Cyber Incident Victim: Willamette University

Date: Feb 2024

Location: United States of America

Summary

Willamette University experienced a major cyberattack shortly after hosting a campus Tech Day event featuring cybersecurity awareness discussions. The attack caused widespread system disruptions, including website, phone, and network outages, and also affected its Portland campus. The institution restored many systems over the following week while recovery efforts continued. The FBI provided assistance, and the university noted that the incident resembled a prior ransomware attack on another Oregon college, in which threat actors targeting educational entities encrypted and stole data. Classes moved to alternative locations while university teams worked to resolve the incident, which fits a broader pattern of cybercriminals focusing on smaller organizations with limited resources.

Description

On February 20, 2024, Willamette University hosted Tech Day, a campus event featuring presentations on digital platforms, artificial intelligence, and cybersecurity. That evening, university officials detected suspicious network activity, later confirmed as a cyberattack. The incident caused immediate disruptions: the university’s website became inaccessible, phone systems failed, WiFi networks went offline, and operations at its Portland campus, the Pacific Northwest College of Art, were also affected. By the morning of February 21, students and employees were notified of the network outage via email, though the university had not yet confirmed the cyberattack’s nature.

Over the following week, IT teams restored many systems, though recovery remained ongoing as of early March. University communications director Lauren Mulligan described the process as time-intensive, requiring significant campus resources. The FBI’s Portland office acknowledged awareness of the attack and provided assistance but declined further details. While Willamette withheld specifics about the attack, Mulligan noted similarities to a March 2023 ransomware incident at Lewis & Clark College, where threat actors encrypted systems, stole personal data, and demanded payment. Lewis & Clark had refused to pay the ransom, relying instead on encrypted backups and external cybersecurity experts to restore operations within days.

The cyberattack forced Willamette to adapt academic and administrative functions. Some classes relocated to off-campus Salem venues with reliable WiFi, such as the Reed Opera House, to maintain instruction. Senior Mira Karthik, student body president, reported delays in assignments and tests but praised the university’s regular updates and community resilience. Approximately 2,000 students adjusted to temporary disruptions, with teaching activities like Karthik’s bridge-building course continuing in alternative spaces.

FBI supervisory special agent Yaqub Prowell, speaking generally about cybercrime trends, explained that threat actors increasingly target smaller institutions like schools and hospitals, deploying dual strategies of system encryption and data theft. Attackers typically demand bitcoin ransoms for decryption keys and threaten to leak stolen data on the dark web. Prowell emphasized the FBI’s stance against paying ransoms and urged prompt reporting of incidents. Nationally, ransomware attacks remain prevalent, with 2,385 reported cases in 2022 and 44 in Oregon during 2023, though many go unreported.

Willamette’s recovery efforts paralleled Lewis & Clark’s reliance on forensic experts and backups, though the university’s full restoration timeline remained unspecified as of the latest reports.
