Cyber Incident Victim: Las Cruces Public Schools

Date: Oct 2019

Location: United States of America

Summary

A ransomware attack forced Las Cruces Public Schools to implement a district-wide computer system shutdown after compromised servers were discovered, disrupting email and digital communications while prompting the activation of crisis response protocols. Despite the network outage, schools maintained normal operations using phones and radios for coordination, with officials initially indicating no evidence of staff or student data compromise. Nearby institutions blocked network access to the district as a precaution against potential malware spread. Recovery efforts focused on containment, system restoration from backups, and assessing the infection's scope, reflecting broader trends of ransomware targeting educational entities due to their operational reliance and perceived vulnerabilities.

Description

On October 29, 2019, Las Cruces Public Schools (LCPS) experienced a ransomware attack that prompted a district-wide shutdown of its computer systems. The IT department identified compromised servers at approximately 7:00 a.m. that morning and immediately disconnected the entire network to contain the infection. This action disabled all computer-based communication systems, including email, forcing staff to rely on telephones and handheld radios for operational coordination. District officials activated their crisis response team to prioritize restoration of critical services, though they could not estimate the duration of the outage. Despite the severity of the incident, schools remained open with classes continuing on schedule, as the attack did not directly disrupt classroom activities. LCPS publicly stated there was no evidence that staff or student data had been breached or compromised during the incident.

The attack triggered precautionary measures across neighboring institutions, with New Mexico State University advising its staff to avoid opening emails originating from LCPS domains due to potential malware risks. Network administrators blocked direct access to LCPS systems and restricted incoming traffic until the threat could be fully assessed. Recovery efforts involved determining the ransomware’s propagation scope, cleansing infected systems, and restoring data—ideally from backups—a process cybersecurity experts noted could require substantial time even when detected early. The incident occurred amid a surge of ransomware attacks targeting U.S. educational institutions in 2019, with contemporaneous reports documenting 54-62 publicly disclosed incidents affecting over 500 schools and colleges nationwide. LCPS’s response mirrored challenges faced by peer districts like Gadsden Independent School District, which was still recovering from a July 2019 Ryuk ransomware attack that crippled its email infrastructure for months. The district maintained public operations throughout the crisis while working to rebuild its compromised technical environment.
