School System Targeted by Ransomware


Lesson in Resilience: How a School System Recovered from Ransomware

Overview

A K-12 school system suffered a ransomware attack that encrypted student and faculty systems and grading portals. The attack disrupted access to attendance records, class schedules, and parent-teacher messaging tools, causing confusion and disruption for thousands of students, staff, and families.


Challenge

The ransomware group targeted the district’s centralized student information system (SIS), blocking access to academic records, special education files, and administrative systems. Teachers couldn’t take attendance, administrators couldn’t access student health or discipline logs, and parents were left in the dark. With school still in session, recovery needed to occur quickly and securely.


PNG Cyber’s Response

Remote Collection and Threat Intelligence

The school system had an IR plan and IT staff, but wanted additional expertise to ensure a proper recovery from ransomware. PNG Cyber was selected for our refined remote collection and remote recovery methodologies. Within hours, our team collected logs and artifacts, performed triage, and began forensic analysis. In parallel, our threat intelligence experts confirmed the ransomware variant, identified the threat actor group, and analyzed the group's known tactics, techniques, and procedures (TTPs). We immediately began dark web monitoring for any signs of client data exfiltration or chatter related to the attack. Using this threat intelligence, we developed a containment, eradication, and remediation strategy tailored to the specific threat. Our experts also initiated threat actor communications to gather further intelligence and to explore negotiation options on behalf of the client.

Containment and Eradication

Within hours of being on the case, we were able to successfully contain the infected servers and eradicate any remaining threats.

Stakeholder Communication and Support

Throughout the engagement, we communicated with the client, the insurance carrier, and counsel to support public communications.


Results

  • Rapid incident response and containment of ransomware.

  • Successful restoration & recovery of systems, including SIS, within one week.

  • Avoided the need for any ransom payment.

  • Delivered detailed forensic findings and root cause analysis.

  • Identified critical technology and procedural gaps, including deficiencies in multi-factor authentication (MFA) enforcement.

  • Provided cyber maturity roadmap with prioritized recommendations to minimize future risks.

  • The district adopted PNG’s post-incident recommendations, including annual tabletop exercises and advanced endpoint threat monitoring services to minimize risks.
