Cyber Incident Victim: J. Sterling Morton high school district
Date: Nov 2017
Location: United States of America
Summary
A ransomware incident targeted a high school district through a fake student survey dressed up with school branding. Victims were prompted to enter credentials, after which the program displayed a ransom note demanding $10 in Bitcoin. The malware did not actually encrypt any files, which indicates it was still in development, but it showed how such a lure could escalate through targeted social engineering. The low ransom, basic coding, and hyper-localized focus suggested possible student involvement. Security researchers alerted the district about the threat, though no response was confirmed at the time of reporting. The incident illustrates a shift in ransomware toward direct, socially engineered attacks rather than broad distribution methods.
Description
In mid-November 2017, students within the J. Sterling Morton High School District in Cicero, Illinois, encountered a ransomware attack disguised as a legitimate student survey. The malware, identified as "J. Sterling Ransomware," presented victims with an interface titled "J. Sterling Student Survey" that incorporated the school district's logos and slogans to appear authentic. Upon execution, the program prompted students to enter an email address and password and to select their grade level. Although the interface was poorly designed, the school branding made it look legitimate. After users submitted their information, the screen changed to a ransom demand claiming that files had been encrypted and instructing victims to pay $10 USD in Bitcoin to restore access. Analysis of the sample showed that the ransomware was at an early stage of development and had no working file-encryption capability, despite the threatening message. Researchers published the SHA256 hash 5e0b3b06ce66510da523344f963c592ec3d4acf97e5420512c667c6ee89d66b6 for the malicious executable.
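Because the report gives a single file hash as the indicator, the practical check a district IT team would run is a sweep of student-facing shares and download folders for any file with that SHA256. The script below is an added example, not code from the original report or from the researchers who analysed the sample. Only the hash is taken from the page; the directory tree, file names and the planted stand-in file are constructed here so the sweep can be exercised offline (the stand-in is not the real sample, so the published hash will not match it, and a constructed hash is added to the indicator set to show what a hit looks like).

```python
"""IOC sweep: hash every regular file under a directory tree and flag matches.

Added example. The only value taken from the incident report is J_STERLING_SHA256;
everything else (paths, files, the planted stand-in) is constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicator published for the "J. Sterling Ransomware" executable (from the report).
J_STERLING_SHA256 = "5e0b3b06ce66510da523344f963c592ec3d4acf97e5420512c667c6ee89d66b6"

IOC_HASHES = frozenset({J_STERLING_SHA256})


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs=IOC_HASHES):
    """Return {path: sha256} for every regular file under root whose hash is in iocs.

    Symlinks are skipped so a planted link cannot pull the scan outside the tree,
    and unreadable files are ignored rather than aborting the whole sweep.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits[p] = digest
    return hits


def build_demo_tree():
    """Create a constructed directory tree for the demonstration.

    Returns (root, planted_path, planted_sha256). The planted file is a stand-in,
    NOT the real sample; its hash is returned so it can be used as a constructed
    indicator.
    """
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    Path(root, "homework").mkdir()
    Path(root, "homework", "essay.txt").write_text("draft essay\n")
    planted = Path(root, "Downloads", "J. Sterling Student Survey.exe")
    planted.parent.mkdir()
    planted.write_bytes(b"MZ" + b"constructed stand-in, not the real sample")
    return root, str(planted), sha256_file(planted)


def run_demo():
    """Sweep the constructed tree with the published IOC, then with a constructed one.

    Returns (hits_with_published_ioc, hits_with_constructed_ioc, planted_path).
    """
    root, planted, planted_hash = build_demo_tree()
    # Nothing in the constructed tree is the real sample, so this is empty.
    real_hits = sweep(root)
    # Adding the stand-in's hash shows what a positive match reports.
    demo_hits = sweep(root, iocs=IOC_HASHES | {planted_hash})
    return real_hits, demo_hits, planted


if __name__ == "__main__":
    real_hits, demo_hits, planted = run_demo()
    print("hits with published IOC:", real_hits)
    print("hits with constructed IOC:", demo_hits)
```

In production the hash set would be loaded from a feed rather than hard-coded, and a hash-only sweep catches only this exact build: a recompiled variant with a different icon or string would not match, so the file name and survey title in the lure are worth a separate content-based rule.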

The highly targeted nature of the attack, combined with the minimal ransom demand and unsophisticated coding, suggested the involvement of a student or other insider familiar with the district. Unlike broad-spectrum ransomware campaigns distributed via exploit kits or mass email, this attack relied on local institutional branding to exploit student trust. While no file encryption occurred during this incident, security analysts warned that the malware could evolve rapidly by integrating publicly available encryption routines. Bleeping Computer contacted the school district to alert administrators about the threat but received no response prior to publication. The event illustrates a trend in ransomware tactics toward tailored social engineering rather than indiscriminate distribution, though no data breach or financial loss from this attack was confirmed within the district.
