
Cyber Incident Victim: Proctor School District

Date: Dec 2017

Location: United States of America

Summary

The Proctor School District experienced a ransomware attack affecting middle and high school computers left powered on over a weekend, resulting in locked Microsoft Word files while student data and payroll systems remained uncompromised. The district engaged a forensic firm to identify the initial infection point and develop a decryption solution, explicitly refusing to pay any future ransom demands despite no specific amount being requested by the attacker at the time of reporting. Authorities had not yet been notified regarding the incident.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

The Proctor School District experienced a ransomware attack during a weekend in December 2017, impacting operational systems at its middle and high schools. Malicious software encrypted Microsoft Word files stored on computers that remained powered on over the weekend, rendering the data inaccessible to staff. Superintendent John Engelking confirmed the compromise affected only these active systems, with student records and payroll information remaining secure due to their storage on separate systems not targeted in the incident. District personnel discovered the encryption upon returning to work, though the exact detection method was not disclosed. The attack exclusively impacted educational and administrative workstations rather than centralized servers, limiting data exposure but disrupting document-dependent operations. No ransomware payment demand had been received by the district at the time of initial reporting, eliminating immediate financial extortion pressure.


In response, district leadership engaged a digital forensics firm to investigate the incident's origin and develop countermeasures without capitulating to potential ransom demands. The forensic team prioritized identifying "patient zero" (the initially infected computer) to understand the attack vector and contain further spread. Engelking publicly stated the district would refuse any future payment requests, establishing a non-negotiation stance early in the crisis. While authorities had not been formally notified as of the report date, the involvement of specialized external investigators indicated a technical rather than law-enforcement-driven mitigation strategy. The district maintained operations using unaffected systems while the forensic team worked to create decryption tools to recover locked files. The attack's limited propagation to only powered-on computers suggested either network segmentation or ransomware functionality dependent on continuous system connectivity, though the initial infection method remained undetermined by investigators.

Sources: 1 source (available to members)