Cyber Incident Victim: Baltimore County Public Schools
Date: Nov 2020
Location: United States of America
Summary
A ransomware attack disrupted Baltimore County Public Schools' operations, forcing system-wide shutdowns and canceling online classes for approximately 115,000 students. Critical infrastructure, including the district’s website, email services, and grading systems, was compromised. Encrypted files bore a .ryuk extension, suggesting potential Ryuk ransomware involvement, though authorities have not confirmed this. Whether student data was exposed remains unclear. The incident halted instruction, and offices stayed open while staff worked to restore teaching platforms amid ongoing pandemic-related challenges. The school system collaborated with federal and state law enforcement alongside emergency management agencies to investigate the attack, which followed similar incidents targeting other U.S. educational institutions.
Description
A ransomware attack disrupted Baltimore County Public Schools on November 24, 2020, two days before Thanksgiving, forcing the cancellation of online classes for 115,000 students. Technical issues first emerged around 11:30 pm Tuesday when teachers reported difficulties accessing the district’s grading system during end-of-day administrative tasks. The attack escalated during a school board meeting that evening, abruptly terminating the video stream before the session concluded. By Wednesday morning, officials confirmed a "catastrophic attack" had compromised critical technology infrastructure, including the district website, email services, and grade submission platforms. Forensic observations indicated encrypted files bore the .ryuk extension, though authorities did not formally attribute the attack to Ryuk ransomware operators. The school system suspended all student activities for Wednesday and Thursday while maintaining open administrative offices to address the crisis.

Baltimore County Police Chief Melissa Hyatt characterized the investigation as in its "preliminary steps," with collaboration between local, state, and federal law enforcement agencies alongside the Maryland Emergency Management Agency. District Superintendent Darryl L. Williams could not estimate when virtual instruction might resume, emphasizing staff efforts to restore instructional platforms and device functionality for students already impacted by COVID-19 disruptions. No official statements confirmed whether student data was exfiltrated or viewed by unauthorized parties. The incident occurred amid a surge in ransomware attacks targeting U.S. school districts, including a September 2020 breach of Virginia’s Fairfax County Public School System. School offices remained operational to coordinate contingency plans while technical teams worked to mitigate the attack’s effects on educational continuity.
