," Goldman said.
Officials did not say when they made the payments, which was made to a bitcoin digital currency account, making it nearly impossible to trace the hackers.
On Monday, IT crews in Leominster were working to get the system back online. Deacon did not respond to requests for further comment.
"Thank you for everyone's patience while LPS and the city feverishly worked through some very difficult technology issues these last couple of weeks!" said a Facebook post by the Leominster public schools.
Leominster school officials reported the incident to the FBI, which declined to comment. But the agency said in a statement that its Boston office gets about one report about ransomware each week, and many more are not reported.
"The threat of ransomware is growing and evolving. The number of ransomware reports is increasing, and we're seeing different kinds of ransomware, different deployment methods, and coordinated distribution," the FBI said.
Many antivirus companies offer programs that block ransomware attacks, and some firms also provide off-site backup for important files that might be held hostage in the event of attack. Cybereason makes RansomFree, no-cost software that looks for and blocks such threats, and Rustici said organizations should also be looking for security risks like open ports.