Cyber Incident Victim: Cloquet School District
Date: Aug 2018
Location: United States of America
Summary
The Cloquet School District experienced two ransomware attacks within three years, the second of which occurred during summer break. The earlier attack severely disrupted operations, forcing a one-day school closure and infecting district servers along with more than 600 computers. The later incident encrypted files across nearly all servers and shared network drives; no data theft occurred, and its impact was limited by the timing during vacation. District technology staff addressed both incidents, recovering systems after the malware encrypted files and restricted access.
Description
The Cloquet School District experienced ransomware attacks in March 2016 and again in late August 2018. The 2016 incident forced a full-day school cancellation to enable technology staff to address widespread infections affecting district servers and over 600 computers. This attack severely disrupted operations by locking network access and encrypting files, though no explicit ransom demand details were disclosed in available reports. Three years later, during summer vacation in 2018, the district suffered another ransomware attack that encrypted files across all servers except one, including network shared drives. Technology Director T.J. Smith confirmed the malware prevented users from accessing files but found no evidence of data exfiltration or theft.

The 2018 attack’s reduced operational impact compared to 2016 was attributed to its timing during summer break, minimizing disruptions to academic activities. Both incidents involved ransomware propagating across networked systems, encrypting data, and restricting access. The district’s technology team led recovery efforts in both cases, though specific remediation steps—such as whether backups were restored or ransoms paid—were not publicly documented. The 2016 attack required intensive remediation given its scale, while the 2018 event demonstrated persistent vulnerabilities despite prior experience. No third-party forensic reports or attacker attribution details were released by the district regarding either incident.
