Give us a call or fill out a contact form for a free consultation! 864-867-1600


The Illinois District’s IT infrastructure is designed to send text messages to IT employees when a server fails, but on Thursday night more than 1,000 Chicago public school employees were bombarded with a barrage of texts. In September, the Illinois Department of Education and the University of Illinois at Urbana-Champaign were confronted with a ransomware attack that spread through data center servers.

Barthel logged on to investigate, but many systems were already affected and he could not remotely reboot the servers, so he rushed to the data center to find that all server enclosures and critical applications were encrypted. About 85 of the 300 virtual servers were shut down in quick succession and Internet access shut down to contain the outbreak and prevent further encryption.

It took about a month for the situation to fully recover, but Barthel said it was decided that the schools would continue their normal timetable, with the exception of some special education programs. IT team secured the data until the district paid the ransom to regain access.



The district used the incident to strengthen its position in the cyber security field and better prepare for future attacks. In recent years, more and more school districts have been crippled by ransomware and other cyber attacks. To protect themselves from malware infections, hacks, and data breaches, districts must adopt a multi-layered security approach that includes a variety of security tools, such as intrusion detection and prevention systems, installing software patches, and educating users about computer security, said Chris Anderson, CEO of SecureWorks, a Phoenix-based information security research and consulting firm. The district also must develop a backup system for affected devices to restore backups if they are hit with ransomware or other destructive malware, IT executives and analysts said.

It’s a win-win situation, “Rothman said in an interview at the National Association of School Security Professionals (NASP) annual meeting in Las Vegas.

Of course, attempts should be made to prevent attacks, but it is more important to identify them quickly and combat them effectively. All 42 schools in the Rockford District live via email and the Internet, and students bring their own devices and click on things.

The ransomware variant that infected the district affected only certain operating systems, and the Rockford IT team quickly restored Internet access for districts so that students could use Chromebooks and tablets. Bus drivers had to copy their routes in paper form, teachers recorded the presence of the students on paper. Within a day, Barthel said, the county restored access to all applications the provider temporarily hosted in the cloud, as well as to the school’s computers.


For more than two months, the 46-person IT team worked around the clock to rebuild affected servers and computers, restore data from backups, and strengthen prevention, detection, and control. The team improved the backup and recovery process and had snapshots taken of databases taken within 60 minutes of the attack. We were lucky, “Barthel said, but had to have a snapshot taken 60 minutes after the attacks.

A third investigator found that the entry into the ransomware was a phishing email that contained information about the district, which needs more training for employees in computer security.

Given that many technological initiatives are included in our strategic plan, we cannot help but move forward very quickly with many of these technological initiatives.

Barthel and his team resumed IT operations and deployed new security technologies to protect Rockford from future threats. To increase network visibility, the technology department introduced a new Security Toolkit, a security information and event management tool that creates protocols, and Microsoft Advanced Threat Analytics, which analyzes a network and alerts IT staff to suspicious activity.

 The team also installed additional features in the district’s Sophos Endpoint security software that went beyond the signature of viruses and analyzed behavior to block attacks, including ransomware. Rockman County officials plan to conduct user security training and introduce multifactor authentication this year.
They also plan to improve disaster recovery by creating an active configuration of data centers. District officials support and prioritize cybersecurity initiatives, Barthel said, but not all are working together.

The FBI advises against paying thieves for ransomware attacks because it encourages more attacks. We don’t want to see that, but there’s a silver lining, “he said. With the many technological initiatives set out in our strategic plan, we can help to move forward very quickly.



In May 2018, Oregon’s Roseburg Public School was the victim of a ransomware attack that encrypted dozens of the district’s 30 servers. District employees were unable to access business applications and emails, and the school’s website was put offline, said technology coordinator Gary McFarlane. The district restored encrypted backup drives from backups, but sometimes managers feel they have no choice.

There was an opening that shouldn’t have been there, but it allowed remote access to the system, McFarlane said. Cyber criminals gained access by attacking the Remote Desktop Protocol, according to the Office of the Inspector General of the US Department of Homeland Security.

The insurance company Roseburg hired a security firm to recover some, but not all, data and advised the insurer to pay the ransom.

After receiving the decryption key, Roseburg IT employees deleted, rebuilt and rebuilt the affected servers, restored data and restored operations. No information about employees or students was compromised, and the district has learned its lesson and is improving its safety, McFarlane said.

To prevent encryption of backups in the event of a new malware infection, McFarlane has revised the backup process and removed backup servers from the network. Traditional antivirus software has also been replaced by SentinelOne Endpoint security software, which uses behavioral analytics to detect ransomware and other malware.



The cloud is an important component of the cybersecurity of Roseburg, and the student information systems of the district are hosted in the cloud and were therefore not affected by the ransomware infection. After the cyber attack, McFarlane took over Microsoft Office 365 for e-mails and moved all financial software to the cloud.

It’s more of a decentralized model now, “he said, and the risk is spread across the school system, not just the school district itself.

Ransomware and other major cyber attacks have not hit schools in the U.S. as hard as in other parts of the world, such as Europe.

Still, the district continues to rely on security and improved backups to make it harder for cyber thieves to succeed, said Tom Condo, who runs information systems. SCPS, which uses a SonicWall firewall, recently implemented a Cloud Access Security Broker that includes SIEM tools to analyze the environment of districts and the cloud environment to stop cyber threats. The district uses patch management tools to keep its systems up to date, as well as software to back up data to local devices and then to the cloud. Information systems workers said they felt ready to respond, though no district has ever been the victim of a ransomware attack or a cyber attack, Conde said.

We’re constantly talking about what shouldn’t be and when, and we just hope to minimize the impact, “he said.

Barthel spent the first two hours meeting with students, teachers and school staff when a school in Rockford was the victim of a ransomware attack last fall. He said while ransomware infections are common, it’s important for K-12 IT executives to regularly communicate with those affected about the damage and recovery process with those affected.

First, frequent meetings are important for responding to attacks and developing communication strategies. Barthel said while the IT team assessed the damage and reported relevant findings, the meetings were crucial to prioritizing the process of restarting applications and IT systems.

The superintendent had provided the school board with important information about the incident, Barthel said. At the individual school locations, the district administration and the communication committee informed the administration when systems were available. The communications team also kept the board informed of news and social media posts, he said, and administrators reduced the meetings to about once a week, except for two weeks after an incident when several systems were rebooted.

It was important to reassure the general public that there were no breaches of personal and student data, that the schools were safe and that they would continue to operate. IP-based phone systems failed, causing security and communication problems for parents. The district government diverted calls to schools via cellphones, which were distributed to school administrators.


This is just a few of the many cases that happen on a seemingly increasing basis and will only increase as we continue moving forward with distance learning.  It should be all institutions top priority to keep not only the schools information safe but most importantly the faculty and students information as well. Technology offers many solutions to provide end to end security to prevent cyber attacks and ransomware.  Don’t become a statistic like the examples above by waiting till a security breach happens.  Doing so will be much more stressful, will cost your institution a great deal of money and put families in harms way.  Utilize our free services to see what the best cyber security measures are for your schools needs.