Cyber Incident Victim: Wawasee Community School Corporation
Date:
Jan 2023
Location:
United States of America
Summary
The Wawasee Community School Corporation experienced a ransomware attack attributed to the BlackCat group, prompting immediate network shutdown and investigations involving state and federal agencies. The incident disrupted operations by compromising Windows-based systems, though Chromebooks remained unaffected and initial assessments suggested student and employee data stored off local servers were not breached. Following the district's refusal to pay the ransom, BlackCat leaked approximately 9.78 GB of allegedly stolen files on their platform, though the download link proved non-functional; the contents and potential exposure of personal information remain unverified as the corporation had not publicly acknowledged the leak. Technology teams worked extensively to restore systems amid ongoing service interruptions.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On January 20, 2023, at approximately 6 a.m., Wawasee Community School Corporation detected a potential ransomware attack targeting one of its district computers. The technology team immediately initiated network shutdown procedures to contain the threat and launched an investigation into the breach. As part of standard incident response protocols, the corporation notified the Indiana Department of Education, Federal Bureau of Investigation (FBI), and Department of Homeland Security. Subsequent investigation confirmed a ransomware attack had compromised all Windows-based computers, servers, and connected technology systems across the district. This widespread compromise caused significant operational disruptions, forcing staff and students to adapt to alternative procedures while systems remained offline. Despite the extensive impact on infrastructure, the corporation initially assessed that student and employee information remained secure because sensitive data systems were not hosted on local servers. Technology personnel worked continuously to rebuild servers and restore network functionality, anticipating intermittent disruptions to internet-dependent systems for several days during recovery. Chromebook devices issued to students appeared unaffected and continued functioning normally when used off-campus. The administration publicly acknowledged the adaptability of staff and students during the disruption and expressed gratitude to the technology team for their recovery efforts.
Further analysis revealed the BlackCat ransomware group claimed responsibility for the attack. After Wawasee Community School Corporation declined to pay the ransom demand, BlackCat published approximately 9.78 GB of allegedly stolen files on their data leak site in late January 2023. The threat actors did not specify the contents or nature of the exfiltrated data, leaving the potential exposure of personal information unverified. At the time of reporting, the leak site's download functionality was non-operational, preventing independent verification of the data's authenticity or scope. While the school corporation had issued notifications to parents and staff regarding the initial ransomware incident in January, no formal data breach disclosure appeared on the district's official website following BlackCat's leak announcement. The corporation maintained its original position regarding data security, reiterating that critical information systems were not locally hosted, though the validity of this assessment remained untested due to the inaccessible nature of the leaked files. Recovery efforts continued with a focus on restoring educational operations while monitoring for potential developments related to the data leak claim.