Cyber Incident Victim: Evangelische Schule St. Marien
Date:
Jan 2022
Location:
Germany
Summary
The Evangelische Schule St. Marien experienced a ransomware attack compromising its servers, with attackers encrypting data and demanding payment for decryption. Sensitive operational information, including teacher-specific details like schedules and course allocations, was rendered inaccessible, though academic records and communication platforms remained unaffected. The institution notified parents, church authorities, data protection officials, and police, declining to engage with the ransom demand. Partial data recovery was achieved through backups, while investigators highlighted the attack’s sophistication and noted such incidents remain uncommon locally. The breach’s origin was unclear, though the school affirmed compliance with security protocols and expressed uncertainty regarding potential data exfiltration.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around January 10, 2022, Evangelische Schule St. Marien in Neubrandenburg suffered a ransomware attack targeting its server infrastructure. The intrusion occurred during the night preceding Monday, January 10, when unidentified threat actors encrypted the school's data and delivered a ransom note instructing administrators to contact a specified email address for decryption. School principal Karsten Quaschning confirmed the attack compromised all stored data, rendering it inaccessible. Among the affected information were sensitive operational records, primarily teacher-specific materials such as course schedules and lesson plans, though student grades and certificates remained unaffected. The incident did not disrupt the Microsoft Office 365 platform used for remote learning, preserving instructional continuity. Upon discovery, the school immediately notified parents due to the sensitivity of compromised data, while simultaneously alerting the church (its institutional trustee), the state data protection officer, and relevant data protection authorities. The Neubrandenburg police confirmed receiving a formal complaint on Thursday following the attack and initiated an investigation through their dedicated cybercrime unit.
The school declined to engage with the attackers' financial demands and instead relied on redundant backups to partially restore affected systems. Principal Quaschning emphasized that while critical datasets had been doubly secured—enabling recovery—the full scope of encrypted information remained locked. Police investigators highlighted the attack's sophistication, noting declining reliance on easily detectable phishing tactics like spelling errors. They theorized the ransomware likely required manual activation through user interaction, though the timing (a Sunday with no staff present) raised unresolved questions about initial access vectors. Authorities acknowledged such incidents remained uncommon in the Neubrandenburg region, with some organizations reportedly resolving attacks internally without police involvement. While the state data protection office verified the school's compliance with security protocols, Quaschning stated no evidence indicated data exfiltration, though he could not definitively rule it out. The incident followed high-profile attacks against local government offices in Ludwigslust-Parchim and Nordwestmecklenburg during the preceding year, underscoring regional cybersecurity vulnerabilities.