Cyber Incident Victim: Havre Public Schools
Date: Feb 2020
Location: United States of America
Summary
Havre Public Schools experienced a Ryuk ransomware attack that encrypted its computer systems, with the attackers demanding a Bitcoin ransom that far exceeded the district's resources. The incident prompted an immediate response: disconnecting all networked devices, engaging cybersecurity experts, notifying the FBI, and relying on personal devices to keep operating. Backups allowed restoration of systems to a pre-attack state, but the district permanently lost 20 hard drives and some non-sensitive archival data; no evidence was found that student or employee information was compromised. Post-incident measures included deploying endpoint detection and response (EDR) technology to improve network monitoring and threat response. The superintendent emphasized the value of preparedness but acknowledged the ongoing risk of future attacks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 10, 2020, Havre Public Schools Superintendent Andy Carlson received a 6:30 a.m. phone call alerting him that ransomware had crippled the district's computer systems. The attack, identified as Ryuk ransomware, encrypted network drives and resources, deleted shadow copies on endpoints, and disabled system restore options, rendering the district's core systems inoperable. District staff immediately disconnected all networked devices (computers, phones, and printers) in every building to contain the spread. Administrators and staff resorted to personal cell phones, email accounts, and mobile hotspots to maintain minimal operations while systems remained offline. The district engaged cybersecurity experts, its insurance providers, database software support teams, and the FBI to manage the incident. The attackers demanded a ransom estimated in the "tens of millions of dollars," payable in Bitcoin, an amount Superintendent Carlson described as financially unfeasible for the district.

The investigation found no compromise of student or employee data, though the district permanently lost 20 hard drives and archival information unrelated to personnel or student records. Backup systems, unaffected by the attack, allowed the district to restore data to its state as of February 2, 2020, so roughly a week of changes was lost. Systems were reactivated incrementally, with all district operations except the administrative building's computers restored by the end of the week. Post-incident, the district deployed endpoint detection and response technology to monitor activity on its devices and improve threat detection. Carlson attributed the initial intrusion most likely to a phishing email but acknowledged that the exact infiltration method might never be determined. He emphasized the non-targeted nature of the incident, noting Ryuk's association with Russian organized crime and its history of disrupting U.S. organizations, including major newspapers in 2018. While relieved that backups prevented catastrophic data loss, Carlson expressed ongoing concern about future threats, stating that the district's response relied on a preexisting incident plan but that cybersecurity risks remained persistent.
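The description above notes that Ryuk deleted shadow copies and disabled system restore before encrypting, and that the district later deployed endpoint detection and response tooling. Those pre-encryption steps are exactly what an EDR or SIEM rule should catch, because they run as ordinary Windows commands minutes before the encryption starts. The following is an added example, not code from the page, the district, or any vendor: a small Python detector run over constructed process-creation events (Sysmon Event ID 1 / Security 4688 style, reduced to the fields the rules need). Hostnames, user names, and event contents are made up for the example; the command-line patterns are the standard recovery-inhibiting commands (vssadmin, wmic shadowcopy, wbadmin, bcdedit), not commands recovered from this incident.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events. These are NOT records from the
# Havre Public Schools incident; hosts, users and command lines are made up.
SAMPLE_EVENTS = [
    {"host": "ws-012", "user": "HPS\\jdoe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws-012", "user": "HPS\\jdoe",
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "ws-012", "user": "HPS\\jdoe",
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "srv-files", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "ws-030", "user": "HPS\\helpdesk",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign admin usage, must not alert
    {"host": "ws-030", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Command-line patterns for the recovery-inhibiting steps the page describes
# (shadow-copy deletion, disabling Windows recovery). Case-insensitive because
# Windows tooling is; the \b anchors keep "vssadmin list shadows" from matching.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete":  re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog":  re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "bcdedit_recovery_off":    re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_failures": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}


def match_rules(event):
    """Return the names of every rule whose pattern matches this event's command line."""
    cmd = event.get("cmdline", "")
    return [name for name, pat in RULES.items() if pat.search(cmd)]


def scan(events):
    """Produce one alert per (event, rule) hit, keeping the fields an analyst needs to triage."""
    alerts = []
    for ev in events:
        for rule in match_rules(ev):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rule": rule, "cmdline": ev["cmdline"]})
    return alerts


def hosts_by_severity(alerts):
    """Group alerts per host and rate them. A single hit can be an administrator
    freeing disk space; two or more distinct recovery-inhibiting commands on one
    host within the same batch is the pre-encryption pattern and should be treated
    as active ransomware (isolate the host first, investigate second)."""
    per_host = defaultdict(set)
    for a in alerts:
        per_host[a["host"]].add(a["rule"])
    return {host: ("critical" if len(rules) >= 2 else "medium")
            for host, rules in per_host.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["host"]:10} {a["rule"]:26} {a["cmdline"]}')
    print(hosts_by_severity(found))
```

On the constructed events the detector raises four alerts and rates ws-012 as critical (three distinct commands) and srv-files as medium (one), while the benign `vssadmin list shadows` on ws-030 is ignored. In production the same logic would sit on Sysmon or EDR telemetry with a short time window per host, and a critical rating should drive automated isolation, since by the time these commands run the encryption is usually seconds to minutes away.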
