Cyber Incident Victim: Clover Park School District

Date: May 2021

Location: United States of America

Summary

The Clover Park School District experienced a ransomware attack by the relatively unknown threat actor "PayOrG," who demanded $350,000 with a 21-day deadline to prevent data leaks while offering limited file decryption as proof. The attack caused a system outage disrupting technology services, prompting the district to engage cybersecurity specialists for investigation and advise students to follow outage protocols—virtual learners continued remotely while in-person classes remained unaffected. District communications were limited to an initial social media update, and its website became inaccessible during the incident.

Description

On May 26, 2021, Clover Park School District in Washington state experienced a significant technology disruption initially described as a "system outage." District officials publicly acknowledged they were investigating the root cause of the incident while working with third-party cybersecurity specialists. Internal evidence emerged when an employee provided KIRO7 News with screenshots revealing the outage was actually a ransomware attack claimed by a previously unknown or obscure threat actor group calling themselves "PayOrG" (alternately referenced as "PayOrGrief"). The attackers demanded a $350,000 ransom payment, setting a 21-day deadline before threatening to publish stolen data. While the group did not initially provide proof of data exfiltration or encryption capabilities, they offered to decrypt a limited number of files as verification if the district contacted them via a specified chat channel.

The district implemented contingency measures to maintain educational operations during the disruption, instructing stakeholders to follow existing Power & Internet Outage Guidance. Students engaged in virtual learning continued classwork from home, while those scheduled for in-person attendance proceeded with regular on-site instruction. Despite an initial tweet confirming a "temporary tech issue" and promising updates, the district issued no further public statements about the incident throughout the day. External attempts to access the district’s website that evening failed due to persistent connectivity timeouts. The scope of compromised systems, exact nature of impacted data, and validation of the attackers’ claims remained unconfirmed at the time of reporting, with the investigation ongoing and no disclosed resolution timeline.
